lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 24 Jul 2004 03:05:19 +0200 (MES)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: Michael Scheidell <scheidell@...nap.net>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: Comcast(tm) Email Manager allows arbitrary java and activex code
 execution


Hi Michael,

 do ya mean Java (comes in class/jar files) or Javascript (simple text) ? If
 Java, which I doubt, how does it execute ? Which version (JPI/MSJVM?),
 please provide stackdumps ...

Marc


On Thu, 22 Jul 2004, Michael Scheidell wrote:

> Date: Thu, 22 Jul 2004 11:36:07 -0400
> From: Michael Scheidell <scheidell@...nap.net>
> To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
>      intrusions@...idents.org
> Cc: cert@...t.org, vulnwatch@...nwatch.org, snpmarq@...uritynewsportal.com
> Subject: Comcast(tm) Email Manager allows arbitrary java and activex code
>     execution
>
> Vulnerability in Comcast Webmail Manager allows arbitrary java and activex code execution
> Systems: Comcast Webmail email system. www.comcast.net
> Vulnerable: X-Mailer: AT&T Message Center Version 1 (Mar 22 2004)
> Not Vulnerable: Unknown
> Severity: Serious / Low (Fixed now)
> Category: Arbitrary Execution of Code of Hackers Choice
> Classification: Input Validation Error
> BugTraq-ID: TBA
> CVE-Number: TBA
> Remote Exploit: yes
> Local Exploit: no
> Vendor URL: www.comcast.net
> Author: Michael S. Scheidell, SECNAP Network Security
> Original Release date: April 7, 2004
> Notifications: Comcast notified April 7, 2004
> Public Release date: July 22, 2004
>
> Discussion: from www.comcast.com
> High-Speed Internet. This is the fastest way to travel the Web! It's cable-powered, so it's always connected and you won't tie up your phone lines. It's a faster, more powerful and more convenient Internet experience.
>
> Note: This is not so much a warning to Comcast or their users, since Comcast has fixed this problem, but more of a warning to every developer or CSIO to make sure that web based email, blogs, information, memos must check their code to make sure it is safe. See additional notifications of similar problems with GoldMine(tm) http://www.secnap.com/security/gm001.html, and sprintmail picture mail at http://www.secnap.com/security/030711.html
>
> Problem: There was a potential for hackers to use this vulnerability to specially craft emails that will run random code of their choice on users' computers - including remote Trojans, irc zombies, spyware, malware, and remote key loggers. This program would run inside the corporate network, behind the firewall and access anything the infected user has access to.
>
> The Comcast Webmail did not run the html email in the 'security zone' as does Microsoft(tm) Outlook, but passed anything that looks like HTML to be executed unrestricted directly to the default Browser (usually IE). Linux/or Unix users with Netscape may have the javascript, page redirection and popup email run, however, the activeX component will not run.
>
> Comcast users have the option of using Comcast Webmail or Outlook Express.  Because of the inability to disable html/java/or active-x in Comcast Webmail, those using Webmail had an increased chance of their computers' becoming infected in the event of a potential hacker either a) referencing active-x controls or b) including javascript within an HTML e-mail message.
>
> The above has been tested on a Windows(tm) 2000 system with service pack 4, all Internet Explorer patches and default (factory) Internet zone security settings. Also tested were two Windows XP(tm) systems with service pack 1 and all patches as well as Netscape 7.1 on Linux.
>
> The security community first became aware of the potential for this kind of threat about two years ago.  Software companies that produce Web-based email, blog or input system must check for arbitrary java and html code.  Note:  the original Web Mail system was written by AT&T and was inherited by Comcast during their purchase of AT&T's broadband business.
>
> Exploit: No exploit is necessary, as there are already examples in viruses and trojans that were designed to attack Microsoft Outlook and Outlook Express.
>
> Microsoft fixed these by patching both readers and allowing the user to set the security zone for reading HTML email in the 'insecure' settings.
>
> To see an exhaustive list of what can happen when email is passed to IE, see <http://www.guninski.com/browsers.html>
>
> Vendor Response: April 7, 2004. A Comcast representative called our office immediately.  Comcast worked quickly on fixing this bug and rolling it out to their servers, with a solution in place by April 13, 2004.  Release of this notification was held back waiting for Comcast to decide how and when to self-release.
>
> Solution:
> Comcast is now filtering out various forms of scripting.
>
> Credit:
> Michael Scheidell, SECNAP Network Security, www.secnap.com
> The original problem with IIE, Microsoft Outlook and Outlook Express was found by George Grunski and involved insecure default reading of a malformed HTML in Outlook and OE and insecure running of HTML (see <http://www.guninski.com/browsers.html>) And thanks to Johannes B. Ullrich, CTO SANS Internet Storm Center for assistance.
>
> Original copy of this report can be found here
> <http://www.secnap.com/security/20040406.html>
>
> Copyright:
> Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights reserved.
>
> This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security Corporation. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-999-5000
>

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ