Re: Netscape 4 DoS/Possibly exploitable buffer overflow. (fwd)

Roland Grefer (btirg@UI.UIS.DOLETA.GOV)
Thu, 19 Feb 1998 12:56:53 -0500

Here we go again ...

Roland

Date: Wed, 18 Feb 1998 15:57:37 -0500 (EST)
From: Roland Grefer <btirg@uis.doleta.gov>
To: bugtraq@netspace.org
Subject: Re: Netscape 4 DoS/Possibly exploitable buffer overflow.

Netscape 4.04 on NT 4.0 with SP3 has a buffer overflow in bookmarks, too.

Tests with strings up to 3976 bytes did not cause any problems;
strings of 3977 bytes in length and above crashed Netscape while it
was loading the bookmark file. The "Dr. Watson" log file did not
reveal any obvious indications.

Test entry in bookmark.htm (all in one line):

<DT><A HREF="http://www.test.org/" ADD_DATE="886800988"
LAST_VISIT="886801023"
LAST_MODIFIED="886800975">String_of_3977_byte_length</A>

Any insights regarding this length (buffer size) are welcome. The total
line length including the 4 leading blanks is 4090 bytes. I would have
expected a somewhat more "standard" buffer size of a multiple of 1024
(in this case: 4096) to be the limit/problem.

I have not reported this issue to Netscape. I did not find any reference
to this issue in the FAQs and bug reports at Netscape's web site.

Regards,
Roland

On Mon, 12 Jan 1998, Laslo Orto wrote:

> Netscape (version verified is 4.03) has a buffer overflow bug in their
> bookmarks code. When somebody goes to a web page with a very long title
> (6-8k) and then s/he bookmarks the page, Netscape will start crashing at
> loading bookmark.htm on startup. It's similar to the IE4 bug discovered
> not long ago, but here you have to get the victim to bookmark the attacker's
> page.
>
>
> Laslo Orto Computer Pages / Better.Net
> Systems Administrator 253 Sheppard Ave. West
> laslo@cpol.com / laslo@Better.net Toronto, Canada M2N 1N2
> www.cpol.com / www.better.net Ph: +1 416 225 3030
> Fax: +1 416 225 6737

--
- - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - -
Roland Grefer          | Department of Labor      | Ph: +1-202-219-8432x329
Senior Systems Analyst | Nat'l Office ETA/UIS/DIT | Fx: +1-202-219-8506
-=|=- -=|=- -=|=- -=|=-| 200 Constitution Ave, NW | -=|=- -=|=- -=|=- -=|=-
Base Technologies, Inc | Washington, DC 20210     | btirg@uis.doleta.gov
- - - - - - - - - - - - - - Speaking for myself - + - - - - - - - - - - - -
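
Added example, not part of the original messages: a small Python check that scans a bookmark.htm for entries at or above the sizes reported in the post (title of 3977 bytes, line of 4090 bytes), so an affected file can be found and repaired before the browser loads it. The function names and the filler title are assumptions made for illustration; the sample entry is constructed from the test entry quoted above.

```python
import re

# Thresholds taken from the post: titles of 3977 bytes and up crashed
# Netscape 4.04 on load; the full test line was 4090 bytes.
TITLE_LIMIT = 3977
LINE_LIMIT = 4090

# One bookmark entry on a line: <DT><A HREF="..." ...>title</A>
ENTRY_RE = re.compile(rb'<DT>\s*<A\s+([^>]*)>(.*?)</A>', re.IGNORECASE)
HREF_RE = re.compile(rb'HREF="([^"]*)"', re.IGNORECASE)


def make_entry(title_len):
    """Constructed sample: the post's test entry with a filler title.
    Joined on one line with single spaces, as the post describes."""
    return (b'    <DT><A HREF="http://www.test.org/" ADD_DATE="886800988" '
            b'LAST_VISIT="886801023" LAST_MODIFIED="886800975">'
            + b'A' * title_len + b'</A>')


def scan_bookmarks(data):
    """Return one finding per line whose title or total length reaches
    the limits above. Works on raw bytes, since the limits are in bytes."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        m = ENTRY_RE.search(line)
        title_len = len(m.group(2)) if m else None
        href = HREF_RE.search(m.group(1)) if m else None
        too_long_title = title_len is not None and title_len >= TITLE_LIMIT
        # Also flag over-long lines that do not parse as a complete entry.
        if too_long_title or len(line) >= LINE_LIMIT:
            findings.append({
                "line": lineno,
                "href": href.group(1).decode("latin-1") if href else None,
                "title_bytes": title_len,
                "line_bytes": len(line),
            })
    return findings


if __name__ == "__main__":
    # Constructed bookmark file: one normal entry, one just under the
    # reported limit, and one at the reported crashing length.
    sample = b"\n".join([b"<DL><p>", make_entry(20),
                         make_entry(3976), make_entry(3977)])
    for f in scan_bookmarks(sample):
        print(f)
```
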