[VulnWatch] iDEFENSE Security Advisory 11.19.02c: Netscape Predictable Directory Structure Allows Theft of Preferences File
From: David Endler (dendler@idefense.com)
Date: 11/20/02
- Previous message: Marc Maiffret: "[VulnWatch] Update: EEYE: Macromedia ColdFusion/JRun Remote SYSTEM Buffer Overflow Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Endler" <dendler@idefense.com> To: vulnwatch@vulnwatch.org Date: Tue, 19 Nov 2002 18:15:40 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 11.19.02c:
http://www.idefense.com/advisory/11.19.02c.txt
Predictable Directory Structure Allows Theft of Netscape Preferences
File
November 19, 2002
I. BACKGROUND
Netscape Communications Corp.'s Communicator is a popular package
that includes a web browser (Navigator), e-mail client, news client,
and address book.
II. DESCRIPTION
Socially engineering users of Netscape Communicator 4.x's web browser
and e-mail client into clicking on a malicious link could return the
contents of the targeted user's preferences file back to a remote
attacker.
The attack involves the redefinition of user_pref(), which is an
internal JavaScript function. The redefined function constructs a
string of all user preferences stored in the hidden field of a form
and later submitted by another JavaScript routine. In order for the
redefinition to occur, an attacker must store the exploit script in a
Windows (or Samba) share and coerce a victim into following a link to
it. A sample link to an attack script would look like
file:///attacker.example.com/thief.html. Communicator only allows
local files to redefine internal functions.
III. ANALYSIS
Remote exploitation allows an attacker to steal user preferences,
including the victim's real name, e-mail address, e-mail server, URL
history and, in some cases, e-mail password.
IV. DETECTION
Netscape Communicator 4.x is vulnerable. Communicator 6 and later is
not vulnerable, being it stores the prefs.js file in a randomized
location.
V. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1204 to this issue.
VI. DISCLOSURE TIMELINE
08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified (support@netscape.com,
info@netscape.com, pradmin@netscape.com)
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure
VII. CREDIT
Bennett Haselton (bennett@peacefire.org) discovered this
vulnerability.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.
- -dave
David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
iQA/AwUBPdrFIUrdNYRLCswqEQJO8QCeLSkaHcdHYKxSR+4gP4b3gX8KADcAnj7p
M0apHRqvhaWN4jthj57zhgNO
=QPPR
-----END PGP SIGNATURE-----
- Next message: Steve W. Manzuik: "[VulnWatch] Foundstone Advisory"
- Previous message: Marc Maiffret: "[VulnWatch] Update: EEYE: Macromedia ColdFusion/JRun Remote SYSTEM Buffer Overflow Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
