SecurityTracker.com

Category:  Application (Web Browser)  >  Netscape Communicator
Vendors:  Netscape
Netscape Browser Java Buffer Overflow in canConvert() Method Allows Malicious Applets to Execute Arbitrary Code
SecurityTracker Alert ID:  1005714
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 26 2002
Impact:  Execution of arbitrary code via network, User access via network
Version(s): 4.x
Description:  A buffer overflow vulnerability was reported in the Netscape (version 4) Java implementation. A remote user can execute arbitrary code on the target user's system.

It is reported that a remote applet can trigger a buffer overflow in the canConvert() method of the sun.awt.windows.WDefaultFontCharset class by passing a long string to the constructor of the class and invoking the canConvert() method on the created instance, as shown below:

new WDefaultFontCharset(long_string).canConvert('x');

The vendor has reportedly been notified.

Impact:  A remote user can create a malicious applet that will cause arbitrary code to be executed on a target user's system when the applet is loaded by the target user's browser.
Solution:  No solution was available at the time of this entry.

The author of the report indicates that Netscape 4 users can protect themselves from the flaw by disabling Java in Preferences.

Vendor URL:  www.netscape.com/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Jouko Pynnonen <jouko@solutions.fi>
Message History:   None.


 Source Message Contents

Date:  Tue, 26 Nov 2002 20:12:56 +0200 (EET)
From:  Jouko Pynnonen <jouko@solutions.fi>
Subject:  Netscape 4 Java buffer overflow

 



The Java implementation of Netscape 4 contains a buffer overflow 
vulnerability. Arbitrary code may be run on a Netscape user's system 
when a web page containing a malicious applet is viewed.

The buffer overflow happens in the method canConvert() of the class 
sun.awt.windows.WDefaultFontCharset. An applet may trigger the overflow 
by passing a long string to the constructor of the class and invoking the 
method canConvert() on the created instance. In Java:

  new WDefaultFontCharset(long_string).canConvert('x');

The vulnerability is a trivial case of buffer overflow. Its 
exploitability has been confirmed with an exploit which runs a program 
when a web page is viewed.

Netscape 4 has a very limited user base nowadays. Other Netscape 
versions use Sun Microsystems' Java Plug-in so they aren't vulnerable. 
This vulnerability only affects the Windows platform which limits the 
number of vulnerable systems further. The vulnerability doesn't appear 
exploitable on other browsers. Netscape and Sun Microsystems were 
informed about the problem in August 2002. Netscape 4 users can protect 
themselves from the flaw by disabling Java in Preferences.


  Jouko Pynnönen
  jouko@solutions.fi


 



Copyright 2002, SecurityGlobal.net LLC