Bugtraq mailing list archives

Misleading sense of security in Netscape


From: ruefenac () DIGSIGTRUST COM (Craig Ruefenacht)
Date: Thu, 13 Jan 2000 12:15:40 -0700


Hi,

Over the last week I've been playing around with the Netscape
Communicator package, version 4.7, on multiple Microsoft Windows
platforms, including Windows95, Windows98, WindowsNT workstation, and
Windows2000 Server Release Candidate #2.  I have discovered a couple of
things with a utility that comes with the Netscape Communicator package
which could lead a user into a false sense of security while reading
email.

I have tested the issues I describe in this email on Windows95,
Windows98, WindowsNT 4.0 workstation, and Windows2000 Server Release
Candidate 2, using Netscape Communicator 4.7, 128-bit encryption (US
strong encryption version), using both already existing and newly
created Windows users on the Windows box.  I have reported the issues
described in this email to Netscape a few days ago but haven't heard
back from them yet.

First, some history...

It is well known throughout the Internet that the two most common
protocols for reading email, POP3 (port 110) and IMAP (port 143), are
sent in the clear over the network.  When users use either of these
protocols to read email, they send their email server username and
password in the clear over the network.  A malicious person with access
to the network where this traffic flows could sniff that network and
obtain the email username and password of unsuspecting users.  Netscape
Messenger is one such email client that lets users use POP3 and IMAP to
read email.

To improve security and prevent email server usernames and passwords
from going over the Internet as clear text, there is built-in support
for using the IMAP protocol over a SSL channel.  When using this setup,
information that travels on the Internet from the user's computer to the
email server is encrypted.  A malicious person would have a hard time
getting the email username and password of users using this setup.  IMAP
over SSL uses port 993, and it requires that, on the server end, you use
a SSL wrapper like stunnel or SSLwrap around the IMAP server to handle
the SSL connection on the server's end.  Netscape Messenger, Microsoft
Outlook and Outlook Express (and probably others) support the IMAP over
SSL setup.

Now the things I've discovered...

Netscape Communicator comes with a utility called "Netscape Mail
Notification".  The binary is named nsnotify.exe.  This utility program,
when run, places a small icon in the shape of an envelope on the taskbar
of Windows95/98/NT/2000.  This utility will go out at specified time
intervals to the email server, log into the email server, and check to
see if any new email has arrived for the user.  If new email is
detected, a small red flag is animated on top of the envelope icon to
visually let the user know that new email is waiting to be read.  You
cannot use this utility to read email - it is designed to simply let
users know when new email arrives.  Many users place this utility in
their Startup group so that it starts up every time they log into
Windows.  You should note that it isn't placed there automatically.
During a normal install of Netscape Communicator, this utility program
is placed in Start->Programs->Wherever_Netscape_Is->Utilities.

This utility program (Netscape Mail Notification) has its own options
that you can set by right-mouse clicking on the envelope icon once the
program is running, but, settings such as the email server name, email
server type, and email server username, it gets from the preferences
found in the Netscape Communicator preferences settings.  This is where
I discovered some interesting things.

----------------------------------------------
1. In Netscape Messenger, in
Edit->Preferences->Mail_and_Newsgroups->Mail_Servers, regardless of
whether the user has told Messenger to remember or not remember their
email server password, the Netscape Mail Notification program will
always remember the email server password for the user.  The first time
a user runs Netscape Mail Notification it will ask for their email
server password (it gets the email server hostname, email server type
(POP3 or IMAP), and email server username from Messenger preferences).
It then remembers that password and never asks the user for it again,
even if the user logs out and logs back into Windows, regardless of
whether the user wants it to remember it or not.

For users who are concerned about security and would prefer that their
email client not remember their email server password (ie they have to
type it in every time they start their email client), if they use
Netscape Mail Notification, it could lead to a false sense of security
because Netscape Mail Notification remembers the user's email server's
password regardless.

----------------------------------------------
2. The other item I discovered in Netscape Mail Notification, and which
I feel is a greater problem than #1 above, is that regardless of whether
the user has told Netscape Messenger to use a SSL connection when
retrieving email using IMAP (on port 993), Netscape Mail Notification
will always use IMAP without SSL.  Here again Netscape Mail Notification
gets the email server hostname, email server type (POP3 or IMAP), and
email server username from Netscape Messenger preferences, but, if the
user is using IMAP, Netscape Mail Notification fails to use IMAP over
SSL when the user has told Netscape Messenger to require a SSL
connection.

For users who use IMAP over SSL because they don't want their email
server username and password to go over the Internet as clear text, if
that user uses the Netscape Mail Notification utility to watch for new
messages, using IMAP over SSL will achieve nothing, because Netscape
Mail Notification will never use a SSL connection, and the user's email
server username and password will still be sent in clear text to the
email server every time Netscape Mail Notification goes out to check for
new email.


--
-------------------------------------------------------------
Craig Ruefenacht                             Systems Engineer
ruefenac () digsigtrust com              Digital Signature Trust
(801) 983-4401                    http://www.digsigtrust.com/
-------------------------------------------------------------
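
One way to detect the condition described in item 2, added here as an example that is not part of the original post: it flags any client that reaches the same mail server on both port 993 and a cleartext mail port. The flow-record format, the addresses and the netscape.exe process name are constructed for illustration.

```python
from collections import defaultdict

# Ports named in the post: POP3 (110) and IMAP (143) are cleartext; IMAP over SSL is 993.
CLEARTEXT_PORTS = {110: "POP3", 143: "IMAP"}
SSL_PORTS = {993: "IMAP over SSL"}

# Constructed flow records: timestamp, client, server, destination port, process.
SAMPLE_FLOWS = """\
2000-01-13T09:00:02 10.0.0.21 192.0.2.10 993 netscape.exe
2000-01-13T09:05:00 10.0.0.21 192.0.2.10 143 nsnotify.exe
2000-01-13T09:10:00 10.0.0.21 192.0.2.10 143 nsnotify.exe
2000-01-13T09:01:10 10.0.0.22 192.0.2.10 993 netscape.exe
2000-01-13T09:02:30 10.0.0.23 192.0.2.10 110 netscape.exe
malformed line
"""


def parse_flows(text):
    """Yield (client, server, port, process) for each well-formed record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip blank or malformed lines
        _ts, client, server, port, process = parts
        yield client, server, int(port), process


def find_ssl_bypass(text):
    """Flag client/server pairs seen on an SSL mail port and a cleartext one."""
    seen = defaultdict(lambda: defaultdict(set))  # (client, server) -> port -> processes
    for client, server, port, process in parse_flows(text):
        if port in CLEARTEXT_PORTS or port in SSL_PORTS:
            seen[(client, server)][port].add(process)
    findings = []
    for (client, server), ports in sorted(seen.items()):
        if not any(p in SSL_PORTS for p in ports):
            continue  # never used SSL to this server: cleartext by configuration
        for port in sorted(p for p in ports if p in CLEARTEXT_PORTS):
            findings.append({"client": client, "server": server, "port": port,
                             "protocol": CLEARTEXT_PORTS[port],
                             "processes": sorted(ports[port])})
    return findings


if __name__ == "__main__":
    for f in find_ssl_bypass(SAMPLE_FLOWS):
        print("{client} -> {server}:{port} cleartext {protocol} by {processes}".format(**f))
```

Port 143 sessions can be upgraded with STARTTLS, so confirm a hit against packet contents before treating it as a cleartext login.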


