----- Forwarded message from Chiaki Ishikawa <[EMAIL PROTECTED]> -----

> From: Chiaki Ishikawa <[EMAIL PROTECTED]>
> Reply-To: Chiaki Ishikawa <[EMAIL PROTECTED]>
> Date: Mon, 14 Aug 2000 16:26:05 +0900
> To: [EMAIL PROTECTED]
> Subject: MacroMedia Flash/Shockwave plug-in on linux : memcpy overrun problem.
>
> X-PMC-CI-e-mail-id: 13428
>
> A replacement library for checking a well-known type of stack overrun
> caused by memory copy / string copy operations has been made
> available, namely libsafe.
>
> I have used it on Linux and I spotted a couple of suspicious popular
> programs on linux.
>
> I have been using libsafe on linux and found that
> - the netscape Flash/Shockwave plug-in seems to have a
>   memcpy overrun problem.
> (And Adobe Acrobat Reader on linux has some issues with libsafe.
> But this seems to be caused by the different libc, a somewhat old
> compat-libc, used by Acrobat Reader. So I won't go into details on
> Acrobat Reader.)
>
> Flash / ShockWave plug-in for netscape.
>
> For the netscape flash/shockwave plug-in on linux,
> the log output below shows the output from libsafe.
> The first and the second-to-last messages are from the test
> suite of libsafe.
> The other logs are from netscape
> (during flash/shockwave plug-in operation, from what I remember).
> You can see that netscape versions 4.72, 4.73 and 4.74 suffered
> from the memcpy() overwrite problem.
> (During the period, the kernel was upgraded from 2.2.14
> to 2.2.15, 2.2.16, 2.4.0-test4, etc.)
>
> ishikawa@standard$ more libsafe-netscape-showckwave-flash.bug
> Apr 23 01:04:15 standard libsafe.so[1534]: version 1.3
> Apr 23 01:04:15 standard libsafe.so[1534]: detected an attempt to write across stack boundary.
> Apr 23 01:04:15 standard libsafe.so[1534]: terminating /opt2/tools/libsafe/exploits/t1
> Apr 23 01:04:15 standard libsafe.so[1534]: overflow caused by strcpy()
> Apr 29 04:35:23 standard libsafe.so[648]: version 1.3
> Apr 29 04:35:23 standard libsafe.so[648]: detected an attempt to write across stack boundary.
> Apr 29 04:35:23 standard libsafe.so[648]: terminating /opt/ns472/netscape
> Apr 29 04:35:23 standard libsafe.so[648]: overflow caused by memcpy()
> May 2 02:11:53 standard libsafe.so[1153]: version 1.3
> May 2 02:11:53 standard libsafe.so[1153]: detected an attempt to write across stack boundary.
> May 2 02:11:53 standard libsafe.so[1153]: terminating /opt/ns472/netscape
> May 2 02:11:53 standard libsafe.so[1153]: overflow caused by memcpy()
> Jul 2 02:58:32 standard libsafe.so[1648]: version 1.3
> Jul 2 02:58:32 standard libsafe.so[1648]: detected an attempt to write across stack boundary.
> Jul 2 02:58:32 standard libsafe.so[1648]: terminating /opt/ns473/netscape
> Jul 2 02:58:32 standard libsafe.so[1648]: overflow caused by memcpy()
> Jul 2 23:39:05 standard libsafe.so[639]: version 1.3
> Jul 2 23:39:05 standard libsafe.so[639]: detected an attempt to write across stack boundary.
> Jul 2 23:39:05 standard libsafe.so[639]: terminating /opt/ns473/netscape
> Jul 2 23:39:05 standard libsafe.so[639]: overflow caused by memcpy()
> Jul 8 03:04:47 standard libsafe.so[390]: version 1.3
> Jul 8 03:04:47 standard libsafe.so[390]: detected an attempt to write across stack boundary.
> Jul 8 03:04:47 standard libsafe.so[390]: terminating /opt/ns473/netscape
> Jul 8 03:04:47 standard libsafe.so[390]: overflow caused by memcpy()
> Jul 11 04:10:47 standard libsafe.so[1424]: version 1.3
> Jul 11 04:10:47 standard libsafe.so[1424]: detected an attempt to write across stack boundary.
> Jul 11 04:10:47 standard libsafe.so[1424]: terminating /opt2/tools/libsafe/exploits/t1
> Jul 11 04:10:47 standard libsafe.so[1424]: overflow caused by strcpy()
> Aug 14 00:30:11 standard libsafe.so[393]: version 1.3
> Aug 14 00:30:11 standard libsafe.so[393]: detected an attempt to write across stack boundary.
> Aug 14 00:30:11 standard libsafe.so[393]: terminating /opt/ns474/netscape
> Aug 14 00:30:11 standard libsafe.so[393]: overflow caused by memcpy()
>
> It has been rather difficult to figure out exactly what URL caused
> libsafe to detect the error and abort netscape.
> Oftentimes, when I clicked on a new URL, one of the URL links in
> the new web page was a flash shockwave page and the loading
> automatically started, and before I knew it, netscape aborted.
>
> But for the last one, dated Aug 14, I know exactly what URL caused
> the abort. This prompted me to write this article.
> (Presumably, those who have access to the source code of
> the Flash/Shockwave plug-in should be able to fix this problem easily by
> trying the URL.)
>
> URL:
> http://www.washingtonpost.com/wp-srv/photo/conventions/
>
> There is a big photo of the national political convention
> in the middle and an "ENTER" button.
> Clicking on "ENTER" will start loading the flash/shockwave
> movie or something, and this triggered the error reported
> in the above log. (As soon as the loading of ~ 500KB of
> data ended, my netscape aborted.)
>
> Severity/Exploit:
>
> I have no idea how hard it is to exploit this memcpy overrun.
> But given that some linux distribution vendors felt it was necessary
> to do something about the jpeg decoder bug in netscape, this plug-in issue
> probably ought to be dealt with in a similar manner: this can certainly
> cause a DoS attack.
>
> Before I forget, let me explain that I tried to reach the people
> responsible for technical problems/security problems at Macromedia
> without success so far. Simply stated, I could not find contact e-mail
> addresses easily.
> I am not a registered user of these programs (they
> are available for free), and so it is very difficult to use the MacroMedia web
> submission forms. It has been a few weeks since I wrote to various
> addresses I found on the web pages. I have not heard from human
> recipients yet and decided to post this article instead in the hope of
> getting someone at MacroMedia to become aware of the problem.
>
> (Come to think of it, I thought this may be marginally related to the
> netscape browser itself, and so sent a message using the security
> reporting form on the Netscape web page. I wonder if the message was
> forwarded to MacroMedia.)
>
> I would welcome anyone forwarding this post to the responsible parties.
>
> My suggestions to software vendors: on the web page,
> either post a security-related contact address or at least a
> generic e-mail address where these findings can be sent.
> Posting only e-mail addresses for very limited use is not very helpful
> under these circumstances.
>
>
> --
> Ishikawa, Chiaki [EMAIL PROTECTED] or
> (family name, given name) [EMAIL PROTECTED]
> Personal Media Corp. ** Remove .NoSpam at the end before use **
> Shinagawa, Tokyo, Japan 142-0051
>

----- End forwarded message -----

--------------------------------------------------------------------------
To unsubscribe, send e-mail to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]
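The syslog excerpt in the post is short enough to read by eye, but a libsafe log from a busy machine is not, and the author's main difficulty was telling which process was terminated and which copy routine triggered the check. The following Python script is an added example, not part of the original post or of libsafe itself: it parses lines in the format quoted above, groups the four messages of one detection by pid, separates hits on libsafe's own test-suite exploits (assumed, as in the quoted log, to live under /opt2/tools/libsafe/exploits/) from hits on real programs, and summarizes which program and libc function were involved. The sample log is a constructed subset of the quoted lines with the mail-client line wrapping removed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the libsafe syslog lines quoted in the post,
# with the mail-client line wrapping ("stack >boundary.") joined back together.
SAMPLE_LOG = """\
Apr 23 01:04:15 standard libsafe.so[1534]: version 1.3
Apr 23 01:04:15 standard libsafe.so[1534]: detected an attempt to write across stack boundary.
Apr 23 01:04:15 standard libsafe.so[1534]: terminating /opt2/tools/libsafe/exploits/t1
Apr 23 01:04:15 standard libsafe.so[1534]: overflow caused by strcpy()
Apr 29 04:35:23 standard libsafe.so[648]: version 1.3
Apr 29 04:35:23 standard libsafe.so[648]: detected an attempt to write across stack boundary.
Apr 29 04:35:23 standard libsafe.so[648]: terminating /opt/ns472/netscape
Apr 29 04:35:23 standard libsafe.so[648]: overflow caused by memcpy()
Jul 2 02:58:32 standard libsafe.so[1648]: version 1.3
Jul 2 02:58:32 standard libsafe.so[1648]: detected an attempt to write across stack boundary.
Jul 2 02:58:32 standard libsafe.so[1648]: terminating /opt/ns473/netscape
Jul 2 02:58:32 standard libsafe.so[1648]: overflow caused by memcpy()
Aug 14 00:30:11 standard libsafe.so[393]: version 1.3
Aug 14 00:30:11 standard libsafe.so[393]: detected an attempt to write across stack boundary.
Aug 14 00:30:11 standard libsafe.so[393]: terminating /opt/ns474/netscape
Aug 14 00:30:11 standard libsafe.so[393]: overflow caused by memcpy()
"""

# One syslog line: "<Mon> <day> <hh:mm:ss> <host> libsafe.so[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"libsafe\.so\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
OVERFLOW_RE = re.compile(r"^overflow caused by (?P<func>\w+)\(\)")

# Assumption: libsafe's own test-suite exploits live under this directory,
# as in the quoted log; adjust for your installation.
LIBSAFE_TEST_DIR = "/opt2/tools/libsafe/exploits/"


@dataclass
class Detection:
    timestamp: str
    host: str
    pid: int
    libsafe_version: str = ""
    detected: bool = False
    program: str = ""
    function: str = ""


def parse_libsafe_log(text):
    """Group libsafe syslog lines into one Detection per (host, pid).

    Assumption: the four messages of one detection share a pid and no pid is
    reused within the log window, which holds for the sample above.
    """
    events = {}  # insertion-ordered, so detections come out in log order
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated syslog line
        key = (m["host"], int(m["pid"]))
        det = events.setdefault(key, Detection(m["ts"], m["host"], int(m["pid"])))
        msg = m["msg"].strip()
        if msg.startswith("version "):
            det.libsafe_version = msg[len("version "):]
        elif msg.startswith("detected an attempt to write across stack boundary"):
            det.detected = True
        elif msg.startswith("terminating "):
            det.program = msg[len("terminating "):]
        else:
            o = OVERFLOW_RE.match(msg)
            if o:
                det.function = o["func"]
    return list(events.values())


def is_self_test(det):
    """True when the terminated program is one of libsafe's own test exploits."""
    return det.program.startswith(LIBSAFE_TEST_DIR)


def netscape_version(program):
    """Map the install-path convention seen in the log (/opt/ns472/netscape) to '4.72'."""
    m = re.search(r"/ns(\d)(\d{2})/netscape$", program)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def summarize(detections):
    """Per real (non-test-suite) program: which libc function overflowed, and how often."""
    summary = defaultdict(Counter)
    for det in detections:
        if det.detected and not is_self_test(det):
            summary[det.program][det.function] += 1
    return dict(summary)


if __name__ == "__main__":
    for program, funcs in summarize(parse_libsafe_log(SAMPLE_LOG)).items():
        print(netscape_version(program), program, dict(funcs))
```

Grouping by pid rather than by timestamp matters because several unrelated processes can log within the same second; the version line, the detection line, the terminated program and the offending function are four separate syslog records and only the pid ties them together.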
