[NT] Predictable Directory Structure Allows Theft of Netscape Preferences File
From: support@securiteam.com
Date: 11/21/02
From: support@securiteam.com To: list@securiteam.com Date: 21 Nov 2002 11:21:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Predictable Directory Structure Allows Theft of Netscape Preferences File
------------------------------------------------------------------------
SUMMARY
Netscape Communications Corp.'s Communicator is a popular package that
includes a web browser (Navigator), e-mail client, news client, and
address book. A vulnerability in the product allows stealing of the user's
preferences.
DETAILS
Socially engineering users of Netscape Communicator 4.x's web browser and
e-mail client into clicking on a malicious link could return the contents
of the targeted user's preferences file back to a remote attacker.
The attack involves redefining user_pref(), an internal JavaScript function
that Communicator calls once for every entry when it loads the prefs.js
file. The redefined function builds a string of all user preferences and
stores it in a hidden field of a form, which a second JavaScript routine
later submits to the attacker. For the redefinition to take effect, the
attacker must host the exploit script on a Windows (or Samba) share and
coerce a victim into following a link to it, because Communicator only
allows local files to redefine internal functions. A sample link to an
attack script would look like file:///attacker.example.com/thief.html.
Analysis:
Remote exploitation allows an attacker to steal user preferences,
including the victim's real name, e-mail address, e-mail server, URL
history and, in some cases, e-mail password.
Detection:
Netscape Communicator 4.x is vulnerable. Communicator 6 and later is not
vulnerable, because it stores the prefs.js file in a randomized location.
Disclosure timeline:
08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified (support@netscape.com, info@netscape.com,
pradmin@netscape.com)
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure
ADDITIONAL INFORMATION
The information has been provided by David Endler of iDEFENSE
(dendler@idefense.com); the vulnerability was discovered by Bennett
Haselton (bennett@peacefire.org).