Comcast(tm) Email Manager allows arbitrary java and activex code execution

To: <full-disclosure@xxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <intrusions@xxxxxxxxxxxxx>
Subject: Comcast(tm) Email Manager allows arbitrary java and activex code execution
From: "Michael Scheidell" <scheidell@xxxxxxxxxx>
Date: Thu, 22 Jul 2004 11:36:07 -0400
Cc: <cert@xxxxxxxx>, <vulnwatch@xxxxxxxxxxxxx>, <snpmarq@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcQct5b6fuwB+7dqQhm8+tbv3XcctxTQ/BoQ
Thread-topic: Comcast(tm) Email Manager allows arbitrary java and activex code execution

Vulnerability in Comcast Webmail Manager allows arbitrary java and activex code 
execution 
Systems: Comcast Webmail email system. www.comcast.net
Vulnerable: X-Mailer: AT&T Message Center Version 1 (Mar 22 2004)
Not Vulnerable: Unknown
Severity: Serious / Low (Fixed now)
Category: Arbitrary Execution of Code of Hackers Choice 
Classification: Input Validation Error 
BugTraq-ID: TBA 
CVE-Number: TBA
Remote Exploit: yes 
Local Exploit: no 
Vendor URL: www.comcast.net
Author: Michael S. Scheidell, SECNAP Network Security 
Original Release date: April 7, 2004
Notifications: Comcast notified April 7, 2004
Public Release date: July 22, 2004

Discussion: from www.comcast.com
High-Speed Internet. This is the fastest way to travel the Web! It's 
cable-powered, so it's always connected and you won't tie up your phone lines. 
It's a faster, more powerful and more convenient Internet experience.

Note: This is not so much a warning to Comcast or their users, since Comcast 
has fixed this problem, but more of a warning to every developer or CSIO to 
make sure that web based email, blogs, information, memos must check their code 
to make sure it is safe. See additional notifications of similar problems with 
GoldMine(tm) http://www.secnap.com/security/gm001.html, and sprintmail picture 
mail at http://www.secnap.com/security/030711.html

Problem: There was a potential for hackers to use this vulnerability to 
specially craft emails that will run random code of their choice on users' 
computers - including remote Trojans, irc zombies, spyware, malware, and remote 
key loggers. This program would run inside the corporate network, behind the 
firewall and access anything the infected user has access to. 

The Comcast Webmail did not run the html email in the 'security zone' as does 
Microsoft(tm) Outlook, but passed anything that looks like HTML to be executed 
unrestricted directly to the default Browser (usually IE). Linux/or Unix users 
with Netscape may have the javascript, page redirection and popup email run, 
however, the activeX component will not run. 

Comcast users have the option of using Comcast Webmail or Outlook Express.  
Because of the inability to disable html/java/or active-x in Comcast Webmail, 
those using Webmail had an increased chance of their computers' becoming 
infected in the event of a potential hacker either a) referencing active-x 
controls or b) including javascript within an HTML e-mail message.

The above has been tested on a Windows(tm) 2000 system with service pack 4, all 
Internet Explorer patches and default (factory) Internet zone security 
settings. Also tested were two Windows XP(tm) systems with service pack 1 and 
all patches as well as Netscape 7.1 on Linux.

The security community first became aware of the potential for this kind of 
threat about two years ago.  Software companies that produce Web-based email, 
blog or input system must check for arbitrary java and html code.  Note:  the 
original Web Mail system was written by AT&T and was inherited by Comcast 
during their purchase of AT&T's broadband business.

Exploit: No exploit is necessary, as there are already examples in viruses and 
trojans that were designed to attack Microsoft Outlook and Outlook Express. 

Microsoft fixed these by patching both readers and allowing the user to set the 
security zone for reading HTML email in the 'insecure' settings.

To see an exhaustive list of what can happen when email is passed to IE, see 
<http://www.guninski.com/browsers.html> 

Vendor Response: April 7, 2004. A Comcast representative called our office 
immediately.  Comcast worked quickly on fixing this bug and rolling it out to 
their servers, with a solution in place by April 13, 2004.  Release of this 
notification was held back waiting for Comcast to decide how and when to 
self-release.

Solution: 
Comcast is now filtering out various forms of scripting.

Credit: 
Michael Scheidell, SECNAP Network Security, www.secnap.com
The original problem with IIE, Microsoft Outlook and Outlook Express was found 
by George Grunski and involved insecure default reading of a malformed HTML in 
Outlook and OE and insecure running of HTML (see 
<http://www.guninski.com/browsers.html>) And thanks to Johannes B. Ullrich, CTO 
SANS Internet Storm Center for assistance.

Original copy of this report can be found here 
<http://www.secnap.com/security/20040406.html>

Copyright: 
Above Copyright(c) 2004, SECNAP Network Security Corporation. World rights 
reserved. 

This security report can be copied and redistributed electronically provided it 
is not edited and is quoted in its entirety without written consent of SECNAP 
Network Security Corporation. Additional information or permission may be 
obtained by contacting SECNAP Network Security at 561-999-5000

Prev by Date: TSSA-2004-014 - samba
Next by Date: SWAT PreAuthorization PoC
Previous by thread: TSSA-2004-014 - samba
Next by thread: SWAT PreAuthorization PoC
Index(es):
- Date
- Thread