RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

[Thor Larholm <Thor () jubii dk>]

Disturbing.

Netscape sure must be in financial problems since they are selling out on
their users security for a lousy $1000.

I know for one that I personally will release any future Netscape advisories
with full public disclosure and without prior Netscape notification. As a
matter of fact, why not start now ?

The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
A typical IRC URL could look like this:

IRC://IRC.YOUR.TLD/#YOURCHANNEL

The #YOURCHANNEL part is copied to a buffer that has a limit of 32K. 
If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
error: 

The exception unknown software exception (0xc00000fd) occured in the
application at location 0x60e42edf 

Mozilla 0.9.9 gives a similar exception: 

The exception unknown software exception (0xc00000fd) occured in the
application at location 0x60dd2c79.

Other versions of Mozilla/NS6/Galeon likely share the same flaw.
I haven't tested further on how practically exploitable this is.
Short example online at

http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html

Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
vulnerability.

When embedding a stylesheet with the <LINK> element, access to CSS files
from other protocols is prohibited by the security manager. A simple HTTP
redirect circumvents this security restriction and it becomes possible to
use local or remote files of any type, with the side effect that you can
detect if specific local files exist.

http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp


Regards
Thor Larholm
Jubii A/S - Internet Programmer



-----Original Message-----
From: GreyMagic Software [mailto:security () greymagic com]
Sent: 30. april 2002 03:11
To: NTBugtraq; Bugtraq
Subject: Reading local files in Netscape 6 and Mozilla (GM#001-NS)


GreyMagic Security Advisory GM#001-NS
=====================================

By GreyMagic Software, Israel.
30 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm001-ns/.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:
======================

* All tested versions of Mozilla (0.9.7+) on Windows, other
versions/platforms are believed to be vulnerable.

* All tested versions of Netscape (6.1+) on Windows, other
versions/platforms are believed to be vulnerable.


Important notes:
================

Netscape was contacted on 24 Apr 2002 through a form on their web site and
through email to security () netscape com and secure () netscape com.

They did not bother to respond AT ALL, and we think we know why.

A while ago Netscape started a "Bug Bounty" program, which entitles
researchers who find a bug that allows an attacker to run unsafe code or
access files to a $1000 reward.

By completely disregarding our post Netscape has earned themselves a $1000
and lost any credibility they might have had. The money is irrelevant, but
using such a con to attract researchers into disclosing bugs to Netscape is
extremely unprofessional.

Netscape's faulty conducts made us rethink our disclosure guidelines and we
came to the following decisions:

* Release all future Netscape advisories without notifying Netscape at all.

* Advise the security community to do the same. Netscape is deceiving
researchers and should not be rewarded.

* Advise customers to stop using Netscape Navigator through our security
advisories and business contacts.


[1] http://home.netscape.com/security/bugbounty.html


Introduction:
=============

XMLHTTP is a component that is primarily used for retrieving XML documents
from a web server.

On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local
files", which demonstrated how Microsoft's XMLHTTP component allows reading
of local files by blindly following server-side redirections (patched by
MS02-008).

[1] http://www.xs4all.nl/~jkuperus/bug.htm
[2] http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

Discussion:
===========

Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to
the exact same attack.

By directing the "open" method to a web page that will redirect to a
local/remote file it is possible to fool Mozilla into thinking it's still in
the allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText
property.


Exploit:
========

This example attempts to read "c:/test.txt", "getFile.asp" internally
redirects to "file://c:/test.txt":

var oXML=new XMLHttpRequest();
oXML.open("GET","getFile.asp",false);
oXML.send(null);
alert(oXML.responseText);


Solution:
=========

Users of Netscape Navigator should move to a better performing, less buggy
browser.


Tested on:
==========

Mozilla 0.9.7, NT4.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Win2000.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Win2000.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm001-ns/.


Feedback:
=========

Please mail any questions or comments to security () greymagic com.

- Copyright © 2002 GreyMagic Software.