From owner-freebsd-security Tue Apr 10 16:25:02 2001
Date: Tue, 10 Apr 2001 19:24:52 -0400 (EDT)
From: Trevor Johnson
Subject: Netscape 4.76 gif comment flaw (fwd)
Message-ID: <20010410192130.X3987-100000@blues.jpj.net>

I tried this with the 4.75 BSD/OS version, and found it has the bug.
--
Trevor Johnson

---------- Forwarded message ----------
Date: Mon, 9 Apr 2001 13:48:26 +0200
From: Florian Wesch
Reply-To: Florian Wesch
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Netscape 4.76 gif comment flaw
Message-ID: <20010409134826.A2541@dividuum.de>
User-Agent: Mutt/1.2.5i

Product: Netscape Navigator/Communicator
Tested on: 4.76 (on Linux and Win98/NT)
Vendor Contact: Reported 2001-03-22

{ Problem }--------------------------------------------------------

- Overview:

The Netscape browser does not escape the GIF file comment in the image
information page. This allows JavaScript execution in the "about:"
protocol and can, for example, be used to upload the history
(about:global) to a web server.

- Detail:

Netscape does not allow JavaScript to access documents from a different
domain. This stops a JavaScript from one domain from messing around with
login forms/private data from another domain. The following error message
is shown: "access disallowed from scripts at to documents at another
domain."

Now there is the protocol "about:" that is used for some special tasks.

  about:        - shows Netscape version and copyrights
  about:blank   - shows a blank document
  about:config  - shows browser configuration
  about:global  - shows information about the Netscape global history
  about:        - shows information about the specified URL
  ..

There are some other about: documents (try grepping the netscape binary).

about:global is very interesting since all visited documents are listed
there. So I tried to find a way to access this information. I created a
frameset with 2 frames. The first frame (called foo) contains about:global.
Using , or document.location.href="about.global"; to set this URL did not
work. So I used the following trick to make it work:
My intention is that the second frame (called bar) grabs 10 URLs from the
first frame using JavaScript and sends them to the server. Accessing
parent.frames["foo"].document.links does not work, since foo is displaying
an about: document and bar is a normal http document: "access disallowed
from scripts at blah to documents..."

So I tried to find a way to start a JavaScript within an about: document.
about: comes to mind, since there are a lot of server-specified values.
First I tried to inject JavaScript using the URL of the script. But since
this URL is encoded (space => %20 etc.) there is no way in. Modifying the
Content-Type (file MIME type) did not work either, because Netscape opens
a "Save as..." window when an unknown MIME type is supplied.

Then I remembered that Netscape shows the comment included in GIF files. A
quick test showed that the comment is not escaped. So JavaScript in GIF
comments is executed in the about: realm. This means that this script can
then access the content of about:global. Nice.

The following script, included in the comment, reads 10 URLs from the
about:global frame (foo), stores them in the form and finally submits this
form.
The server now has 10 URLs from about:global. Accessing about:config
should be possible too, but I did not try it.

{ Solution }--------------------------------------------------------

Disable JavaScript or upgrade to 4.77

{ Exploit }---------------------------------------------------------

attached or http://dividuum.de/security/netscape/

--------------------------------------------------------------------

Regards,
Florian Wesch
http://dividuum.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
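An added example, not part of the advisory above and not Netscape's code, showing the two pieces the advisory turns on: where a comment lives inside a GIF file, and what the image-information page does with it. The Node.js script below writes a GIF89a file carrying a Comment Extension block, walks the file's block structure to pull the comment back out (as an image-info page would), and then renders it twice: raw, which is the 4.76 behaviour the advisory describes, and HTML-escaped, which is the kind of fix one would expect (the advisory only says to upgrade to 4.77; the escaping here is my assumption, not a description of what 4.77 does). The 1x1 image bytes are constructed sample data and every function name is my own.

```javascript
// Added example, not code from the advisory or from Netscape. Builds a
// GIF89a with a Comment Extension, extracts the comment, and contrasts
// raw interpolation of it into HTML with an escaped rendering.

// Smallest GIF89a I know of: 1x1 logical screen, two-entry global colour
// table, one pixel of LZW data, trailer. Constructed sample bytes.
const GIF_HEADER_AND_LSD = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61, // "GIF89a"
  0x01, 0x00, 0x01, 0x00,             // logical screen width=1, height=1
  0x80, 0x00, 0x00,                   // packed: GCT present, 2 entries; bg index; aspect
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff, // global colour table: black, white
]);
const GIF_IMAGE_AND_TRAILER = Buffer.from([
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor, no LCT
  0x02, 0x02, 0x44, 0x01, 0x00,                               // LZW min code size 2, one sub-block, terminator
  0x3b,                                                       // trailer
]);

// GIF data sub-blocks: a length byte (1..255) followed by that many bytes,
// repeated, ended by a zero-length block.
function toSubBlocks(bytes) {
  const parts = [];
  for (let i = 0; i < bytes.length; i += 255) {
    const chunk = bytes.subarray(i, i + 255);
    parts.push(Buffer.from([chunk.length]), chunk);
  }
  parts.push(Buffer.from([0x00]));
  return Buffer.concat(parts);
}

// Comment Extension = introducer 0x21, label 0xFE, sub-blocks, terminator.
// Placed between the global colour table and the image descriptor.
function buildGifWithComment(comment) {
  const ext = Buffer.concat([
    Buffer.from([0x21, 0xfe]),
    toSubBlocks(Buffer.from(comment, "latin1")),
  ]);
  return Buffer.concat([GIF_HEADER_AND_LSD, ext, GIF_IMAGE_AND_TRAILER]);
}

// Read a sub-block chain starting at offset; returns { data, next }.
function readSubBlocks(buf, offset) {
  const chunks = [];
  let pos = offset;
  for (;;) {
    if (pos >= buf.length) throw new Error("truncated sub-block chain");
    const len = buf[pos++];
    if (len === 0) break;
    if (pos + len > buf.length) throw new Error("truncated sub-block");
    chunks.push(buf.subarray(pos, pos + len));
    pos += len;
  }
  return { data: Buffer.concat(chunks), next: pos };
}

// Walk the block structure and collect the text of every Comment Extension.
function extractGifComments(buf) {
  if (buf.length < 13 || buf.toString("ascii", 0, 6) !== "GIF89a") {
    throw new Error("not a GIF89a file");
  }
  let pos = 6 + 7; // header + logical screen descriptor
  const packed = buf[10];
  if (packed & 0x80) pos += 3 * (1 << ((packed & 0x07) + 1)); // skip global colour table
  const comments = [];
  while (pos < buf.length) {
    const introducer = buf[pos++];
    if (introducer === 0x3b) break;                 // trailer
    if (introducer === 0x21) {                      // extension block
      const label = buf[pos++];
      const { data, next } = readSubBlocks(buf, pos);
      if (label === 0xfe) comments.push(data.toString("latin1"));
      pos = next;
    } else if (introducer === 0x2c) {               // image descriptor
      const imgPacked = buf[pos + 8];
      pos += 9;
      if (imgPacked & 0x80) pos += 3 * (1 << ((imgPacked & 0x07) + 1)); // local colour table
      pos += 1;                                     // LZW minimum code size
      pos = readSubBlocks(buf, pos).next;           // image data
    } else {
      throw new Error(`unknown block 0x${introducer.toString(16)} at offset ${pos - 1}`);
    }
  }
  return comments;
}

// The behaviour the advisory describes: the comment is dropped into the
// info page as markup, so a <script> inside it runs in that page's realm.
function renderCommentRaw(comment) {
  return `<tr><td>Comment:</td><td>${comment}</td></tr>`;
}

// Assumed fix: escape before interpolating, so the comment is shown as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderCommentEscaped(comment) {
  return `<tr><td>Comment:</td><td>${escapeHtml(comment)}</td></tr>`;
}

// Demo: round-trip a script-bearing comment and show both renderings.
const payload = '<script>alert("about: realm")</script>';
const gif = buildGifWithComment(payload);
const [recovered] = extractGifComments(gif);
if (recovered !== payload) throw new Error("comment did not round-trip");
console.log("raw:     ", renderCommentRaw(recovered));
console.log("escaped: ", renderCommentEscaped(recovered));
```

The parser deliberately follows the sub-block chain rather than scanning for `<script>`, because a comment longer than 255 bytes is split across several sub-blocks and a payload can straddle the boundary; an escaping step applied to the reassembled text, as in `renderCommentEscaped`, is what closes the hole, not any check on the comment's length or content. To look at the file in an image tool, write `gif` out with `require("fs").writeFileSync("comment.gif", gif)`.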