Title: Netscape/K-Meleon "View Image" local resources vulnerability
Criticality: Low (1/3)
Affected software: Netscape Browser version 8.1 and prior, K-Meleon version 0.9.13 and prior
Author: Juha-Matti Laurio juha-matti.laurio [at] netti.fi
Date: 9th May, 2006
Advisory ID: Networksecurity.fi Security Advisory (09-05-2006) (#17)
Location URL: http://www.networksecurity.fi/advisories/netscape-view-image.html
CVE reference: CVE-2006-1942
CVSS Severity: 5.6 (Medium)
- From the vendors:
A) "The revolutionary new Netscape Browser 8.1 provides more security options, streamlines more standard browsing tasks and arms internet users with more timesaving solutions to their browsing needs."
B) "K-Meleon is an extremely fast, customizable, lightweight web browser for the win32 (Windows) platform based on the Gecko layout engine (the rendering engine of Mozilla)."
- Description:
The newest versions of the Netscape and K-Meleon browsers are confirmed to be affected by a local resource access vulnerability in the "View Image" function.
This can be exploited to launch files from the local file system via a broken image file.
- Detailed description:
Test results:
When the View Image function was selected at the test URL http://www.gavinsharp.com/tmp/ImageVuln.html, listed in Bugzilla report https://bugzilla.mozilla.org/show_bug.cgi?id=334341, the browsers launched Windows Media Player, which opened a .wav file (C:\WINDOWS\Media\ringin.wav).
The behavior was similar to that observed with Mozilla Firefox version 1.5.0.3.
(The location of the test URL was changed later, on 7th May, to http://www.gavinsharp.com/tmp/ImageVuln2.html .)
This happened because an IMG element included a SRC attribute with a non-image file:// URL.
NOTE: A link to working sample code was posted to the BugTraq mailing list on 7th May 2006.
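The root cause described above can be checked for in page content before it reaches a user. The following is an added example, not code from the advisory or from either vendor: it flags IMG elements whose SRC resolves to the file: scheme, including mixed-case, whitespace-padded and character-reference-encoded forms. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser


def is_local_url(value):
    """Return True if an attribute value resolves to the file: scheme."""
    # Browsers drop tab/CR/LF inside URLs and trim surrounding whitespace,
    # so normalise the same way before reading the scheme.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    scheme, sep, _ = cleaned.partition(":")
    return bool(sep) and scheme.lower() == "file"


class LocalImgSrcFinder(HTMLParser):
    """Collect (line, src) for IMG elements whose SRC is a file: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased, and character
        # references in attribute values are already decoded.
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value and is_local_url(value):
                self.findings.append((self.getpos()[0], value))


def find_local_img_sources(html):
    """Return a list of (line_number, src_value) for suspicious IMG tags."""
    finder = LocalImgSrcFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the .wav path is the one named in this advisory.
SAMPLE_PAGE = """<html><body>
<img src="http://example.test/logo.png">
<img src="file:///C:/WINDOWS/Media/ringin.wav">
<IMG SRC=" FILE:///C:/WINDOWS/Media/ringin.wav">
<img src="images/photo.jpg">
<img src="&#102;ile:///C:/WINDOWS/Media/ringin.wav"/>
</body></html>"""

if __name__ == "__main__":
    for line, src in find_local_img_sources(SAMPLE_PAGE):
        print(f"line {line}: IMG SRC points at local file system: {src!r}")
```

A check like this fits in a filtering proxy or a mail/HTML sanitiser; it covers static markup only and does not see SRC values set later by script.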
- Affected versions:
The vulnerability has been confirmed in versions 8.1, 8.0.4 and 7.2 in Netscape and version 0.9.13 in K-Meleon. Other previous versions may also be affected.
Software:
Netscape Browser 8.x
Netscape 7.x
K-Meleon 0.x
- OS:
Microsoft Windows
Tests were done with Microsoft Windows XP Home Edition and Windows 2000 Professional SP4 fully patched.
Older operating systems like Windows NT4.0 and Windows 2000 are not affected by the specific sample case mentioned, due to the default C:\Winnt installation directory. The sample code tries to launch a file from the C:\Windows\Media folder.
Vendor and vendor Home Pages:
A) Netscape Communications Corp.
http://www.netscape.com/
B) K-Meleon Project
http://kmeleon.sourceforge.net/
Product Home Pages:
A) http://browser.netscape.com/ns8/
http://channels.netscape.com/ns/browsers/default.jsp
B) http://kmeleon.sourceforge.net/
The vendors were contacted on 7th May, 2006.
- Solution:
No updated version available from the vendors at the time of reporting.
Workaround:
Do not use the View Image function on untrusted image files.
The following symbols indicate a broken file, which could be a non-image:
Netscape: A square with a red triangle inside
K-Meleon: A puzzle piece
K-Meleon: The piece of puzzle
- CVE information:
The Common Vulnerabilities and Exposures (CVE) project assigned the name CVE-2006-1942 to this issue on 10th May (see References). This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
The CVSS (Common Vulnerability Scoring System) severity level metric of issue CVE-2006-1942:
5.6 (Medium)
Credit information:
This issue was earlier researched in Firefox by Eric Foley.
Juha-Matti Laurio confirmed and reported this vulnerability in Netscape and K-Meleon.
- References:
www.osvdb.org/displayvuln.php?osvdb_id=24713
bugzilla.mozilla.org/show_bug.cgi?id=334341
www.addict3d.org/index.php?page=viewarticle&type=security&ID=6314
networksecurity.typepad.com/networksecurity/2006/05/mys_netscape_kr.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1942
Timeline:
07-May-2006 - Vulnerability researched and confirmed
07-May-2006 - Vendor was contacted
07-May-2006 - Security companies and several CERT units contacted
08-May-2006 - Vendor's reply from K-Meleon, vendor confirms vulnerability
08-May-2006 - Security companies and several CERT units contacted
09-May-2006 - CVE information submission sent to Mitre.org
09-May-2006 - Link to the advisory sent to security companies and several CERT units
10-May-2006 - Mitre.org assigns CVE name
Revision history:
09-05-2006 1.0: Advisory published
09-05-2006 1.1: Updated advisory and added references
10-05-2006 1.2: Updated advisory and added references
14-05-2006 1.3: Added new reference
Local Finnish time is used.
Best regards,
Juha-Matti Laurio
security researcher
Finland
Copyright © Networksecurity.fi and Juha-Matti Laurio 2006