iDEFENSE Security Advisory 11.19.02c: Netscape Predictable Directory Structure A

by Nikola Strahija on November 24th, 2002

Netscape Communications Corp.'s Communicator is a popular package that includes a web browser (Navigator), e-mail client, news client, and address book.


II. DESCRIPTION

Socially engineering users of Netscape Communicator 4.x's web browser
and e-mail client into clicking on a malicious link could return the
contents of the targeted user's preferences file back to a remote
attacker.

The attack involves the redefinition of user_pref(), which is an
internal JavaScript function. The redefined function constructs a
string of all user preferences, which is stored in a hidden form field
and later submitted by another JavaScript routine. In order for the
redefinition to occur, an attacker must store the exploit script in a
Windows (or Samba) share and coerce a victim into following a link to
it. A sample link to an attack script would look like
file:///attacker.example.com/thief.html. Communicator only allows
local files to redefine internal functions.
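
A defensive check for the two indicators in the description above, as an added example that is not part of the iDEFENSE advisory: it flags links that use a file: URL pointing at a remote host, and script that defines its own user_pref. The function names, the dotted-host heuristic and the sample strings are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A script that declares or assigns its own user_pref (calls to it do not match).
REDEFINES_USER_PREF = re.compile(
    r"\bfunction\s+user_pref\s*\(|\buser_pref\s*=\s*(?:function\b|new\s+Function\b)")

def remote_file_host(url):
    """Return the remote host a file: URL points at, or None for other URLs."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "file":
        return None
    if parts.netloc and parts.netloc.lower() != "localhost":
        return parts.netloc                      # file://host/share/page.html
    first, _, rest = parts.path.lstrip("/").partition("/")
    if parts.path.startswith("//"):              # file://///host/share/page.html
        return first or None
    if rest and "." in first:                    # file:///host.example/page.html (heuristic)
        return first
    return None                                  # e.g. file:///C:/docs/page.html

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts, self.script, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        for name, value in attrs:
            host = remote_file_host(value) if name in ("href", "src", "action") and value else None
            if host:
                self.hosts.append(host)
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.script.append(data)

def scan_html(html):
    """Report both indicators for one HTML document (mail body or hosted page)."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return {"remote_file_links": scanner.hosts,
            "redefines_user_pref": bool(REDEFINES_USER_PREF.search("".join(scanner.script)))}

# Constructed samples: a lure message, and a hosted page with the function body omitted.
SAMPLE_MAIL = '<p>See <a href="file:///attacker.example.com/thief.html">this page</a></p>'
SAMPLE_PAGE = "<script>function user_pref(name, value) { /* body omitted */ }</script>"
```

A legitimate prefs.js only calls user_pref(), so the pattern matches definitions and assignments and leaves ordinary preference files unflagged.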

III. ANALYSIS

Remote exploitation allows an attacker to steal user preferences,
including the victim's real name, e-mail address, e-mail server, URL
history and, in some cases, e-mail password.

IV. DETECTION

Netscape Communicator 4.x is vulnerable. Communicator 6 and later are
not vulnerable because they store the prefs.js file in a randomized
location.

V. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1204 to this issue.

VI. DISCLOSURE TIMELINE

08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified ([email protected],
[email protected], [email protected])
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure

VII. CREDIT

Bennett Haselton ([email protected]) discovered this
vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to [email protected], subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world, from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


-dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

[email protected]
www.idefense.com

