Buffer Overflow In All Shockwave Players
drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"."
Many embedded web browsing devices ship with support for Flash. Maybe this overflow could be used to execute arbitrary code on those boxes if it was not possible otherwise. E.g. just load a Shockwave movie from http://linux.boot.org/ and your box will boot to Linux. Wouldn't that be cool?
Now, think what we could do with a Beowulf cluster of Flashed computers. This will give a whole new meaning to flashing new applications.
Err.. you're really lost if you think this code is being executed in the data segment, but anyway: on x86 there is only READ_EXEC_ONLY, READ_WRITE_EXEC, READ_ONLY or NO_PERMISSIONS. You can't say READ_WRITE_ONLY, which is the problem. If you want a data section that is read-only, you can have that, but if you want a read/write data section that is not executable, sorry, that's not offered.
How we know is more important than what we know.
so that's what the boys at gabocorp have been doing all along!
those nefarious bastards!
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
"It is seldom that liberty of any kind is lost all at once." -David Hume
No, it is completely NOT necessary with css.
Unless you're selling DVDs, you don't have to worry about CSS issues.
Oh, that CSS. Cascading style sheets. The one that crashes Netscape 4.x, one of the most popular browsers on the Net (because Mozilla won't run well on their 32 MB machines). If you're using CSS layout, you may want to use a DeCSS filter to remove the formatting for those who are behind Nutscrape.
Tetris on drugs, NES music, and GNOME vs. KDE Bingo.
Will I retire or break 10K?
Many people haven't updated NS since the "every web browser is a server with JAVA" security hole. So I doubt anyone will care.... :(
The majority of users won't care if their browser has security issues. They have their browser, they may have had it set up for them, or they may just not want to download a newer browser; this, and most other browser security holes, will be left open.
The Windows update utility will fix this for some Windows users, but again, most users aren't using the latest version, or they'll just cancel the download.
Are there any really good ways for a browser to be kept up to date without causing too much trouble on the user's part or sacrificing any security (for the anti-Microsoft paranoids)?
#include <stdio.h>
#include <stdlib.h>

int getnextnumber(FILE *fp)
{
    char line[100];         /* 100-byte buffer... */
    fgets(line, 200, fp);   /* ...but fgets is told it may store up to 199 chars plus NUL */
    return atoi(line);
}
(I may have got the parameters in the wrong order above, don't flame me, it's the principle that I'm trying to describe)
In the above, the programmer has allocated a 100 byte array for input of a number, but has called fgets to read a line of up to 200 characters. So a 101 byte line will overflow the buffer.
With the way most C compilers on most platforms allocate memory, the same stack is used to store the return address to jump to when the function has completed executing as is used for the data itself. Therefore, a buffer overflow exploit needs to put code in the buffer, work out where that code will be when the function is executed, and overwrite the return address with the address of that code.
It's not easy, but a number of factors can help a hacker in this situation: usually, once compiled for a particular platform (on 32-bit platforms at least), the function will normally always appear in the same place in memory, and when the program is running, if you're careful about the conditions under which you feed it bad data, you can make a reasonable assessment as to where the stack will be when it's called.
The majority of UNIX hacks I've seen on the Bugtraq lists are buffer overflow exploits, and from what I recall, they're the major ones the OpenBSD team are constantly on the lookout for. So it's a real problem, and assuming the Shockwave overflow is predictable as described above (or requires little overflow anywhere else to overwrite code or a return address), it's credible someone might use it.
So don't run Netscape as root. Unless you're a Windows 9X/Me user of course, where you don't have much choice...
--
You are not alone. This is not normal. None of this is normal.
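The fgets() mismatch in the post above is the whole bug: the bound passed to fgets() is a literal that has drifted away from the real buffer size. The following is an added example, not code from the original post or from Macromedia: a bounded replacement in which the bound is taken from the buffer itself, an over-long line is truncated and drained (so its tail is not read back as the next number), and a small helper computes how many bytes the original call would have written past the end of its array. The function names, the 150-character input line and the tmpfile()-backed FILE* are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bounded replacement for getnextnumber() (example code, not the original).
 * The bound handed to fgets() is sizeof line, so buffer and bound cannot
 * drift apart. A line longer than the buffer is truncated and the rest of
 * it is discarded, so the tail is not silently parsed as the next number.
 * Returns 1 and stores the value on success, 0 on EOF or if no digits.
 */
int getnextnumber_bounded(FILE *fp, int *out)
{
    char line[100];
    char *end;
    long v;
    size_t len;

    if (fgets(line, sizeof line, fp) == NULL)
        return 0;                          /* EOF or read error */

    len = strlen(line);
    if (len > 0 && line[len - 1] == '\n') {
        line[len - 1] = '\0';
    } else {
        /* Line was longer than the buffer: drain the remainder. */
        int c;
        while ((c = fgetc(fp)) != EOF && c != '\n')
            ;
    }

    v = strtol(line, &end, 10);
    if (end == line)
        return 0;                          /* no digits at all */
    *out = (int)v;
    return 1;
}

/*
 * Bytes the original fgets(buf, fgets_bound, fp) would store past the end
 * of a buf_size-byte array for a line of line_len characters (newline not
 * counted): fgets stores at most fgets_bound-1 characters, newline
 * included, plus the terminating NUL.
 */
size_t overflow_bytes(size_t line_len, size_t buf_size, size_t fgets_bound)
{
    size_t chars = line_len + 1;                  /* +1 for the newline */
    if (chars > fgets_bound - 1)
        chars = fgets_bound - 1;
    chars += 1;                                   /* +1 for the NUL */
    return chars > buf_size ? chars - buf_size : 0;
}

/* Test helper: wrap a constructed byte string in a FILE* via tmpfile(). */
static FILE *file_from_string(const char *s)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(s, fp);
    rewind(fp);
    return fp;
}

/*
 * Constructed input: a 150-character first line ("123" then 147 'a's),
 * followed by "42". Against the original 100-byte buffer with a 200 bound,
 * fgets() would store 150 chars + newline + NUL = 152 bytes, 52 past the
 * end of the array. The bounded reader returns 123 and then 42.
 */
#define LONG_LINE_LEN 150

struct two_numbers { int ok; int first; int second; };

struct two_numbers read_two_numbers(void)
{
    struct two_numbers r = { 0, 0, 0 };
    char input[LONG_LINE_LEN + 8];                /* 150 + "\n42\n" + NUL */
    FILE *fp;

    memset(input, 'a', LONG_LINE_LEN);
    memcpy(input, "123", 3);
    strcpy(input + LONG_LINE_LEN, "\n42\n");

    fp = file_from_string(input);
    if (fp == NULL)
        return r;
    r.ok = getnextnumber_bounded(fp, &r.first) &&
           getnextnumber_bounded(fp, &r.second);
    fclose(fp);
    return r;
}

int main(void)
{
    struct two_numbers r = read_two_numbers();
    printf("ok=%d first=%d second=%d\n", r.ok, r.first, r.second);
    printf("original call would overflow by %zu bytes\n",
           overflow_bytes(LONG_LINE_LEN, 100, 200));
    return 0;
}
```

The drain loop is the part people forget: without it, truncating the line leaves "aaaa...a" in the stream and the next call parses it (or, with atoi, silently returns 0), which is a correctness bug rather than a memory-safety one, but it is the usual reason a "fixed" fgets() bound gets quietly raised again later.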
The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).
;),
:P)
Hardly anyone who does Flash even knows about, let alone cares about Linux support.
The two major consumer platforms are well supported (and exploited, now!)
and Linux still holds a tiny amount of market share.
Not to mention hardcore Linux users will occasionally drop into 'doze or MacOS to browse,
simply because Netscape sucks SO much.
(Konqueror, on the other hand, is really getting there. Even supports Flash.)
IIRC, keyboard navigation *IS* possible in Flash, but it has to be authored in, which most people neglect to do.
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
Once again, the average Flash author will prolly think 'X' is some pr0n reference.
X platforms simply don't have enough market share for Random Webdesigner to care about - as long as (s)he hits the target audience and gets paid, (s)he's happy.
The Flash player is definitely a buggy piece of software, but I've had far less lockups and far more speed with Flash than with Java, so I really can't bitch about stability too much.
The buffer overflow is *extremely* careless tho...hopefully Macromedia will fix it soon.
--K
I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.
One common misconception about Unix security is that if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.
Well after a little searching I found where M$ hides shockwave for IE5.
c:\windows\system\macromedia
it's now been sent to
/dev/null .....
Here's the bugtraq id on securityfocus:
http://www.securityfocus.com/bid/2162
Cheers
There are languages, and libraries for other languages, out there that build in buffer bounding without you having to trust your programmers to handcode a check every time they make an I/O call.
When are developers going to wise up? Or do we still have a world full of developers who've never heard of the concept "buffer overflow", and thus don't know they should be taking precautions.
I know there are subtleties of security that won't be cured by a silver bullet, but BOs are discovered almost daily, and unless you're a hermit that never hears about any of those discoveries, there's not much excuse for publishing a program with a BO in it.
[Writer crosses fingers hoping not to be the next person to publish one!]
--
Sheesh, evil *and* a jerk. -- Jade
Anyone who thinks that a good website should depend on a plugin/javascript/animated graphics/java/images with no tags/frames/ or overdesigned pages that take forever to load on a 14.4 connection deserves the complaints from users they will get at the email address listed under 'feedback' on their page.
/. that said "If I wanted your site to make music, I'd have turned on the radio"
Spend your time on content, and when you've got good content, add in features... but don't ever trade off usability or accessibility for 'animated pull-down menus with sound and all sorts of mouseover hoopla' that won't work with anything but the latest browsers.
Use lynx and links to test your site for navigation. If you can't at least navigate your site with these tools, then it's time start over.
My personal list of website peeves:
- Click here to enter -- Duh!? I already entered the url, doesn't that mean I want to enter?
- anything that says UNDER CONSTRUCTION -- no informational value. Everything on the internet is under construction
- clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
- more than 2 frames in a page - on rare occasion, I can stomach two frames.
- using javascript for something that could be done with standard html - don't use javascript to display text, for example
- websites that play music - saw a sig on
- websites that have all info in non-html or text formats like doc, xls, pdf, ps - Thanks for nothing - just post the info and use html or text. More info and file formats are nice, but put the info in text first.
- websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
- popup ads - did I ask you to open a window?
- any site that says: "Welcome to my website" - duh!
- more than one animated gif on a page
there are more, but I don't have the time to list them all. Bottom line: cut the junk and and leave the content.
This is still in existence for the sole reason that no one has bothered to write an exploit for it. In situations like this the standard response is to create a web page that explains what the exploit does and how it will do it. Then a link is included that says "show me, I want to be exploited" and clicking on the link does something fancy like writing files to your hard drive or desktop along with bringing up a message box. Why is this necessary? Because most companies do not have the time or manpower to track down every little bug and fix it, no matter the security risk, and it is only after demonstrating that this is a serious problem that customers start to complain and companies take notice.
How we know is more important than what we know.
-Having two points on the same coordinate in any kind of vectorial shape causes a crash (something like a division by zero).
-The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
-Specs for the newest .swf format revisions are always kept secret. Flash5 contains a JavaScript like language called ActionScript. This kind of stuff scares me to death...
It could always be possible to alias the netscape command to be transparently invoked as another user by placing the following in one's ~/.bashrc :
alias nsnav='su - dummy -c netscape'   # browser runs as the unprivileged "dummy" user
alias nsmail=netscape                  # mail stays under your own account
Launch mail as usual or with the nsmail command, and if you want to surf (see here for why you would want to), just launch Navigator with the nsnav command.
Of course, you'd better use Konqueror or W3-Emacs but this was my 0.01$ bit.
--
Trolling using another account since 2005.
-- If no truths are spoken then no lies can hide --
But I guess they feel that it is now a bigger threat. Maybe joecartoon and killfrog have been rooting our boxes unsuspectingly for the last year, and they are not catching on.
Oh well, my favorite resource has some more information here