Netscape Communicator has been shown to crash when an argument of 800 characters is supplied with a URL. Some of the data passed as the argument makes its way into the EIP and EBP registers, so execution of arbitrary code is definitely possible.
Credit:
The mentioned vulnerability was discovered by: Mike Boto.
Vulnerable systems:
Netscape Communicator 4.7
Netscape Navigator has a vulnerability that causes it to crash when a URL containing long variables is entered. When this happens, Netscape Navigator crashes and executes the arbitrary buffer passed by the URL.
After entering the hexadecimal value 0xAAAAA.... (with about 800 A's) after the http://hostname/dosomething.asp? URL, Netscape crashes with the following error:
NETSCAPE caused an invalid page fault in
module <unknown> at 0084:41414141.
Registers:
EAX=00000000 CS=015f EIP=41414141 EFLGS=00010246
EBX=00954c84 SS=0167 ESP=00b486f4 EBP=41414141
ECX=0000003f DS=0167 ESI=000031d2 FS=0fdf
EDX=00b47dd3 ES=0167 EDI=00b4c160 GS=0000
Bytes at CS:EIP:
Stack dump:
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
You can observe that the stack and the EIP and EBP registers are smashed by the contents of the buffer, making it possible to execute arbitrary code.
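The triage reasoning above can be automated. The following is an added example, not part of the original advisory: it parses the fault report quoted above and flags every register and stack word that consists entirely of the filler byte 0x41 (the ASCII code of "A"). The function names and the report-parsing rules are assumptions made for this illustration.

```python
import re

# Fault report copied from the advisory text above.
FAULT_REPORT = """\
NETSCAPE caused an invalid page fault in
module <unknown> at 0084:41414141.
Registers:
EAX=00000000 CS=015f EIP=41414141 EFLGS=00010246
EBX=00954c84 SS=0167 ESP=00b486f4 EBP=41414141
ECX=0000003f DS=0167 ESI=000031d2 FS=0fdf
EDX=00b47dd3 ES=0167 EDI=00b4c160 GS=0000
Bytes at CS:EIP:
Stack dump:
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
"""

# 32-bit registers only (EAX..EDI, EIP, EFLGS); 16-bit segment registers are skipped.
REG_RE = re.compile(r"\b(E[A-Z]{2,4})=([0-9a-fA-F]{8})\b")
WORD_RE = re.compile(r"^[0-9a-fA-F]{8}$")


def is_filler(word, filler):
    """True if every byte of the 32-bit hex word equals the filler byte."""
    return bytes.fromhex(word) == bytes([filler]) * 4


def triage(report, filler=0x41):
    """Summarise which registers and stack words hold only the filler byte."""
    regs = dict(REG_RE.findall(report))
    stack, in_stack = [], False
    for line in report.splitlines():
        if line.startswith("Stack dump:"):
            in_stack = True
        elif in_stack:
            stack += [w for w in line.split() if WORD_RE.match(w)]
    tainted = sorted(r for r, v in regs.items() if is_filler(v, filler))
    return {
        "tainted_registers": tainted,
        "stack_words": len(stack),
        "stack_filler_words": sum(is_filler(w, filler) for w in stack),
        # EIP made only of input bytes means the saved return address was overwritten.
        "control_flow_hijack": "EIP" in tainted,
    }


if __name__ == "__main__":
    print(triage(FAULT_REPORT))
```

ESP is not flagged because it still points into the process stack; only the saved frame pointer and return address, restored into EBP and EIP, carry the input bytes.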