Date: Wed, 18 Feb 1998 15:57:37 -0500 (EST)
From: Roland Grefer 
To: bugtraq@netspace.org
Subject: Re: Netscape 4 DoS/Possibly exploitable buffer overflow.

Netscape 4.04 on NT 4.0 with SP3 has a buffer overflow in bookmarks, too.

Tests with strings of up to 3976 bytes did not cause any problems;
strings of 3977 bytes in length and above crashed Netscape while it
was loading the bookmark file. The "Dr. Watson" log file did not
reveal any obvious indications.

Test entry in bookmark.htm (all in one line):

    <DT><A HREF="http://www.test.org/" ADD_DATE="886800988" LAST_VISIT="886801023" LAST_MODIFIED="886800975">String_of_3977_byte_length</A>

Any insights regarding this length (buffer size) are welcome. The total
line length including the 4 leading blanks is 4090 bytes. I would have
expected a somewhat more "standard" buffer size of a multiple of 1024
(in this case: 4096) to be the limit/problem.

I have not reported this issue to Netscape. I did not find any reference
to this issue in the FAQs and bug reports at Netscape's web site.

Regards,
Roland

On Mon, 12 Jan 1998, Laslo Orto wrote:

> Netscape (version verified is 4.03) has a buffer overflow bug in their
> bookmarks code. When somebody goes to a web page with a very long title
> (6-8k) and then s/he bookmarks the page, netscape will start crashing at
> loading bookmark.htm on startup. It's similar to the IE4 bug discovered
> not long ago, but here you have to get the victim to bookmark the attackers
> page.
>
>
> Laslo Orto                              Computer Pages / Better.Net
> Systems Administrator                   253 Sheppard Ave. West
> laslo@cpol.com / laslo@Better.net       Toronto, Canada M2N 1N2
> www.cpol.com / www.better.net           Ph: +1 416 225 3030
>                                         Fax: +1 416 225 6737

--
- - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - -
Roland Grefer          | Department of Labor      | Ph: +1-202-219-8432x329
Senior Systems Analyst | Nat'l Office ETA/UIS/DIT | Fx: +1-202-219-8506
-=|=- -=|=- -=|=- -=|=-| 200 Constitution Ave, NW | -=|=- -=|=- -=|=- -=|=-
Base Technologies, Inc | Washington, DC 20210     | btirg@uis.doleta.gov
- - - - - - - - - - - - - - Speaking for myself - + - - - - - - - - - - - -
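An added example, not code from either Bugtraq post: a small Python generator that rebuilds the test entry from the message above with a title of any chosen byte length, wraps it in a complete bookmark.htm, and bisects for the smallest crashing length given a crash oracle (a real oracle would launch Netscape on the generated file and report whether it survived; the one in the block's main is a stand-in that simply returns the reported threshold). The URL and the three timestamps are the values from the post; the file header and footer are the standard Netscape bookmark wrapper. With the post's values, line_length(3977) comes out to 4090, matching the total line length given in the message, which puts the fixed markup around the title at 113 bytes.

```python
# Added example, not code from either Bugtraq post: reproduce the test
# entry Roland Grefer describes and search for the title length at which
# Netscape 4 starts to crash when loading bookmark.htm.
import os
import tempfile

# Values taken from the entry in the post; any URL and timestamps would do.
URL = "http://www.test.org/"
ADD_DATE = "886800988"
LAST_VISIT = "886801023"
LAST_MODIFIED = "886800975"
INDENT = "    "  # the four leading blanks the post counts in the line length

# Standard Netscape bookmark file wrapper around the entries.
FILE_HEAD = (
    "<!DOCTYPE NETSCAPE-Bookmark-file-1>\n"
    "<!-- This is an automatically generated file. -->\n"
    "<TITLE>Bookmarks</TITLE>\n"
    "<H1>Bookmarks</H1>\n"
    "<DL><p>\n"
)
FILE_TAIL = "</DL><p>\n"


def bookmark_entry(title_len, filler="A"):
    """One <DT><A ...>title</A> line whose title is title_len bytes long.

    filler must be a single ASCII character so that character count
    equals byte count, which is what the post measures.
    """
    if len(filler) != 1 or ord(filler) > 127:
        raise ValueError("filler must be one ASCII character")
    return (
        f'{INDENT}<DT><A HREF="{URL}" ADD_DATE="{ADD_DATE}"'
        f' LAST_VISIT="{LAST_VISIT}" LAST_MODIFIED="{LAST_MODIFIED}">'
        f"{filler * title_len}</A>"
    )


def line_length(title_len):
    """Total length of the entry line, indent included (the post's 4090)."""
    return len(bookmark_entry(title_len))


def bookmark_file(title_len):
    """Complete bookmark.htm text containing a single oversized entry."""
    return FILE_HEAD + bookmark_entry(title_len) + "\n" + FILE_TAIL


def write_bookmark_file(path, title_len):
    """Write bookmark_file(title_len) to path as bytes; returns bytes written."""
    data = bookmark_file(title_len).encode("ascii")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def find_threshold(crashes, lo, hi):
    """Smallest title length in [lo, hi] for which crashes(n) is True.

    crashes(n) is an oracle (for a real test: launch Netscape with
    bookmark_file(n) installed and see whether it survives). Assumes
    monotonic behaviour: once a length crashes, every longer length
    does too. Returns None if even hi does not crash.
    """
    if not crashes(hi):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if crashes(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    # Write the post's 3977-byte case to a temporary file for manual testing.
    path = os.path.join(tempfile.gettempdir(), "bookmark.htm")
    n = write_bookmark_file(path, 3977)
    print(f"{path}: {n} bytes, entry line is {line_length(3977)} chars")
    # Hypothetical oracle standing in for a real Netscape run: crashes at
    # the threshold reported for NT 4.0 (the Win95 report would give 1080).
    print("threshold:", find_threshold(lambda k: k >= 3977, 1, 8192))
```

Generating the 3976 and 3977 cases side by side is enough to confirm the threshold on a given build; since the Win95 report that follows puts the limit above 1079 rather than 3976, the bisect is worth rerunning per build and locale rather than assuming one figure.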

=-=

From sublett@SWIPNET.SE Sun Mar  8 00:39:19 1998
From: SubLett 
X-Sender: mg18016@gaia.swipnet.se
To: BUGTRAQ@NETSPACE.ORG
Date: Thu, 19 Feb 1998 21:39:08 +0100
Subject: Re: Netscape 4 DoS/Possibly exploitable buffer overflow.

>Subject: Re: Netscape 4 DoS/Possibly exploitable buffer overflow.
>Netscape 4.04 on NT 4.0 with SP3 has a buffer overflow in bookmarks, too.
>

I tried this on my computer running Win95 3.0.950B with Netscape
4.04 Swedish version. Strings that go over 1079 chars tend to
crash Netscape...

Norton Crashguard reported the following:

NETSCAPE.EXE caused fault #c0000005 in NETSCAPE.EXE at address 014f:00532b9b
MSG("Netscape", WM_CREATE, 00000000, 0088E6F4)

-- SubLett