Networksecurity.fi Security Advisory (14-07-2005)


Title: Netscape Browser, Netscape 7 and K-Meleon Multiple Arbitrary Script Code Execution Vulnerabilities
Criticality: Issues #1, #2 and #4: High, Issue #3: Medium. Issue #5 is Medium/High depending on the operating system.
Affected software: Netscape Browser 8, Netscape 7 and K-Meleon 0.9 web browsers
Not affected: Netscape Browser 8.0.3.3
Platforms tested: Microsoft Windows XP Home Edition SP2 SF, Windows XP Professional SP1 US
Author: Juha-Matti Laurio   info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 14th July, 2005
Advisory ID: N/A (#8)
Location URL: http://www.networksecurity.fi/advisories/netscape-multiple-issues.html (HTML)
CVE references:
Issue #1: CAN-2005-2262
Issue #2: CAN-2005-2269
Issue #3: CAN-2005-2261
Issue #4: CAN-2005-2260
Issue #5: CAN-2005-2265

Overview:
Five new remote vulnerabilities have been reported in Netscape Browser. They can be exploited by malicious people to execute malicious code or script code on an affected system and to perform dangerous actions affecting the browser's UI. Vulnerability #3 affects the K-Meleon browser too.

Details:
These are code execution, script code execution and erroneous event handling type vulnerabilities.

Tested software versions:
Netscape Browser 8.0.2, Netscape 7.2 and K-Meleon 0.9
The vulnerabilities have been confirmed in version 8.0.2 and partly in version 7.2 of Netscape (NS), and in version 0.9 of K-Meleon (K-M). Other versions may also be affected.

Exact user-agent strings in use:
A) Netscape Browser:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050603 Netscape/8.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
B) K-Meleon:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041220 K-Meleon/0.9


Vulnerability #1 "Set as Background" Feature Code Execution Vulnerability:

- Description:
The newest Netscape Browser version 8.0.2 is confirmed as affected by the new remote code execution vulnerability, known from Firefox 1.0.3 and 1.0.4, via the "Set As Background..." feature. Tests were done with the PoC test page www.mikx.de/firewalling/, i.e. the so-called Firewalling issue, containing a special sample image.
This vulnerability can be exploited by malicious people to execute arbitrary code on an affected system, if an attacker can persuade the victim to visit a Web page containing a specially crafted picture and to use the Set As Background right-click function.
This security issue is handled in Mozilla Foundation Security Advisory (MFSA) 2005-47. Test results were similar to those obtained with the (affected) Firefox 1.0.4 version.

Test results:
I) Windows XP Home Edition SP2, laptop computer

Netscape Browser 8.0.2 is affected. (NS7.2 is immune.)
The file booom.bat was generated in the C: drive's root directory, containing for example Dir and Pause commands. This batch file was executed automatically, and the content of one My Documents folder subdirectory was shown with the Command Prompt's DIR command. When the test was repeated, files booom-1.bat, booom-2.bat etc. were generated. Finally a Set Wallpaper dialog box appeared on the screen.

NOTE: Firefox 1.x "Set As Wallpaper..." context menu is implemented as "Set As Background..." in Netscape Browser 8.0.2.


II) Windows XP Professional SP1, desktop computer

Results were similar, but the content of the Netscape installation directory, e.g. C:\Program Files\Netscape\Netscape Browser, was listed by CMD.EXE executing the DIR command automatically.

See MFSA 2005-47 too.

- Solution status:
Update: A fixed version was released on 8th August, 2005.
Issue #1 (MFSA 2005-47) was fixed earlier, in Netscape 8.0.3.1.
(Version 8.0.3.1 was available from the SillyDog701 Netscape Browser Archive.)

- Solution:
Update to Netscape Browser version 8.0.3.3: browser.netscape.com/ns8/download/default.jsp

- Workarounds:
Do not use the 'Set As Background...' functionality to save Windows Desktop wallpaper images from untrusted sources. Save the background images you need via the 'Save Image As...' feature.
After this it is possible to use the normal Control Panel feature to select and use the saved wallpaper image.

These workarounds are provided and tested by me.


Vulnerability #2 < IMG > Element Security Check Bypass Vulnerability:*)

- Description:
The newest Netscape Browser version 8.0.2 is confirmed as affected by a new remote < IMG >*) element security check bypass vulnerability.
Tests were done with the test case URL located in Bugzilla report #298892, containing a special sample image. This can be used for XHTML node spoofing.
NOTE: *) The samples '< IMG >' in the text include two extra spaces around the IMG tag to prevent generating an IMG tag in the report's HTML code.
This vulnerability can be exploited by malicious people to execute user-supplied script with elevated "chrome" privilege on an affected system, if an attacker can persuade the victim to visit a Web page containing a specially crafted picture and to use the Set As Background... right-click context function.

This security issue is handled in Mozilla Foundation Security Advisory 2005-55. Test results were similar to those obtained with the (affected) Firefox 1.0.4 version. This vulnerability reportedly affects Mozilla Firefox versions prior to 1.0.5.

Test results:
Netscape Browser 8.0.2 is affected. (NS7.2 is immune.)

Test case #1:
bugzilla.mozilla.org/attachment.cgi?id=187392
located at https://bugzilla.mozilla.org/show_bug.cgi?id=298892#c2
This is the so-called "Arbitrary code execution via setWallpaper()" test.

Procedure:
1. Right click on the image.
2. Choose "Set As Wallpaper..." from the context menu.

A dialog that shows Components.stack will appear.

Result:
The following JavaScript dialog box appeared on the screen:

"Alert
Exploit!
JS frame ::javascript:eval('alert("Exploit!\\n\\n" Components.stack);') :: < TOP_LEVEL> :: line 1

[OK]"

Finally a Set Wallpaper dialog box appeared on the screen. It was closed with the 'X' button without saving the background image. The Set Wallpaper window was in English on a Finnish-language Windows XP. This result differs from Firefox's results, where the Set Wallpaper window was in Finnish. The Mozilla Firefox 1.0.4 used was the Finnish-language fi-FI version.

According to the reporter, a dialog that shows 'Components.stack' will appear in an affected browser version.

See MFSA 2005-55 too.

- Solution:
Do not visit untrusted Web pages.

- Workaround:
Do not use the Save Background as... feature when visiting untrusted Web sites.

This workaround is provided and tested by me.


Vulnerability #3 XBL Scripts JavaScript State Bypass Vulnerability:

- Description:
The newest Netscape Browser version 8.0.2, Netscape 7.2 and K-Meleon version 0.9 are confirmed as affected by a new remote vulnerability, where scripts used in XBL controls from web content are run even when JavaScript support is disabled.
Tests were done with the test case URL located in Bugzilla report #292591, containing a test case for QA purposes. This can be used to run malicious XBL script when the user has disabled JavaScript support from the browser's Options menu to avoid JS-type attacks.

This vulnerability can be exploited by malicious people to execute malicious XBL scripts if an attacker can persuade the victim to visit a Web page containing malicious XBL script code.

Test results:
Netscape Browser 8.0.2 is affected.
Later, K-Meleon browser 0.9 and Netscape 7.2 were confirmed as affected.

Test case:
bugzilla.mozilla.org/attachment.cgi?id=185575

located at https://bugzilla.mozilla.org/show_bug.cgi?id=292591#c23

Technical description:
Procedure:
1. Disable JavaScript.
2. Mouse-down on the box below.
3. JS alert would appear, if affected.

- Result:
A JavaScript dialog box titled [JavaScript Application] with the text "This is JS alert" appeared on the screen when a "mouse-down" action was done on a test line containing the text 'Mouse-down on me'. This text was automatically selected when the mouse pointer was moved over it. No double-click operation etc. was needed.

According to the reporter moz_bug_r_a4 [at] yahoo.com, a dialog that shows 'JS Alert' will appear in an affected browser version.
Finally the dialog box was closed by selecting "OK" or with the 'X' button.

It is possible to check manually that JavaScript support is disabled, e.g. with the JavaScript test page used by me:
gemal.dk/browserspy/js.html

Results:
"Generic JavaScript support: [result]
JavaScript build: [build level]
JavaScript version 1.1 .. 2.0: [result]
External JavaScript support: [result]"

When testing Netscape Browser 8, JavaScript support was disabled from the Tools / Options... / Site Controls / Web Features menu. The Enable JavaScript selection was unchecked and the change was saved with the OK button. No browser restart was needed. JavaScript menu in Netscape 7: Edit / Preferences... / Advanced / Scripts & Plugins: remove the selection from 'Navigator'.

From Bugzilla Bug report #292591:
"Disabling JavaScript doesn't stop the XBL version of bug NN and NN."

See MFSA 2005-46 too.

According to XULPlanet.com's XUL Tutorial:
"XUL has a sister language, XBL (eXtensible Bindings Language). This language is used for declaring the behavior of XUL widgets.
....
For example, you might want to change how the pieces of a scroll bar function. For this, you need XBL."

When K-Meleon was tested, the results were similar.
JavaScript support was disabled from Edit / Preferences / General / Enhancements: Enable JavaScript, or via the Tools / Privacy / 'Block' function.

According to the vendor response, the following GRE packages are immune:
"1.7.9 beta
1.7.9-modified
1.7.9-modified2
1.7.9-modified3
1.8b2-modified6
Older versions seem to be affected."

The vendor has informed that a K-Meleon 0.9_1.79 beta 4 GRE update is available from an unofficial download location.
UPDATE: Later, one localized German version, 'K-Meleon (gekko-eye) 0.9.713 deutsch', based on Mozilla 1.7.10, was reported as immune.
It is worth mentioning that K-Meleon is based on the Mozilla Suite, not Mozilla Firefox.

Solution:
Do not visit untrusted Web pages, to avoid malicious XBL scripts running.

Workarounds:
No working workarounds.


Vulnerability #4 Content-generated Events Affecting Browser UI Vulnerability:

- Description:
The newest Netscape Browser version 8.0.2 and version 7.2 are confirmed as affected by a new remote vulnerability, where content-generated untrusted events affect the browser's UI (User Interface).
Tests were done with https://bugzilla.mozilla.org/show_bug.cgi?id=294323, containing the following test case URL:
www.krickelkrackel.de/testing/fullscreen.htm
This demonstrates the following effect mentioned in Mozilla Foundation Security Advisory 2005-45: "The problems ranged from minor annoyances like switching tabs or entering full-screen mode."

- Test results:
The browser's Status Bar, Tab Bar, Bookmark Toolbar and dropdown menus disappeared after clicking the krickelkrackel.de test link. A new browser window (Ctrl+N) had to be opened to use dropdown menus etc.
If My Sidebar was enabled, there were no changes in My Sidebar or its visibility.

Sample screenshot images (PNG) are located at www.networksecurity.fi/samples/ns802_broken_UI.PNG and www.networksecurity.fi/samples/ns802_broken_UI_2.PNG. A screenshot from version 7.2 is at www.networksecurity.fi/samples/ns72_broken_UI.PNG.

According to Bugzilla report #294323:
"Go to http://www.krickelkrackel.de/testing/fullscreen.htm
and see some toolbars and the statusbar go away"
From Bugzilla entry #289940:
"Right now our chrome code generally expects its event handlers to be called only from the code that normally fires the events in question, but lots of event handlers listen for events that can be synthesized by untrusted content, and we're thus vulnerable to security problems, or at least unexpected code execution."
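As an added example (not Netscape's, K-Meleon's or Mozilla's own code) of the defensive pattern the Bugzilla comment above implies, the following JavaScript wraps a privileged UI handler so that it acts only on events the browser itself generated and logs the synthesized ones it dropped. The `isTrusted` flag is the standard DOM Event property; the UI model, the handler and the event objects are constructed stand-ins for this illustration.

```javascript
// Added example: guarding privileged (chrome-side) UI handlers against
// events synthesized by untrusted page content. The browser UI model and
// the event objects below are constructed for this illustration only.

const ignoredEvents = [];   // defender-side record of dropped synthetic events

// Wrap a privileged handler so it runs only for user-generated events.
// Returns false (and records the event) when content synthesized it.
function trustedOnly(name, handler) {
  return function (event) {
    if (!event || event.isTrusted !== true) {
      ignoredEvents.push({ handler: name, type: event ? event.type : null });
      return false;            // synthesized by content: no UI change
    }
    return handler(event);
  };
}

// Toy model of UI state that page content must not be able to change
// (the advisory describes toolbars and the status bar disappearing).
const ui = { fullscreen: false, statusBarVisible: true };

// Privileged handler: toggle full-screen mode on a real key press only.
const toggleFullscreen = trustedOnly("toggleFullscreen", function (event) {
  if (event.type !== "keypress") return false;
  ui.fullscreen = !ui.fullscreen;
  ui.statusBarVisible = !ui.fullscreen;
  return true;
});

// Constructed sample events: one from the user, one dispatched by page script.
const realKeyPress = { type: "keypress", isTrusted: true };
const fakeKeyPress = { type: "keypress", isTrusted: false };

// Run both events through the guarded handler and report what changed.
function demo() {
  const fakeResult = toggleFullscreen(fakeKeyPress);   // dropped, UI unchanged
  const realResult = toggleFullscreen(realKeyPress);   // accepted, UI toggled
  return { fakeResult, realResult, ui: { ...ui }, ignored: ignoredEvents.length };
}
```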

Solution:
Do not visit untrusted Web pages and do not click untrusted/suspicious hyperlinks, to avoid the effects mentioned.

Workarounds:
No working workarounds.

See MFSA 2005-45 too.


Vulnerability #5 JavaScript InstallVersion.compareTo() Function Vulnerability:

- Description:
The newest Netscape Browser version 8.0.2 and version 7.2 are confirmed as affected by a new remote vulnerability, which can cause malicious code execution and denial of service conditions.
Tests were done with the following PoC URL:

=======
WARNING: Click at your own risk, in a lab environment.
According to original reporter "this is possibly remotely exploitable if the address of the heap memory is predictable (depends on OS/libc/etc...)".
=======

https://bugzilla.mozilla.org/attachment.cgi?id=184834

This PoC was made by the original reporter shutdown [at] flashmail.com. The Proof of Concept test page is titled "mozilla InstallVersion#compareTo exploit PoC". When tested, the 'invoke an exploit' link was clicked. The browser Status Bar shows the following text when the link is selected: javascript:exploitCode();

- Test results:
The Netscape browser crashed.

"netscape.exe
netscape.exe has encountered a problem and needs to close. We are sorry for the inconvenience. For more information about this error, [click here]."
The normal Error Reporting, Don't Send etc. buttons were available. The 'Don't Send' button was selected.
Finally the Netscape Browser process was not running when checked with Task Manager.

This can possibly be exploited by malicious people to run arbitrary code or cause denial of service conditions in certain cases.
Tests were done with Microsoft Windows XP Home SP2.

The problem is an input validation-type error in object handling.

See MFSA 2005-50 too.

- Solution:
Do not visit untrusted Web pages.



Vendor:
A) Netscape Communications Corp.
B) K-Meleon Project

Vendor homepage:
A) browser.netscape.com/ns8/
B) kmeleon.sourceforge.net/

Vendor A) was contacted on 13th, 14th, 15th and 16th July via the Security Center's Netscape Browser Bug Submission Form; the submissions were titled 'SECURITY ISSUE'.
Vendor B) (the K-Meleon developer team) was contacted on 15th July.

References:
US-CERT Cyber Security Bulletin SB05-201 High Risk warning:
www.us-cert.gov/cas/bulletins/SB05-201.html#netscape

secunia.com/advisories/16044/
secunia.com/advisories/16185/
www.frsirt.com/english/advisories/2005/1214
www.securityfocus.com/bid/14242
www.secwatch.org/advisories/1011137/
www.secwatch.org/advisories/1011224/
www.securiteam.com/securitynews/5XP0K20GBQ.html
www.osvdb.org/displayvuln.php?osvdb_id=17942
www.osvdb.org/displayvuln.php?osvdb_id=17964
www.osvdb.org/displayvuln.php?osvdb_id=17965
www.osvdb.org/displayvuln.php?osvdb_id=17969
Issue #1: www.mozilla.org/security/announce/mfsa2005-47.html
Issue #2: www.mozilla.org/security/announce/mfsa2005-55.html
Issue #3: www.mozilla.org/security/announce/mfsa2005-46.html
Issue #4: www.mozilla.org/security/announce/mfsa2005-45.html
Issue #5: www.mozilla.org/security/announce/mfsa2005-50.html
In Finnish: Viestintäviraston CERT-FI varoitus 51/2005

Additional references:
XULPlanet / XUL Tutorial / Introduction to XBL
www.xulplanet.com/tutorials/xultu/introxbl.html
Devmo / XUL Tutorial / Introduction to XBL
developer-test.mozilla.org/en/docs/XUL_Tutorial:Introduction_to_XBL
The World Wide Web Consortium / Technical Reports and Publications / XBL - XML Binding Language (W3C Note 23 February 2001)
www.w3.org/TR/2001/NOTE-xbl-20010223/
Wikipedia / XML standards / XBL
en.wikipedia.org/wiki/XBL

These issues were originally discovered in Mozilla Firefox by Michael Krax (aka mikx), moz_bug_r_a4, Omar Khan, Jochen, shutdown and Matthew Mastracci.

- CVE information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues: CAN-2005-2262, CAN-2005-2269, CAN-2005-2261, CAN-2005-2260 and CAN-2005-2265. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit:
Netscape and K-Meleon vulnerabilities discovered by Juha-Matti Laurio, Networksecurity.fi.

Timeline:
13-07-2005 Vulnerabilities discovered
13-07-2005 Vendor contacted about vulnerabilities #1 and #2
13-07-2005 Security companies and several CERT units informed
13-07-2005 Additional information about 'Set As Background' implementation sent to security companies and CERT units
14-07-2005 Vendor contacted about vulnerability #3
14-07-2005 Security companies and several CERT units informed about vulnerability #3
14-07-2005 Mozilla Foundation security team contacted
14-07-2005 Detailed research
14-07-2005 Advisory published
14-07-2005 Link to advisory sent to security companies and CERT units
15-07-2005 CERT-FI in Finland published an updated advisory "Viestintäviraston CERT-FI-ryhmän varoitus 51/2005"
15-07-2005 Links to published security advisories and researcher's advisory sent to MITRE Corporation for CVE candidate assign process
15-07-2005 Vendor contacted about vulnerability #4
15-07-2005 Security companies and several CERT units informed about vulnerability #4
15-07-2005 Additional tests done with another workstation (Windows XP Professional)
15-07-2005 Vulnerability #5 researched
15-07-2005 Vulnerability #3 confirmed in K-Meleon
15-07-2005 Vendor contacted about vulnerability #3 in K-Meleon
16-07-2005 Vendor's (K-Meleon) reply. They are working on updated GRE package.
16-07-2005 Vendor contacted about vulnerability #5
16-07-2005 Security companies and CERT units informed about vulnerability #5
16-07-2005 Vulnerability #6 researched
16-07-2005 Security companies and CERT units informed about vulnerability #6
17-07-2005 Security companies informed about vulnerability #3 in K-Meleon
19-07-2005 Several issues confirmed in Netscape 7.2. Security companies and CERT units informed about vulnerabilities #3, #4 and #5 in Netscape 7 and about Netscape not being affected by vulnerability #6.
20-07-2005 Summary about issues sent to Netscape developer team
20-07-2005 Firefox 1.0.6 released, an updated version Netscape 8.0.3 is possibly coming in the near future
20-07-2005 More security companies and CERT units informed about K-Meleon issue
20-07-2005 US-CERT released High Risk warning at weekly Cyber Security Bulletin SB05-201
21-07-2005 Vendor's (Netscape developers) reply
22-07-2005 Mozilla Suite 1.7.10 released
25-07-2005 Netscape Browser 8.0.3.1 released. Detailed tests started.
26-07-2005 More tests done. Security companies and CERT units informed about vulnerability #1 fixed in Netscape 8.0.3.1.
04-08-2005 Because of some reported download-related issues, the newest version at Netscape's download page is still version 8.0.2. Security companies and some CERT units informed.
08-08-2005 Vendor issues fix. Security companies and CERT units informed about Netscape 8.0.3.3 release.
09-08-2005 CERT-FI updated its advisory "varoitus 51/2005"

Revision history:
14-07-2005 1.0: Advisory published
14-07-2005 1.1: Updated advisory
14-07-2005 1.2: Updated advisory by adding additional references
15-07-2005 1.3: Updated advisory
15-07-2005 1.4: Updated advisory by adding information about additional tests in Windows XP Professional SP1, added upcoming CVE candidates and CVE information section
16-07-2005 1.5: Updated advisory by adding information about K-Meleon and its vulnerability
16-07-2005 1.6: Updated advisory by adding information about vulnerability #5
17-07-2005 1.7: Updated advisory by adding information about vulnerability #6 and added links to screenshots in vulnerability #4
18-07-2005 1.8: Updated advisory and added OSVDB references, updated CVEs
19-07-2005 1.9: Added information about vulnerabilities #3, #4 and #5 in Netscape 7, after additional tests removed issue #6 (MFSA2005-49)
20-07-2005 2.0: Updated advisory and added information about Firefox 1.0.6 release
21-07-2005 2.1: Added Cyber Security Bulletin reference, updated advisory
22-07-2005 2.2: Added information about Mozilla 1.7.10 release
25-07-2005 2.3: Added information about Netscape Browser 8.0.3.1 release
26-07-2005 2.4: Added information about issue #1 (MFSA 2005-47) fixed in Netscape 8.0.3.1 and added references
27-07-2005 2.5: Added new reference
04-08-2005 2.6: Added information about version 8.0.3.1 being replaced with version 8.0.2 at Netscape's download page, and the SillyDog701 Netscape Browser Archive mirror link
08-08-2005 2.7: Netscape 8.0.3.3 released. Updated advisory.
09-08-2005 2.8: Updated advisory and added new reference
12-08-2005 2.9: Updated advisory


Copyright © Networksecurity.fi and Juha-Matti Laurio 2005


Best regards,
Juha-Matti Laurio
IT security researcher
Finland
Read more about 32 other security vulnerabilities discovered by the researcher at www.networksecurity.fi
