
TBTF for 1995-09-27: Nutscape cracked again

Keith Dawson (dawson dot tbtf at gmail dot com)
Wed, 27 Sep 1995 01:20:00 -0400



The following correspondence, anonymized and already much forwarded, came
my way this morning at 11:46. The story of the third crack discovered in
Netscape in the last month ran in today's Wall Street Journal and was
picked up by Edupage. The reported problem may not be limited to Netscape,
but could exist in other web browsers that support the mailto: tag (which
is most of them except MacWeb/WinWeb).

This flaw does not represent a threat to encrypted transactions; rather it
is a security hole through which a miscreant (love that word) could cause
the execution of an arbitrary program, script, or command on a client
machine. (Rather like the mail-attachment, right-button boo-boo in Windows
95/MSN that Microsoft has been dismissing a lot of late.)

>> mailto: hyperlinks containing extra-long domain names
>> seem to be handled comparatively safely in both Netscape and Mosaic.
>> (Perhaps they just have longer buffers ? ;)

> My guess is, Netscape doesn't do any processing on the
> mailto: hyperlink at all, but merely passes it to a real mail delivery
> agent like Sendmail (or it uses MAPI under Win'95). Which begs
> the question, if Netscape is executing an external delivery agent,
> there may be the possibility of sneaking an attack in there and getting
> the shell to execute something.
>
> Hmm, let me try something . . .
>
> WOW!! Unbelievable! Stop the presses! I Can't believe no one ever
> discovered this before! Try a page with the following URL
>
> <a href="mailto:blah at foo dot com|xterm&"> test </a>
>
> Muahaha! Yet another security hole! Clicking on this mailto brings up
> an xterm on my machine! Simply change the xterm& to "rm -rf /" and
> bingo!
>
> Sheesh. I better stop before I am on Netscape's most hated list.

The "Muahaha" lends a nice tone. Obviously this correspondent has not
seen <http://www.c2.org/hacknetscape/>, a contest sponsored by Berkeley
ISP Community Connexion (with web site and prize tee shirt designed by
Eye Candy). The tee shirt is to die for. Thanks to bill@atria.com for
this one:

> Hack Netscape and win a T-shirt! Yes, expose security flaws in the
> most widely used commercial WWW software and you too can have your
> very own limited edition T-shirt, awarded only to people who have
> exposed security holes in Netscape internet products or managed
> widely publicized Netscape cracking events.

When I learn the identity of the two anonymous correspondents above I'll
let you know.
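As an added illustration (not code from the correspondence above, nor from any browser), a Python sketch of the two ways a client can hand a mailto: target to an external delivery agent: gluing it onto a command string for the shell, which is exactly how the "|xterm&" becomes a pipeline and a background job, versus checking the target against a plain address grammar and building an argv vector that no shell ever parses. The agent path /usr/lib/sendmail and the sample URLs are assumed and constructed.

```python
import re
from urllib.parse import unquote

# Conservative address grammar: local-part@domain built from letters, digits
# and a few punctuation marks. Everything a shell treats as syntax (|, &, ;,
# $, backquote, quotes, whitespace, redirection) is simply not in the set.
ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

MAIL_AGENT = "/usr/lib/sendmail"   # assumed path, used only as a placeholder


class UnsafeMailtoError(ValueError):
    """The mailto: target is not a plain address and must not be dispatched."""


def shell_command_1995(href):
    """The weak pattern: return the string that would reach /bin/sh.

    Nothing is executed here. With the correspondent's URL the result ends
    in "|xterm&", which the shell reads as a pipeline, not as an address.
    """
    return f"{MAIL_AGENT} {href[len('mailto:'):]}"


def parse_mailto(href):
    """Return the recipient address from a mailto: href, or raise."""
    if not href.lower().startswith("mailto:"):
        raise UnsafeMailtoError("not a mailto: URL")
    # Decode %XX escapes first so "%7C" cannot smuggle a "|" past the check.
    target = unquote(href[len("mailto:"):])
    # Drop any ?subject=... part; only the address is handed to the agent.
    target = target.split("?", 1)[0]
    if not ADDR_RE.fullmatch(target):
        raise UnsafeMailtoError(f"rejected mailto target: {target!r}")
    return target


def mail_agent_argv(href):
    """Build an argv vector for execve()/subprocess with shell=False.

    Each element is one argument, so even a metacharacter that slipped past
    the grammar would be passed to the agent literally, never interpreted.
    """
    return [MAIL_AGENT, parse_mailto(href)]
```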


Emendation:

Sounds so much nicer than "correction," don't you think? Karyn German,
TIA product manager at Cyberspace Development, wrote to correct a
misimpression from my List Hijacking piece in TBTF for 1995-09-24 (see
<1995-09-24.html>). The Majordomo
mailing list at CyberDev has never been open to posting by outsiders --
so my posited evil marketing genius could steal the list, but could not
make CyberDev pay for his use of it. Majordomo in fact offers a number
of such security knobs, as I assume the other list servers do. My point
was that Net oldtimers may not have been tweaking them, so far... but
they will.

The hijacker hijacked:

Karl Hakkarainen sent me a mailing originating from Atria Software,
Inc. -- in fact from just down the hall from my office. The
announcement of a seminar displayed what appeared to be Atria's entire
New England mailing list in its "To:" field. Thanks, Karl, the sender has
now been requested to use the "Bcc:" field in future.


>>From WEBster (1995-09-19):

Microport introduced the NetMark 1000 at Unix Expo. It is a complete,
out-of-the-box Web server solution including hardware, ready to plug
into a LAN and/or an Internet access provider. Based on a Pentium PC
with two Ethernet ports, an external SCSI port, and a CD-ROM drive,
the server runs Novell (soon to be SCO) UnixWare. Preinstalled are a
full suite of TCP/IP applications including news, mail, gopher, and a
Web server that seems to be based on NCSA/UIUC, as well as web
authoring tools. Prices start at $6,800. Microport is positioning the
NetMark 1000 as a quick way for companies to bring up a Web presence for
either internal or external information serving. For more details see the
WEBster story at <http://www.tgc.com/websec/20454.html>. I checked the
Microport Web site, <http://www.mport.com/>, and it is remarkably content
free.

Sun, SGI, DEC, and others have been selling out-of-the-box, hardware/
software web-server solutions for some time now; Microport's offering
represents the first such that I am aware of priced significantly below
$10,000.


>>From the Internet Patent News Service (1995-09-05):

Finally, some numbers on the growth of software patents since 1971,
courtesy of the indispensable Greg Aharonian. Total patents have risen
on a leisurely straight line, doubling in number over the past 25 years.
Software patents have been on a clear exponential uptrend. For the data
set and a graph see <sw-patents.html>.
Greg claims that there has been no statistically significant change in
the quality and process of handling software patents since the Compton's
debacle. He says that "Knuth is digging a grave just to have something
to roll over in."


>>Sources:

>>Edupage -- mail listproc@educom.edu without subject
> and with message: subscribe edupage <your name> .

>>WEBster -- send mail without text to 4free@webster.tgc.com .

>>Internet Patent News Service -- mail patents@world.std.com
> with message: help .


TBTF alerts you twice a week to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the
message "subscribe" to tbtf-request@world.std.com.
______________________________________________________
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.