---------- Forwarded message ----------
From: HD Moore (hdmoore@USA.NET)
To: BUGTRAQ@netspace.org
Date: Thu, 8 Oct 1998 23:06:19 -0500
Subject: Re: Remote CGI can crash Netscape 4.x (and current source for 5.x)

Maybe this will give an idea of *why* it's crashing...

Digging around in the mozilla source code (http://www.mozilla.org), I found
these references to the content type of "internal/parser":

--[ from net.h in /mozilla/include ]--

/* This is like text/html, but also implies that the charset is that of
   the window.  This type should not escape to the outside world!
 */
#define INTERNAL_PARSER      "internal/parser"

--[ from mimemoz.c in /mozilla/lib/libmime/ ]--

  /* If we've converted to HTML, then we've already done charset conversion,
     so label this data as "internal/parser" to prevent it from being passed
     through the charset converters again. */

  if (msd->options->write_html_p &&
      !strcasecomp(type, TEXT_HTML))
    type = INTERNAL_PARSER;

______________________________________________________________

If you are curious as to how this makes it crash, grep the source code for
"INTERNAL_PARSER" and you can see the many places where data with this
content type, but not in that format, will crash the browser.  Here are some
other interesting cuts from the mozilla source:

--[ from mozilla.cpp in /mozilla/cmd/winfe ]--

 //      added by ftang & jliu, just remap it from memory_stream->net_ColorHTMLStream
    NET_RegisterContentTypeConverter(INTERNAL_PARSER, FO_VIEW_SOURCE,
                                     TEXT_HTML, net_ColorHTMLStream);

--[ from pagescan.c in /mozilla/network/main/ ]--

if ((URL_s->server_status >= 400) ||
    /* don't attempt to parse non-html */
    ((PL_strstr(URL_s->content_type, TEXT_HTML) == NULL) &&
     (PL_strstr(URL_s->content_type, INTERNAL_PARSER) == NULL))) {
    /* URL_s->dont_cache = PR_FALSE; */
    obj->page->dontFollow = PR_TRUE;
}

Here is the NPL disclaimer so I don't get bitched at for quoting source
code:

/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * The contents of this file are subject to the Netscape Public License
 * Version 1.0 (the "NPL"); you may not use this file except in
 * compliance with the NPL.  You may obtain a copy of the NPL at
 * http://www.mozilla.org/NPL/
 *
 * Software distributed under the NPL is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the NPL
 * for the specific language governing rights and limitations under the
 * NPL.
 *
 * The Initial Developer of this code under the NPL is Netscape
 * Communications Corporation.  Portions created by Netscape are
 * Copyright (C) 1998 Netscape Communications Corporation.  All Rights
 * Reserved.
 */
/* Please leave outside of ifdef for windows precompiled headers */


Jim Paris wrote:

> Netscape 4.x will crash when given a content-type of "internal/parser".
> Earlier versions seem unaffected.  Tested versions are 4.05 and 4.5b1.
> Under Win95 it simply hangs and needs a three finger salute to kill it.
> It dies with a bus fault under Linux.  To test it, try
> http://www.jtan.com/~jim/netscape-crash.cgi , which contains
>
> #!/bin/sh
> echo Content-type: internal/parser
> echo
> echo If you can see this, your browser is OK!
>
> It may be possible to do worse than crash a browser.  If this data is
> going to the same place that parsed pages go, I would imagine that
> buffer overflows are present.
>
> I submitted a bug report to Netscape.
>
> -jim
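As an added illustration (not Netscape's code and not from the thread), here is the kind of boundary check the net.h comment implies: a Content-Type received from the network is parsed and anything in the reserved internal namespace is replaced with a harmless fallback before the data reaches the content pipeline. The `internal/` prefix rule and the `application/octet-stream` fallback are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Media types reserved for the browser's own use. The browser assigns these
   to data it has already transformed; they must never be accepted from the
   network. "internal/parser" is the one discussed in the thread. (Assumed
   namespace rule for this example.) */
#define INTERNAL_PREFIX "internal/"

/* Fallback for responses whose declared type is not acceptable: treat the
   body as opaque bytes, never as markup. (Assumed choice.) */
#define SAFE_FALLBACK_TYPE "application/octet-stream"

/* Extract the bare media type (e.g. "text/html") from a header value such as
   "  Text/HTML ; charset=iso-8859-1", lower-cased, into out.
   Returns 0 on success, -1 if the value is malformed or too long. */
int parse_media_type(const char *header, char *out, size_t outlen)
{
    size_t n = 0;
    int slashes = 0;

    while (*header == ' ' || *header == '\t') header++;
    for (; *header && *header != ';' && *header != ' ' && *header != '\t'; header++) {
        if (n + 1 >= outlen) return -1;
        if (*header == '/') slashes++;
        out[n++] = (char)tolower((unsigned char)*header);
    }
    out[n] = '\0';
    /* A media type is exactly "type/subtype" with both parts non-empty. */
    if (slashes != 1 || n == 0 || out[0] == '/' || out[n - 1] == '/') return -1;
    return 0;
}

/* Decide which media type the content pipeline may see for a network
   response. Reserved internal types and unparseable values are replaced by
   the safe fallback. Returns 1 if the declared type was accepted, 0 if it
   was replaced. */
int sanitize_network_content_type(const char *header, char *out, size_t outlen)
{
    char type[128];

    if (parse_media_type(header, type, sizeof type) != 0 ||
        strncmp(type, INTERNAL_PREFIX, strlen(INTERNAL_PREFIX)) == 0) {
        snprintf(out, outlen, "%s", SAFE_FALLBACK_TYPE);
        return 0;
    }
    snprintf(out, outlen, "%s", type);
    return 1;
}
```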

---------- Forwarded message ----------
From: Aleph One (aleph1@DFW.NET)
To: BUGTRAQ@netspace.org
Date: Thu, 8 Oct 1998 20:58:19 -0500
Subject: Re: Remote CGI can crash Netscape 4.x

Summarizing all the messages that have been sent to the list:

Netscape 4.x will crash under Win 95/98/NT, Solaris, and SunOS.
It seems to survive under Macs and maybe HP-UX.

You can now stop posting "me too" messages to the list.

On another front, I'd like to thank route/daemon9. He has been kind enough
to take care of the lists for a couple of weeks on and off over the last couple
of months while I take off to other parts of the world. He also celebrated
his b-day this week. A tip of the hat to him.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01