Bugtraq mailing list archives

RE: CommonName Toolbar potentially exposes LAN web addresses


From: Anders Blockmar <anders.blockmar () exicom se>
Date: Mon, 7 Oct 2002 09:55:53 +0200

I used ad-aware from www.ad-aware.com to remove all my spyware. The
CommonName bar required some creative registry hacking due to file locking.
Use ad-aware to help you locate the regkeys and then edit the registry to
prevent CommonName from loading into IE upon startup. When it isn't loaded it's
easy to remove.

/Anders

-----Original Message-----
From: Eric Stevens [mailto:mightye () mightye org] 
Sent: den 3 oktober 2002 15:10
To: Bugtraq; support () commonname com
Subject: CommonName Toolbar potentially exposes LAN web addresses


Due to a bug in the URL validation done in CommonName Toolbar (in at least
dll version 3.5.2.0 on IE 6), addresses from local intranets may be exposed
to the CommonName organization.  It would appear on early evaluation that
valid URLs such as
http://someserver/some/path
are deemed an attempt to locate an organization named "someserver," with
reference to "some path."

The key seems to be the lack of a dot in the server name.

The danger of this is relatively low, only CommonName is exposed to this
information, and other search engines as configured by the user on the
CommonName website, and even then only after a clickthrough on the
CommonName website.  All are reputable organizations, though it does still
represent a breach in data security.

Though danger is low, annoyance factor is high, users are prevented from
accessing their Intranet unless they use a dot-included version of the
server name.

More annoying to me than the bug, and the fact that users here who had it
installed were prevented from actually being able to access our Intranet
servers, however, is that when I turned off all CommonName options, users
were still being directed to the CommonName website on Intranet requests.
Further, in an attempt to allow these users access to our Intranet again, I
closed out of all browsers and uninstalled the CommonName toolbar, restarted
the system, and found that they were still being directed to the CommonName
website on Intranet requests; my best efforts to disable the CommonName
toolbar by supplied mechanisms were futile.

The working solution was to remove all non-administrative access to the
Program Files\CommonName directory, preventing users' IE sessions from being
able to read the DLLs, and finally disabling the CommonNames auto-search
functionality.

As an aside, that caused me to stumble on an idea to proactively protect
yourself from spyware; intentionally install it, or else find out what paths
are used to install it, then deny yourself access to those paths, and even
the sneakiest spyware will be unable to install itself on your system,
unless it chooses random locations and file names.

Further testing with CommonNames toolbar is left as an exercise to those
without a database due tomorrow (read: the user).

-MightyE
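
The hostname check described in the original report above, as an added example that is not part of either post and is not CommonName's code: it contrasts the dot-based heuristic the report infers from observation with a scheme-aware check that keeps single-label intranet hosts out of the search path. The function names and the `route` helper are hypothetical, and all sample inputs other than the URL quoted in the report are constructed.

```javascript
// Added illustration, not CommonName's code. The dot heuristic below is the
// behaviour the report infers ("the lack of a dot in the server name").

// Flawed: input counts as a web address only if its host part contains a dot.
function flawedIsAddress(input) {
  const host = input.trim()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "") // drop any scheme
    .split(/[\/?#]/)[0];                      // keep only the authority part
  return host.includes(".");
}

// Corrected: an explicit http/https scheme that parses is always an address,
// so single-label hosts (intranet names, localhost) are never sent to search.
function isAddress(input) {
  const text = input.trim();
  if (/^https?:\/\//i.test(text)) {
    try {
      return new URL(text).hostname.length > 0;
    } catch (e) {
      return false; // malformed URL: not navigable
    }
  }
  // Assumption: without a scheme, only dotted, space-free input is an address;
  // a bare single word stays ambiguous and is treated as a keyword here.
  return !/\s/.test(text) && /^[^\/\s]+\.[^\/\s]+/.test(text);
}

// Decide what the toolbar does with the input. "search" means the full string
// is handed to the external keyword service, which is the disclosure at issue.
function route(input, classifier) {
  return classifier(input)
    ? { action: "navigate", sentToProvider: null }
    : { action: "search", sentToProvider: input };
}

// Constructed samples, plus the URL quoted in the report.
const samples = [
  "http://someserver/some/path",
  "http://localhost:8080/admin",
  "http://intranet.example.com/",
  "acme widgets",
];
for (const s of samples) {
  console.log(s, route(s, flawedIsAddress).action, route(s, isAddress).action);
}
```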

