'[VulnWatch] Comcast(tm) Email Manager allows arbitrary java and activex code execution'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       vulnwatch
Subject:    [VulnWatch] Comcast(tm) Email Manager allows arbitrary java and activex code execution
From:       "Michael Scheidell" <scheidell () secnap ! net>
Date:       2004-07-22 15:36:07
Message-ID: B3BCAF4246A8A84983A80DAB50FE724214AFC0 () secnap2 ! secnap ! com
[Download RAW message or body]

Vulnerability in Comcast Webmail Manager allows arbitrary java and activex code \
                execution 
Systems: Comcast Webmail email system. www.comcast.net
Vulnerable: X-Mailer: AT&T Message Center Version 1 (Mar 22 2004)
Not Vulnerable: Unknown
Severity: Serious / Low (Fixed now)
Category: Arbitrary Execution of Code of Hackers Choice 
Classification: Input Validation Error 
BugTraq-ID: TBA 
CVE-Number: TBA
Remote Exploit: yes 
Local Exploit: no 
Vendor URL: www.comcast.net
Author: Michael S. Scheidell, SECNAP Network Security 
Original Release date: April 7, 2004
Notifications: Comcast notified April 7, 2004
Public Release date: July 22, 2004

Discussion: from www.comcast.com
High-Speed Internet. This is the fastest way to travel the Web! It's cable-powered, \
so it's always connected and you won't tie up your phone lines. It's a faster, more \
powerful and more convenient Internet experience.

Note: This is not so much a warning to Comcast or their users, since Comcast has \
fixed this problem, but more of a warning to every developer or CSIO to make sure \
that web based email, blogs, information, memos must check their code to make sure it \
is safe. See additional notifications of similar problems with GoldMine(tm) \
http://www.secnap.com/security/gm001.html, and sprintmail picture mail at \
http://www.secnap.com/security/030711.html

Problem: There was a potential for hackers to use this vulnerability to specially \
craft emails that will run random code of their choice on users' computers - \
including remote Trojans, irc zombies, spyware, malware, and remote key loggers. This \
program would run inside the corporate network, behind the firewall and access \
anything the infected user has access to. 

The Comcast Webmail did not run the html email in the 'security zone' as does \
Microsoft(tm) Outlook, but passed anything that looks like HTML to be executed \
unrestricted directly to the default Browser (usually IE). Linux/or Unix users with \
Netscape may have the javascript, page redirection and popup email run, however, the \
activeX component will not run. 

Comcast users have the option of using Comcast Webmail or Outlook Express.  Because \
of the inability to disable html/java/or active-x in Comcast Webmail, those using \
Webmail had an increased chance of their computers' becoming infected in the event of \
a potential hacker either a) referencing active-x controls or b) including javascript \
within an HTML e-mail message.

The above has been tested on a Windows(tm) 2000 system with service pack 4, all \
Internet Explorer patches and default (factory) Internet zone security settings. Also \
tested were two Windows XP(tm) systems with service pack 1 and all patches as well as \
Netscape 7.1 on Linux.

The security community first became aware of the potential for this kind of threat \
about two years ago.  Software companies that produce Web-based email, blog or input \
system must check for arbitrary java and html code.  Note:  the original Web Mail \
system was written by AT&T and was inherited by Comcast during their purchase of \
AT&T's broadband business.

Exploit: No exploit is necessary, as there are already examples in viruses and \
trojans that were designed to attack Microsoft Outlook and Outlook Express. 

Microsoft fixed these by patching both readers and allowing the user to set the \
security zone for reading HTML email in the 'insecure' settings.

To see an exhaustive list of what can happen when email is passed to IE, see \
<http://www.guninski.com/browsers.html> 

Vendor Response: April 7, 2004. A Comcast representative called our office \
immediately.  Comcast worked quickly on fixing this bug and rolling it out to their \
servers, with a solution in place by April 13, 2004.  Release of this notification \
was held back waiting for Comcast to decide how and when to self-release.

Solution: 
Comcast is now filtering out various forms of scripting.

Credit: 
Michael Scheidell, SECNAP Network Security, www.secnap.com
The original problem with IIE, Microsoft Outlook and Outlook Express was found by \
George Grunski and involved insecure default reading of a malformed HTML in Outlook \
and OE and insecure running of HTML (see <http://www.guninski.com/browsers.html>) And \
thanks to Johannes B. Ullrich, CTO SANS Internet Storm Center for assistance.

Original copy of this report can be found here 
<http://www.secnap.com/security/20040406.html>

Copyright: 
Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights reserved. 

This security report can be copied and redistributed electronically provided it is \
not edited and is quoted in its entirety without written consent of SECNAP Network \
Security Corporation. Additional information or permission may be obtained by \
contacting SECNAP Network Security at 561-999-5000


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic