8368866 2002-04-30 03:11 +0200  /133 lines/ GreyMagic Software <security@greymagic.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-30  17:20  by Brevbäraren
External recipient: NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22115>
Recipient: NTBugTraq (import) <4619>
    Sent:     2002-04-30 23:45
Marked by 1 person.
Subject: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
From: "GreyMagic Software" <security@greymagic.com>
To: "NTBugtraq" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
 "Bugtraq" <bugtraq@securityfocus.com>
Message-ID: <LPBBLDGNEFOGMGAEHJPBAEEHCNAA.security@greymagic.com>

GreyMagic Security Advisory GM#001-NS
=====================================

By GreyMagic Software, Israel.
30 Apr 2002.

Available in HTML format at
http://security.greymagic.com/adv/gm001-ns/.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:
======================

* All tested versions of Mozilla (0.9.7+) on Windows, other
versions/platforms are believed to be vulnerable.

* All tested versions of Netscape (6.1+) on Windows, other
versions/platforms are believed to be vulnerable.


Important notes:
================

Netscape was contacted on 24 Apr 2002 through a form on their web
site and through email to security@netscape.com and
secure@netscape.com.

They did not bother to respond AT ALL, and we think we know why.

A while ago Netscape started a "Bug Bounty" program, which entitles
researchers who find a bug that allows an attacker to run unsafe code
or access files to a $1000 reward.

By completely disregarding our post Netscape has earned themselves
$1000 and lost any credibility they might have had. The money is
irrelevant, but using such a con to attract researchers into
disclosing bugs to Netscape is extremely unprofessional.

Netscape's faulty conduct made us rethink our disclosure guidelines
and we came to the following decisions:

* Release all future Netscape advisories without notifying Netscape
at all.

* Advise the security community to do the same. Netscape is deceiving
researchers and should not be rewarded.

* Advise customers to stop using Netscape Navigator through our
security advisories and business contacts.


[1] http://home.netscape.com/security/bugbounty.html


Introduction:
=============

XMLHTTP is a component that is primarily used for retrieving XML
documents from a web server.

On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read
local files", which demonstrated how Microsoft's XMLHTTP component
allows reading of local files by blindly following server-side
redirections (patched by MS02-008).

[1] http://www.xs4all.nl/~jkuperus/bug.htm
[2] http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

Discussion:
===========

Mozilla's version of XMLHTTP, the XMLHttpRequest object, is
vulnerable to the exact same attack.

By directing the "open" method to a web page that will redirect to a
local/remote file it is possible to fool Mozilla into thinking it's
still in the allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText
property.


Exploit:
========

This example attempts to read "c:/test.txt", "getFile.asp" internally
redirects to "file://c:/test.txt":

var oXML=new XMLHttpRequest();
oXML.open("GET","getFile.asp",false);
oXML.send(null);
alert(oXML.responseText);


Solution:
=========

Users of Netscape Navigator should move to a better performing, less
buggy browser.


Tested on:
==========

Mozilla 0.9.7, NT4.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Win2000.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Win2000.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is
available at http://security.greymagic.com/adv/gm001-ns/.


Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright © 2002 GreyMagic Software.
(8368866) /GreyMagic Software <security@greymagic.com>/(Reflowed)
Comment in text 8369640 by Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>

8369640 2002-04-30 11:59 -0400  /27 lines/ Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
Sent by: joel@lysator.liu.se
Imported: 2002-04-30  21:37  by Brevbäraren
External recipient: GreyMagic Software <security@greymagic.com>
External copy recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22119>
Comment to text 8368866 by GreyMagic Software <security@greymagic.com>
Subject: Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
From: Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
To: GreyMagic Software <security@greymagic.com>
Cc: Bugtraq <bugtraq@securityfocus.com>
Message-ID: <Pine.A41.4.33.0204301158280.18410-100000@spnode43.nerdc.ufl.edu>

Yes, this does work in other operating systems as well.  Exploit
worked as expected in Redhat 7.2 environment running Mozilla 0.9.9.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Tue, 30 Apr 2002, GreyMagic Software wrote:

> GreyMagic Security Advisory GM#001-NS
> =====================================
>
> By GreyMagic Software, Israel.
> 30 Apr 2002.
>
> Available in HTML format at http://security.greymagic.com/adv/gm001-ns/.
>
> Topic: Reading local files in Netscape 6 and Mozilla.
>
(8369640) /Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>/(Reflowed)


8369651 2002-04-30 17:42 +0200  /191 lines/ Thor Larholm <Thor@jubii.dk>
Sent by: joel@lysator.liu.se
Imported: 2002-04-30  21:43  by Brevbäraren
External recipient: 'GreyMagic Software' <security@greymagic.com>
External recipient: NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22120>
Subject: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
From: Thor Larholm <Thor@jubii.dk>
To: 'GreyMagic Software' <security@greymagic.com>,
 NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
 Bugtraq <bugtraq@securityfocus.com>
Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>

Disturbing.

Netscape sure must be in financial problems since they are selling
out on their users security for a lousy $1000.

I know for one that I personally will release any future Netscape
advisories with full public disclosure and without prior Netscape
notification. As a matter of fact, why not start now ?

The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer
overrun.  A typical IRC URL could look like this:

IRC://IRC.YOUR.TLD/#YOURCHANNEL

The #YOURCHANNEL part is copied to a buffer that has a limit of 32K.
If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the
following error:

The exception unknown software exception (0xc00000fd) occured in the
application at location 0x60e42edf 

Mozilla 0.9.9 gives a similar exception: 

The exception unknown software exception (0xc00000fd) occured in the
application at location 0x60dd2c79.

Other versions of Mozilla/NS6/Galeon likely share the same flaw.
I haven't tested further on how practically exploitable this is.
Short example online at

http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html

Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
vulnerability.

When embedding a stylesheet with the <LINK> element, access to CSS
files from other protocols is prohibited by the security manager. A
simple HTTP redirect circumvents this security restriction and it
becomes possible to use local or remote files of any type, with the
side effect that you can detect if specific local files exist.

http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp


Regards
Thor Larholm
Jubii A/S - Internet Programmer


(8369651) /Thor Larholm <Thor@jubii.dk>/--(Reflowed)
Comment in text 8370583 by Rui Miguel Silva Seabra <rms@1407.org>
Comment in text 8372166 by the Pull <osioniusx@YAHOO.COM>
Comment in text 8372170 by Georgi Guninski <guninski@GUNINSKI.COM>
8370583 2002-04-30 18:43 +0100  /37 lines/ Rui Miguel Silva Seabra <rms@1407.org>
Sent by: joel@lysator.liu.se
Imported: 2002-05-01  02:03  by Brevbäraren
External recipient: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22137>
Comment to text 8369651 by Thor Larholm <Thor@jubii.dk>
Subject: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
From: Rui Miguel Silva Seabra <rms@1407.org>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM,
 Bugtraq <bugtraq@securityfocus.com>
Message-ID: <1020188627.22102.88.camel@roque>

Funny,

so much rant about not receiving any contact from Netscape (AOL
subsidiary) or about not even giving prior notification to the
developers about the bug AND, all in all, no one even posts to a 
bugzilla entry on bugzilla.mozilla.org which is the best place for bug
reports on Mozilla (ie, *not marketdroid webpages*).

This is either ignorance of bugzilla (bad but I can understand that),
or intention to defame the mozilla developers, which is very bad,
since a lot of them dedicate their free time to providing us an
extremely standards compliant, Free Software, cross platform web
browser, and so we actually owe them a favour (so to speak).

If it is ignorance, I will, then, try to educate:
  1. load your favorite browser, and go to http://bugzilla.mozilla.org
  2. submit bug
  3. if very urgent, go to irc.mozilla.org, /join #mozillazine and
SCREAM SECURITY BUG, can anyone urgently look at *URL*FOR*BUG*ID,
please? I can help with details.

In any other case than having first tried to do that, this rant seems
absolutely unnecessary.

Regards

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
(8370583) /Rui Miguel Silva Seabra <rms@1407.org>/(Reflowed)
Attachment (application/pgp-signature) in text 8370584
8370584 2002-04-30 18:43 +0100  /9 lines/ Rui Miguel Silva Seabra <rms@1407.org>
Attachment filename: "signature.asc"
Imported: 2002-05-01  02:03  by Brevbäraren
External recipient: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22138>
Attachment (text/plain) to text 8370583
Subject: Attachment (signature.asc) to: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA8ztfTo+C50no0+t4RAujJAKCWwe8rQ5BAhWU7APBoZWEOFmkqYgCgzJJq
WHkTXaBvbop1wFVb7Ue8yp4=
=+ibL
-----END PGP SIGNATURE-----
(8370584) /Rui Miguel Silva Seabra <rms@1407.org>/--
8372166 2002-04-30 14:41 -0700  /42 lines/ the Pull <osioniusx@YAHOO.COM>
Sent by: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Imported: 2002-05-01  14:23  by Brevbäraren
External recipient: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
External replies to: osioniusx@YAHOO.COM
Recipient: NTBugTraq (import) <4626>
Comment to text 8369651 by Thor Larholm <Thor@jubii.dk>
Subject: Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
--- Thor Larholm <Thor@jubii.dk> wrote:
<snip>

> The IRC:// protocol inhibited by Mozilla/NS6 seems
> to have a buffer overrun.
<snip>

> If the input exceeds this limit, Mozilla 1.0 RC1
> crashes with the following
> error:
>
> The exception unknown software exception
> (0xc00000fd) occured in the
> application at location 0x60e42edf
>

Exception xfd is a stack overflow, not a buffer
overflow and tends not to be exploitable in browsers.


> Mozilla 0.9.9 gives a similar exception:
>
> The exception unknown software exception
> (0xc00000fd) occured in the
> application at location 0x60dd2c79.

Again, a stack overflow, not a buffer overflow.

If you actually see that you have control over
anything in memory, it may be exploitable; otherwise
basically it is just that your stack has become
exhausted, e.g., ESP and EBP hit their noses against
each other.


<snip>

(8372166) /the Pull <osioniusx@YAHOO.COM>/----------
8372170 2002-05-01 11:57 +0300  /25 lines/ Georgi Guninski <guninski@GUNINSKI.COM>
Sent by: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Imported: 2002-05-01  14:23  by Brevbäraren
External recipient: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
External replies to: guninski@guninski.com
Recipient: NTBugTraq (import) <4629>
Comment to text 8369651 by Thor Larholm <Thor@jubii.dk>
Subject: Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
[Almighty moderator, please check the stuff at the end]

Thor Larholm wrote:
> Disturbing.
>
> Netscape sure must be in financial problems since they are selling out on
> their users security for a lousy $1000.
>

I don't agree with your logic. Netscape are giving a free (as in
beer) product which may run on free OSes.  AFAIK Netscape are the
only vendor who gives monetary rewards for disclosing bugs - can you
please point me to another vendor with such a program? I am interested
in making some easy money. :) I can understand GreyMagic may have some
reasons for being angry, but let me share some real world
experience. Some vendors just reply "Thanks for the 0day" and when it
comes to the press they say "He is a bad irresponsible person".

[Moderator: I realize this may be kind of off topic for your mailing
list.  Hope you realize your mailing list is kind of off topic for my
0days.]

Regards,
Georgi Guninski
http://www.guninski.com
(8372170) /Georgi Guninski <guninski@GUNINSKI.COM>/(Reflowed)
8369913 2002-04-30 20:07 +0200  /34 lines/ Thor Larholm <Thor@jubii.dk>
Sent by: joel@lysator.liu.se
Imported: 2002-04-30  23:06  by Brevbäraren
External recipient: 'GreyMagic Software' <security@greymagic.com>
External recipient: NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22127>
Subject: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
From: Thor Larholm <Thor@jubii.dk>
To: 'GreyMagic Software' <security@greymagic.com>,
 NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
 Bugtraq <bugtraq@securityfocus.com>
Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD382@mailsrv1.jubii.dk>

> Demonstration:
> ==============
> 
> A fully dynamic proof-of-concept demonstration
> of this issue is available at
> http://security.greymagic.com/adv/gm001-ns/.

As some of you may have noticed, the above proof-of-concept does not
work in Mozilla 1.0 Release Candidate 1.

Don't get your hopes high about this though, the issue has not been
fixed in moz1rc1 - the XMLHttpRequest was simply broken in this
version of the browser for unknown reasons, a fact not mentioned in
the release notes. When trying to use it, either nothing happens or
the browser crashes. The proof-of-concept works just fine in Mozilla
0.9.9 (and NS6.1+), and would work fine in moz1rc1 if the
XMLHttpRequest object could be used at all.

The Mozilla XML-Extras project also includes a document.load method
that is used to load XML documents. The same issue applies to this
method, and a proof-of-concept demonstration that also works in
moz1rc1 can be found at

http://jscript.dk/2002/4/NS6Tests/documentload.html

Regards
Thor Larholm
Jubii A/S - Internet Programmer
(8369913) /Thor Larholm <Thor@jubii.dk>/--(Reflowed)
8390414 2002-05-04 11:43 +0200  /33 lines/ GreyMagic Software <security@greymagic.com>
Sent by: joel@lysator.liu.se
Imported: 2002-05-04  17:06  by Brevbäraren
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <22174>
Subject: UPDATE (1-May-2002): Reading local files in Netscape 6 and Mozilla (GM#001-NS)
------------------------------------------------------------
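The three loaders discussed in this thread (GreyMagic's XMLHttpRequest case, Thor Larholm's <LINK> stylesheet case and the document.load case above) share one root cause: the security check runs once on the URL handed to the loader, and server-side redirects are then followed without repeating it. The following is an added example, not code from the advisory, from Mozilla or from any of the posters, that models that loader logic in JavaScript and shows the vulnerable and the hardened behaviour side by side. The "server" is a constructed in-memory table, the origin "http://attacker.example" and the file "file:///c:/test.txt" are constructed stand-ins for the advisory's getFile.asp redirecting to c:/test.txt, and the function names are my own. It runs under Node.js (the WHATWG URL class is global there and in browsers).

```javascript
// Added example: redirect-aware origin/scheme checking for subresource loads.
// The vulnerable loaders in the thread checked only the initial URL; the fix
// is to re-run the same check on every redirect hop before fetching it.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns null when `target` may be loaded by a document whose origin is
// `documentOrigin` (e.g. "http://attacker.example"); otherwise a reason string.
function checkHop(documentOrigin, target) {
  let u;
  try {
    u = new URL(target);
  } catch (e) {
    return "unparseable URL";
  }
  // file:, ftp:, chrome: etc. must never be reachable from web content.
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    return "scheme " + u.protocol + " not allowed";
  }
  // Same-origin policy: the XMLHttpRequest of 2002 had no cross-origin mode.
  if (u.origin !== documentOrigin) {
    return "cross-origin " + u.origin;
  }
  return null;
}

// Constructed stand-in for the network (not a real server). "getFile.asp"
// mirrors the advisory's script that answers with a redirect to a local file.
const FAKE_SERVER = {
  "http://attacker.example/getFile.asp": { status: 302, location: "file:///c:/test.txt" },
  "http://attacker.example/hop.asp":     { status: 302, location: "/data.xml" },
  "http://attacker.example/data.xml":    { status: 200, body: "<ok/>" },
  "http://attacker.example/offsite.asp": { status: 302, location: "http://other.example/x.xml" },
  "file:///c:/test.txt":                 { status: 200, body: "SECRET LOCAL CONTENT" },
};

// Shared redirect-following loop. `recheckEveryHop` is the single switch that
// separates the vulnerable loader from the hardened one.
function load(documentOrigin, startUrl, recheckEveryHop, server = FAKE_SERVER, maxHops = 5) {
  let url = new URL(startUrl, documentOrigin + "/").href; // resolve like open() would
  for (let hop = 0; hop <= maxHops; hop++) {
    // Vulnerable behaviour: validate only the first URL (hop 0).
    if (hop === 0 || recheckEveryHop) {
      const reason = checkHop(documentOrigin, url);
      if (reason) return { ok: false, reason: reason, blockedAt: url };
    }
    const r = server[url];
    if (!r) return { ok: false, reason: "not found", blockedAt: url };
    if (r.status === 302) {
      url = new URL(r.location, url).href; // Location may be relative
      continue;
    }
    return { ok: true, body: r.body, finalUrl: url };
  }
  return { ok: false, reason: "too many redirects", blockedAt: url };
}

// The loader as described in the thread: one check, then blind redirects.
function loadVulnerable(documentOrigin, url) {
  return load(documentOrigin, url, false);
}

// The hardened loader: every hop is subject to the same check.
function loadHardened(documentOrigin, url) {
  return load(documentOrigin, url, true);
}

// Stand-alone demo: the same request, both behaviours.
console.log("vulnerable:", loadVulnerable("http://attacker.example", "getFile.asp"));
console.log("hardened:  ", loadHardened("http://attacker.example", "getFile.asp"));
```

The vulnerable path returns the local file's contents because hop 1 is never examined; the hardened path stops at the first hop whose scheme or origin fails the check, and still follows an ordinary same-origin redirect (hop.asp to data.xml). The same per-hop check is what has to sit in front of a stylesheet or XML document fetch, which is why a redirect that merely reveals whether a local file exists is blocked too.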
From: "GreyMagic Software" <security@greymagic.com>
To: "Bugtraq" <bugtraq@securityfocus.com>
Message-ID: <LPBBLDGNEFOGMGAEHJPBKEINCNAA.security@greymagic.com>

Hello,

A bit after we released the advisory we received two emails, which
notified us that through testing in our demonstration, they found out
that this bug can also be used to list files in folders.

That alone, makes this bug far more volatile than the one patched by
MS02-008. It is possible to recursively build a tree of the victim's
file system, along with size, date and the content of files.

This vulnerability opens the entire file system up for reading (as
long as the browser user has access).

We added a "Mozilla Disk Explorer" demonstration to our advisory,
which lets you browse through your local disk, entering folders and
reading files with a simple click. Everything you see in this
demonstration could be easily transferred to an attacking server,
logging your file system structure and contents (without need for
user interaction, of course).

You can view it at
http://sec.greymagic.com/adv/gm001-ns/mozexplorer.html

Thanks to "loon" and Gerd Zemella for letting us know.

On a different note, this issue has been fixed by the Mozilla crew,
thanks for the quick patch.

	- GMS
(8390414) /GreyMagic Software <security@greymagic.com>/(Reflowed)