Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow

[DEF CON ZERO WINDOW]

Hi,

 I discovered a buffer overflow bug which causes huge security hole on the `Netscape 
communicator 4.06J, 4.5J - 4.6J, 4.61e( probably, a version 3.0 after all )'.

 The problem of this application is in the handling of EMBED TAG, the buffer overflow 
is caused if the long string is specified at "pluginspage" option.
 I coded the exploit program to execute any command on the victim machine. I tested on 
the Windows98.

 However, this program specifies immediately the address of the system() function 
which is defined on the msvcrt.dll, this program does not work on the Windows machine 
which is installed the other version of msvcrt.dll (This program is for Version 
6.00.8397).

 The reason that I specified the immediate address of the function is the buffer which 
can be written the exploit code is very short, the size of writable buffer is about 83 
bytes. The buffer is too small to put the code which gets the address of the functions 
which are defined on the "msvcrt.dll".

 However, this problem will be solved if the code that searchs the attack code and 
executes that code is put on the exploit code. The attack code also can be written on 
the other buffer.

# An attack code could be written in 2300 bytes to stack_bottom.

 The trojan or virus can be written on the attack code, this problem is very serious.

 In this case, the stack pointer (ESP) when the overflow is caused differs by the 
environment. So, the method of the RET address overwrites can not be used to exploit. 
This example overwrites the handling address of the access violation, the exploit code 
is called when the access violation is caused. When the access violation is caused, 
the address of the exploit buffer is stored in the EBX register. So, I overwrite the 
handling address to the code that the "JMP EBX" instruction is written.

 You can quickly test this exploit on my site. I have prepared some versions of 
exploits that execute "welcome.exe" on your Windows98 machine. If you are user of the 
specified version of netscape, please test. I did not code the exploit program for the 
WindowsNT and Windows95, but they also contain same problem.

... and, This problem can't be avoided.


[ exploit demo page ]

exec "welcome.exe" - nc4x_ex.c
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi

exec "notepad.exe"
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi

---

[ exploit test ]

blue screen(int 01h)
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm


[ document(japanese) ]
http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm


special thanks:
UNYUN( The Shadow Penguin Security )
http://shadowpenguin.backsection.net/



--
: R00t Zer0 -   http://www.ugtop.com/defcon0/index.htm           :
: E-Mail: [EMAIL PROTECTED]                                      :
: --                                                          -- :
: "HP/UX is the worst OS for the hacker..." - Mark Abene         :