[Full-Disclosure] zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: GIFs Good, Flash Executable Bad]

From: zen-parse (zen-parse@gmx.net)
Date: 09/06/02


From: zen-parse@gmx.net (zen-parse)
Date: Fri, 6 Sep 2002 18:47:51 +1200 (NZST)

On Tue Sep 03 2002, Blue Boar wrote:
> This is one of my favorite vulnerabilities:
> http://online.securityfocus.com/bid/1503
> It's an overflow in the JPEG handler in Netscape.
>
> I don't know of one for GIFs off the top of my head, but the same
> principle applies. If there's a viewer with a bug, then there is a
> possibility that it can be used to exploit the client.
>
> BB

Zero width GIF file can cause exploitable heap corruption.
(Or: "Why not to use a graphical browser")

Vendor contacted: 17 Jul 2002
Internally patched: 19 Jul 2002 (according to changelog)
Received notification of patch: 29 Aug 2002 (via email)

http://crash.ihug.co.nz/~Sneuro/zerogif/

Contains an example exploit for malformed GIFs under Netscape 6.2.3
Also affects a number of other browsers, including Mozilla (of course) and
manages to kill Opera.

Example exploit (when it works properly) should create ~/.mashrc with
a sample replacement for ~/.bashrc.

Certain values in 'generic.c' and possibly other files will need changing
depending on library addresses.

Comments in pngshellcode.c are related to another exploit for Netscape
6.2.3... once I found one way to get data into known locations, I kept it.

Certain utilities (pnmtopng and ppmtogif) called by these programs are in
the netpbm-progs package.

$ make pngshellcode; ./pngshellcode
$ make enc; ./enc >mapfile.ppm ; make generic; ./generic

These commands will make the shellcode and the gif file.

This exploit is extremely "Proof of Concept" code. Sorry about the
system() calls.

This issue is patched in Netscape 7.0 and latest version of Mozilla.

There are a few other exploitable issues patched in Netscape 6.2.3
relating to other image formats.

I expect (hope for?) an advisory from Netscape at some point soon for this
and the other patched issues.

-- zen-parse

-- 
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.