-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.19.02c:
http://www.idefense.com/advisory/11.19.02c.txt
Predictable Directory Structure Allows Theft of Netscape Preferences
File
November 19, 2002

I. BACKGROUND

Netscape Communications Corp.'s Communicator is a popular package
that includes a web browser (Navigator), e-mail client, news client,
and address book.

II. DESCRIPTION

Socially engineering users of Netscape Communicator 4.x's web browser
and e-mail client into clicking on a malicious link could return the
contents of the targeted user's preferences file back to a remote
attacker.

The attack involves the redefinition of user_pref(), which is an
internal JavaScript function. The redefined function constructs a
string of all user preferences stored in the hidden field of a form
and later submitted by another JavaScript routine. In order for the
redefinition to occur, an attacker must store the exploit script in a
Windows (or Samba) share and coerce a victim into following a link to
it. A sample link to an attack script would look like
file:///attacker.example.com/thief.html. Communicator only allows
local files to redefine internal functions.

III. ANALYSIS

Remote exploitation allows an attacker to steal user preferences,
including the victim's real name, e-mail address, e-mail server, URL
history and, in some cases, e-mail password.

IV. DETECTION

Netscape Communicator 4.x is vulnerable. Communicator 6 and later is
not vulnerable, being it stores the prefs.js file in a randomized
location.

V. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1204 to this issue.

VI. DISCLOSURE TIMELINE

08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified (support@netscape.com,
info@netscape.com, pradmin@netscape.com)
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure

VII. CREDIT

Bennett Haselton (bennett@peacefire.org) discovered this
vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?...rch=0x4B0ACC2A

iQA/AwUBPdrFIUrdNYRLCswqEQJO8QCeLSkaHcdHYKxSR+4gP4b3gX 8KADcAnj7p
M0apHRqvhaWN4jthj57zhgNO
=QPPR
-----END PGP SIGNATURE-----