[VulnWatch] iDEFENSE Security Advisory 11.19.02c: Netscape Predictable Directory Structure Allows Theft of Preferences File

From: David Endler (dendler@idefense.com)
Date: 11/20/02

    From: "David Endler" <dendler@idefense.com>
    To: vulnwatch@vulnwatch.org
    Date: Tue, 19 Nov 2002 18:15:40 -0500

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 11.19.02c:
    http://www.idefense.com/advisory/11.19.02c.txt
    Predictable Directory Structure Allows Theft of Netscape Preferences File
    November 19, 2002

    I. BACKGROUND

    Netscape Communications Corp.'s Communicator is a popular package
    that includes a web browser (Navigator), e-mail client, news client,
    and address book.

    II. DESCRIPTION

    Socially engineering users of Netscape Communicator 4.x's web browser
    and e-mail client into clicking on a malicious link could return the
    contents of the targeted user's preferences file back to a remote
    attacker.

    The attack involves the redefinition of user_pref(), which is an
    internal JavaScript function. The redefined function constructs a
    string of all user preferences stored in the hidden field of a form
    and later submitted by another JavaScript routine. In order for the
    redefinition to occur, an attacker must store the exploit script in a
    Windows (or Samba) share and coerce a victim into following a link to
    it. A sample link to an attack script would look like
    file:///attacker.example.com/thief.html. Communicator only allows
    local files to redefine internal functions.

    III. ANALYSIS

    Remote exploitation allows an attacker to steal user preferences,
    including the victim's real name, e-mail address, e-mail server, URL
    history and, in some cases, e-mail password.
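    The preferences file at issue is itself a sequence of user_pref("key", value); calls, one per line. The following script, added here and not part of the iDEFENSE advisory, lets an administrator see offline which entries of a prefs.js fall into the classes the ANALYSIS section names (real name, e-mail address, mail server, URL history, mail password). It parses the file with a regular expression instead of evaluating it, so no user_pref() redefinition is involved. The preference key names are assumptions about Netscape 4.x naming conventions and the sample file is constructed with placeholder values; point parsePrefs() at a real prefs.js to audit an actual profile.

```javascript
// Added example, not from the advisory: offline audit of a Netscape 4.x
// prefs.js for entries in the classes the advisory says can be stolen.
// Key names are ASSUMED Netscape 4.x conventions; sample file is CONSTRUCTED.

const SAMPLE_PREFS = [
  '// Netscape User Preferences File',
  '// This is a generated file!  Do not edit.',
  '',
  'user_pref("mail.identity.username", "Jane Example");',
  'user_pref("mail.identity.useremail", "jane@example.invalid");',
  'user_pref("network.hosts.pop_server", "pop.example.invalid");',
  'user_pref("mail.pop_password", "placeholder-not-a-real-password");',
  'user_pref("browser.url_history.URL_1", "http://www.example.invalid/");',
  'user_pref("browser.startup.homepage", "http://www.example.invalid/");',
  'user_pref("browser.cache.disk_cache_size", 7680);',
].join('\n');

// One user_pref("key", value); call per line. The key is a quoted string;
// the value may be a quoted string, a number or a boolean.
const PREF_LINE = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$/;

// Categories taken from the advisory's ANALYSIS section. The key patterns
// are assumptions about Netscape 4.x naming, not taken from the advisory.
const SENSITIVE = [
  { category: 'credential',  pattern: /password$/i },
  { category: 'identity',    pattern: /^mail\.identity\./ },
  { category: 'mail_server', pattern: /^network\.hosts\./ },
  { category: 'url_history', pattern: /^browser\.url_history\./ },
];

// Strip surrounding quotes and unescape \" and \\ inside a string value.
function unquote(raw) {
  if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) {
    return raw.slice(1, -1).replace(/\\(["\\])/g, '$1');
  }
  return raw;
}

// Parse prefs.js text into [{ key, value }] without executing it.
function parsePrefs(text) {
  const prefs = [];
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (m) prefs.push({ key: m[1], value: unquote(m[2]) });
  }
  return prefs;
}

// Return the sensitivity category for a key, or null if it is not flagged.
function classify(key) {
  const hit = SENSITIVE.find((s) => s.pattern.test(key));
  return hit ? hit.category : null;
}

// List flagged entries; credential values are redacted in the report so
// the audit output itself does not become a copy of the secret.
function auditPrefs(text) {
  return parsePrefs(text)
    .map(({ key, value }) => ({ key, value, category: classify(key) }))
    .filter((f) => f.category !== null)
    .map((f) => ({
      ...f,
      value: f.category === 'credential' ? '[REDACTED]' : f.value,
    }));
}

// Count flagged entries per category.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.category] = (counts[f.category] || 0) + 1;
  return counts;
}

const findings = auditPrefs(SAMPLE_PREFS);
for (const f of findings) {
  console.log(`${f.category.padEnd(12)} ${f.key} = ${f.value}`);
}
console.log(summarize(findings));
```

    On the constructed sample the audit flags five of the seven entries (two identity, one mail server, one URL history, one credential) and leaves the homepage and cache-size preferences alone; an entry for a stored mail password is the one a practitioner should treat as the immediate risk.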

    IV. DETECTION

    Netscape Communicator 4.x is vulnerable. Communicator 6 and later is
    not vulnerable, because it stores the prefs.js file in a randomized
    location.

    V. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1204 to this issue.

    VI. DISCLOSURE TIMELINE

    08/29/2002 Issue disclosed to iDEFENSE
    10/14/2002 Netscape notified (support@netscape.com,
                    info@netscape.com, pradmin@netscape.com)
    10/14/2002 iDEFENSE clients notified
    10/31/2002 Second attempt at vendor contact
    11/07/2002 Third attempt at vendor contact
    11/19/2002 Public disclosure

    VII. CREDIT

    Bennett Haselton (bennett@peacefire.org) discovered this
    vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendler@idefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPdrFIUrdNYRLCswqEQJO8QCeLSkaHcdHYKxSR+4gP4b3gX8KADcAnj7p
    M0apHRqvhaWN4jthj57zhgNO
    =QPPR
    -----END PGP SIGNATURE-----
