Predictable Directory Structure Allows Theft of Netscape Preferences File
21 Nov. 2002
Summary
Netscape Communications Corp.'s Communicator is a popular package that includes a web browser (Navigator), e-mail client, news client, and address book. A vulnerability in the product allows stealing of the user's preferences.
Credit:
The information has been provided by David Endler of iDEFENSE, the vulnerability was discovered by Bennett Haselton.
Socially engineering users of Netscape Communicator 4.x's web browser and e-mail client into clicking on a malicious link could return the contents of the targeted user's preferences file back to a remote attacker.
The attack involves the redefinition of user_pref(), which is an internal JavaScript function. The redefined function constructs a string of all user preferences stored in the hidden field of a form and later submitted by another JavaScript routine. In order for the redefinition to occur, an attacker must store the exploit script in a Windows (or Samba) share and coerce a victim into following a link to it. A sample link to an attack script would look like file:///attacker.example.com/thief.html. Communicator only allows local files to redefine internal functions.
Analysis:
Remote exploitation allows an attacker to steal user preferences, including the victim's real name, e-mail address, e-mail server, URL history and, in some cases, e-mail password.
Detection:
Netscape Communicator 4.x is vulnerable. Communicator 6 and later is not vulnerable, being it stores the prefs.js file in a randomized location.
Disclosure timeline:
08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified (support@netscape.com, info@netscape.com, pradmin@netscape.com)
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure
