iDEFENSE Security Advisory 11.19.02c - Users of Netscape Communicator 4.x's web browser and e-mail client who can be tricked into clicking on a malicious link can return the contents of the targeted user's preferences file often including e-mail password and URL history back to a remote attacker who redefines user_pref(), a javascript function.
5eab9de58ab811abe7daf58eecc2038d3161def28aef9bc2de99db7a39f21201
iDEFENSE Security Advisory 11.19.02c:
http://www.idefense.com/advisory/11.19.02c.txt
Predictable Directory Structure Allows Theft of Netscape Preferences File
November 19, 2002
I. BACKGROUND
Netscape Communications Corp.'s Communicator is a popular web-browsing
package that includes a web browser (Navigator), e-mail client, news client,
and address book.
II. DESCRIPTION
Socially engineering users of Netscape Communicator 4.x's web browser and
e-mail client into clicking on a malicious link could return the contents of the
targeted user's preferences file back to a remote attacker.
The attack involves the redefinition of user_pref(), which is an internal
JavaScript function. The redefined function constructs a string of all user
preferences stored in the hidden field of a form and later submitted by
another JavaScript routine. In order for the redefinition to occur, an attacker
must store the exploit script in a Windows (or Samba) share and coerce a
victim into following a link to it. A sample link to an attack script would look
like file:///attacker.example.com/thief.html. Communicator only allows local
files to redefine internal functions.
III. ANALYSIS
Remote exploitation allows an attacker to steal user preferences, including
the victim's real name, e-mail address, e-mail server, URL history and, in
some cases, e-mail password.
IV. DETECTION
Netscape Communicator 4.x is vulnerable. Communicator 6 and later is not
vulnerable, being it stores the prefs.js file in a randomized location.
V. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1204 to this issue.
VI. DISCLOSURE TIMELINE
08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified (support@netscape.com,
info@netscape.com, pradmin@netscape.com)
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure
VII. CREDIT
Bennett Haselton (bennett@peacefire.org) discovered this vulnerability.