
List:       full-disclosure
Subject:    [Full-Disclosure] SECNAP Security Advisory: Invalid HTML processing in GoldMine(tm)
From:       <scheidell () secnap ! net>
Date:       2003-05-28 23:46:05

Weakness in GoldMine(tm) Email Manager allows arbitrary code execution
Systems: GoldMine 5.70 and 6.00 prior to version 30503
Vulnerable: 5.70.11111,5.70.20404,6.00.21021,6.00.30203,6.00.30403
Not Vulnerable: 5.70.30503, 6.00.30503
Severity: Serious
Category: Arbitrary Execution of Code of Hacker's Choice
Classification: Input Validation Error
BugTraq-ID: TBA 
CVE-Number: CAN-2003-0241
Remote Exploit: yes
Local Exploit: no
Vendor URL: www.frontrange.com
Author: Michael S. Scheidell, SECNAP Network Security 
Scheduled Release date: May 29th, 2003
Notifications: FrontRange(tm) notified April 27th, 2003, Fix released May 29th, 2003

Discussion: (From FrontRange web site)
Quickly and easily equips professionals, SOHOs (Small Offices/Home Offices), small businesses and teams with automated customer/contact management and workgroup tools.

Problem: By sending a specially crafted, malicious email to a user who opens it with the GoldMine mail agent, a hacker can run arbitrary code of the hacker's choice on the user's computer. This includes remote trojans, IRC zombies, spyware, malware, remote key loggers, or any other program the hacker wants. This program will be running inside the corporate network, behind the firewall, with access to anything the infected user has access to. The GoldMine mail agent does not even run the HTML email in a 'security zone' as Microsoft(tm) Outlook does, but passes anything that looks like HTML, unrestricted, directly to the default browser (usually IE) for execution.

The user does not even have to open the email: the default 'preview' option passes the first few lines of the email to IE, which triggers the exploit. In fact, just highlighting the email in order to delete it could trigger the exploit.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0241 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0241> to this issue. This is a candidate for inclusion in the CVE list (<http://cve.mitre.org>), which standardizes names for security problems.

Exploit: No exploit is necessary, as there are already examples in viruses and trojans that were designed to attack Microsoft Outlook and Outlook Express.

Microsoft fixed these by patching both readers and allowing the user to set the security zone for reading HTML email in the 'insecure' settings.

To see an exhaustive list of what can happen when email is passed to IE, see <http://www.guninski.com/browsers.html>

Vendor Response: FrontRange immediately verified the existence of this vulnerability, created a patch and scheduled its release as soon as QA testing was done. FrontRange is concerned about its users' security and has issued a patch on May 29th for their current 6.0 version, as well as their legacy 5.70 version.

Solution: FrontRange advises its clients that they should upgrade to the latest version of GoldMine Business Contact Manager. Please see the FrontRange support page for more information: <http://support.frontrange.com/>.

SECNAP has tested the FrontRange-provided solution on 5.70.30503; it now runs HTML through the IE Restricted security zone, just like Outlook and Outlook Express. If you still fail the test, check the IE Restricted security zone settings.

Workaround:
If you cannot upgrade, you should immediately disable IE as the email viewer, in "Edit >> Preferences >> Internet >> More Options >> Advanced".

Administrators can change user preferences from "File >> Configure >> User Settings", or by editing the user's .ini file and setting EmailReaderType to 1 in the [Internet] section:

[Internet]
EmailReaderType=1
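As an added example (not code from the advisory, SECNAP or FrontRange), the following Python script audits a GoldMine user .ini for the workaround setting above and applies it while leaving every other line untouched. The sample .ini content is constructed, and treating a missing EmailReaderType key as "IE viewer in use" is our assumption, based on the advisory describing IE as the default reader.

```python
"""Added example (not SECNAP's or FrontRange's code): audit and apply the advisory's
workaround, EmailReaderType=1 in the [Internet] section of a GoldMine user .ini file."""
import re

SECTION, KEY, SAFE_VALUE = "Internet", "EmailReaderType", "1"
_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*(?P<key>[^=;\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def email_reader_type(ini_text):
    """Value of [Internet] EmailReaderType, or None if the key is absent.
    Section and key names compare case-insensitively, as Windows INI readers do."""
    in_section = False
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            in_section = m.group("name").strip().lower() == SECTION.lower()
        elif in_section and (m := _KEY_RE.match(line)) and m.group("key").lower() == KEY.lower():
            return m.group("value")
    return None


def ie_reader_enabled(ini_text):
    """True unless the workaround value is set. A missing key is assumed (our
    assumption, from the advisory calling IE the default) to mean IE is the viewer."""
    return email_reader_type(ini_text) != SAFE_VALUE


def harden(ini_text):
    """Return ini_text with EmailReaderType=1 under [Internet]; only that one line is
    changed or added, every other line is kept verbatim."""
    out, in_section, seen, done = [], False, False, False
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            if in_section and not done:          # key missing: add it at end of section
                out.append(f"{KEY}={SAFE_VALUE}")
                done = True
            in_section = m.group("name").strip().lower() == SECTION.lower()
            seen = seen or in_section
        elif in_section and not done and (k := _KEY_RE.match(line)) \
                and k.group("key").lower() == KEY.lower():
            line, done = f"{k.group('key')}={SAFE_VALUE}", True
        out.append(line)
    if not done:                                  # section was last, or absent entirely
        if not seen:
            out.append(f"[{SECTION}]")
        out.append(f"{KEY}={SAFE_VALUE}")
    return "\n".join(out) + "\n"


# Constructed sample user .ini (not a real GoldMine file); IE viewer still selected.
SAMPLE_INI = "[GoldMine]\nUser=JSMITH\n[Internet]\nEmailReaderType=0\nOther=x\n[Misc]\nTheme=Default\n"
```

Run it over each user's .ini on the GoldMine share to find profiles that still hand HTML mail to IE, then write back the result of harden() for those that do.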

To test whether you are vulnerable, you can send a blank email to gmtest@secnap.net. (Note: this test will be discontinued after July 1st, 2003 and is only available to GoldMine email.)

Michael Scheidell, SECNAP Network Security, www.secnap.net

Credit: 
The original problem with IE, Microsoft Outlook and Outlook Express was found by Georgi Guninski and involved insecure default reading of malformed HTML email in Outlook and OE and insecure running of HTML (see <http://www.guninski.com/browsers.html>). Also, thanks to Jeff Bell, VP Information Technology, Zino Mortgage <http://www.zinomortgage.com> and Angel Alexander Magaña of FrontRange for their assistance in verifying the problem.

Original copy of this report can be found here
<http://www.secnap.net/security/gm001.html>

Copyright:
Above Copyright(c) 2003, SECNAP Network Security, LLC. World rights reserved.

This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security, LLC. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-368-9561.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

