[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: Comcast(tm) Email Manager allows arbitrary java and activex code execution

Hi Michael,

 do ya mean Java (comes in class/jar files) or Javascript (simple text) ? If
 Java, which I doubt, how does it execute ? Which version (JPI/MSJVM?),
 please provide stackdumps ...

Marc


On Thu, 22 Jul 2004, Michael Scheidell wrote:

> Date: Thu, 22 Jul 2004 11:36:07 -0400
> From: Michael Scheidell <scheidell@xxxxxxxxxx>
> To: full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx,
>      intrusions@xxxxxxxxxxxxx
> Cc: cert@xxxxxxxx, vulnwatch@xxxxxxxxxxxxx, snpmarq@xxxxxxxxxxxxxxxxxxxxxx
> Subject: Comcast(tm) Email Manager allows arbitrary java and activex code
>     execution
>
> Vulnerability in Comcast Webmail Manager allows arbitrary java and activex 
> code execution
> Systems: Comcast Webmail email system. www.comcast.net
> Vulnerable: X-Mailer: AT&T Message Center Version 1 (Mar 22 2004)
> Not Vulnerable: Unknown
> Severity: Serious / Low (Fixed now)
> Category: Arbitrary Execution of Code of Hackers Choice
> Classification: Input Validation Error
> BugTraq-ID: TBA
> CVE-Number: TBA
> Remote Exploit: yes
> Local Exploit: no
> Vendor URL: www.comcast.net
> Author: Michael S. Scheidell, SECNAP Network Security
> Original Release date: April 7, 2004
> Notifications: Comcast notified April 7, 2004
> Public Release date: July 22, 2004
>
> Discussion: from www.comcast.com
> High-Speed Internet. This is the fastest way to travel the Web! It's 
> cable-powered, so it's always connected and you won't tie up your phone 
> lines. It's a faster, more powerful and more convenient Internet experience.
>
> Note: This is not so much a warning to Comcast or their users, since Comcast 
> has fixed this problem, but more of a warning to every developer or CSIO to 
> make sure that web based email, blogs, information, memos must check their 
> code to make sure it is safe. See additional notifications of similar 
> problems with GoldMine(tm) http://www.secnap.com/security/gm001.html, and 
> sprintmail picture mail at http://www.secnap.com/security/030711.html
>
> Problem: There was a potential for hackers to use this vulnerability to 
> specially craft emails that will run random code of their choice on users' 
> computers - including remote Trojans, irc zombies, spyware, malware, and 
> remote key loggers. This program would run inside the corporate network, 
> behind the firewall and access anything the infected user has access to.
>
> The Comcast Webmail did not run the html email in the 'security zone' as does 
> Microsoft(tm) Outlook, but passed anything that looks like HTML to be 
> executed unrestricted directly to the default Browser (usually IE). Linux/or 
> Unix users with Netscape may have the javascript, page redirection and popup 
> email run, however, the activeX component will not run.
>
> Comcast users have the option of using Comcast Webmail or Outlook Express.  
> Because of the inability to disable html/java/or active-x in Comcast Webmail, 
> those using Webmail had an increased chance of their computers' becoming 
> infected in the event of a potential hacker either a) referencing active-x 
> controls or b) including javascript within an HTML e-mail message.
>
> The above has been tested on a Windows(tm) 2000 system with service pack 4, 
> all Internet Explorer patches and default (factory) Internet zone security 
> settings. Also tested were two Windows XP(tm) systems with service pack 1 and 
> all patches as well as Netscape 7.1 on Linux.
>
> The security community first became aware of the potential for this kind of 
> threat about two years ago.  Software companies that produce Web-based email, 
> blog or input system must check for arbitrary java and html code.  Note:  the 
> original Web Mail system was written by AT&T and was inherited by Comcast 
> during their purchase of AT&T's broadband business.
>
> Exploit: No exploit is necessary, as there are already examples in viruses 
> and trojans that were designed to attack Microsoft Outlook and Outlook 
> Express.
>
> Microsoft fixed these by patching both readers and allowing the user to set 
> the security zone for reading HTML email in the 'insecure' settings.
>
> To see an exhaustive list of what can happen when email is passed to IE, see 
> <http://www.guninski.com/browsers.html>
>
> Vendor Response: April 7, 2004. A Comcast representative called our office 
> immediately.  Comcast worked quickly on fixing this bug and rolling it out to 
> their servers, with a solution in place by April 13, 2004.  Release of this 
> notification was held back waiting for Comcast to decide how and when to 
> self-release.
>
> Solution:
> Comcast is now filtering out various forms of scripting.
>
> Credit:
> Michael Scheidell, SECNAP Network Security, www.secnap.com
> The original problem with IIE, Microsoft Outlook and Outlook Express was 
> found by George Grunski and involved insecure default reading of a malformed 
> HTML in Outlook and OE and insecure running of HTML (see 
> <http://www.guninski.com/browsers.html>) And thanks to Johannes B. Ullrich, 
> CTO SANS Internet Storm Center for assistance.
>
> Original copy of this report can be found here
> <http://www.secnap.com/security/20040406.html>
>
> Copyright:
> Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights 
> reserved.
>
> This security report can be copied and redistributed electronically provided 
> it is not edited and is quoted in its entirety without written consent of 
> SECNAP Network Security Corporation. Additional information or permission may 
> be obtained by contacting SECNAP Network Security at 561-999-5000
>

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html