* Web Browser Information Leakage through NetFilter:
@ 2002-09-26 23:49 Stewart Thompson
  2002-09-27  0:08 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Stewart Thompson @ 2002-09-26 23:49 UTC (permalink / raw)
  To: netfilter

Hi All:

	Excuse me for the somewhat off topic query.
I am running Redhat 7.2 with Iptables 1.2.5. I have
developed what I believe to be a pretty secure firewall
script on the Linux Machine. So here is the problem.

	I was redirected to some German web site.
I couldn't read the text obviously, but the gist was I
was insecure, it showed a completely accurate listing
of all the folders on my Windows machine I was using
the browser on at the time. Obviously I wasn't too pleased
about this. I am assuming it is a function of the Browser
and Server, and not a direct problem with my firewall.
I am running IE V6 on that machine.
	So the question is, can a malicious website access
sensitive data with this method? Is there some way to block
this with Netfilter and/or Browser settings?

	Thank you for your patience. Any ideas or suggestions
would be greatly appreciated.

Stu...........





* Re: Web Browser Information Leakage through NetFilter:
  2002-09-26 23:49 Web Browser Information Leakage through NetFilter: Stewart Thompson
@ 2002-09-27  0:08 ` Antony Stone
  2002-09-27  0:25 ` Rowan Reid
  2002-09-27  1:44 ` Matt Parlane
  2 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2002-09-27  0:08 UTC (permalink / raw)
  To: netfilter

On Friday 27 September 2002 12:49 am, Stewart Thompson wrote:

> Hi All:
>
> 	I was redirected to some German web site.

Please could you post the URL - either to the list, or to me privately - I 
would like to investigate what you have seen.

> I couldn't read the text obviously, but the gist was I
> was insecure, it showed a completely accurate listing
> of all the folders on my Windows machine I was using
> the browser on at the time.

That indicates either:

a) that your firewall was allowing some subset (I can't remember the precise 
details offhand) of TCP/UDP ports 137,138,139 *IN* from the remote server to 
your browsing machine, and the remote server could therefore peruse your 
Windows shares, or

b) that your browser downloaded some active content from the web server, 
executed that active content (which scanned local directories), and then 
either displayed it in the window of your browser (you hope), or sent it back 
to the server for it to return as an html view in the window of your browser

> Obviously I wasn't too pleased
> about this. I am assuming it is a function of the Browser
> and Server, and not a direct problem with my firewall.
> I am running IE V6 on that machine.

I would not be at all surprised if this simply ran some active content (Java, 
VBScript, ActiveX, that sort of thing) without telling you, and may or may 
not have returned something just as interesting to the remote server.

> 	So the question is, can a malicious website access
> sensitive data with this method?

Yes - definitely.

> Is there some way to block this with Netfilter and/or Browser settings?

Netfilter ?   No.   Browser ?   Yes.   I would suggest upgrading to Netscape, 
Konqueror, Mozilla, Opera.......

To quote from the KDE website:
"KDE 3.0.3 contains an important fix for handling SSL certificates," 
explained Waldo Bastian, the KDE developer responsible for implementing a fix 
shortly after the KDE Project became aware of the issue. "Anyone who uses 
Konqueror for secure transactions on the Internet is strongly urged to 
upgrade. Users of Internet Explorer, which suffers from the same problem but 
which does not yet have a fix available, are also encouraged to switch to KDE 
3.0.3." 

Seriously though, there is going to be something in the Options available in 
either IE6 or possibly on Control Panel - Internet Connection to say what 
active content you are prepared to accept.   I can't point you straight at 
the bit you need to change, because I've never used IE on a machine, however 
there must be something there somewhere.   A search on Google for Internet 
Explorer Security Settings might be a good place to start.

I'd still be interested to see the URL.

Antony.

-- 

There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.



* RE: Web Browser Information Leakage through NetFilter:
  2002-09-26 23:49 Web Browser Information Leakage through NetFilter: Stewart Thompson
  2002-09-27  0:08 ` Antony Stone
@ 2002-09-27  0:25 ` Rowan Reid
  2002-09-27  0:52   ` Stewart Thompson
  2002-09-27  1:44 ` Matt Parlane
  2 siblings, 1 reply; 9+ messages in thread
From: Rowan Reid @ 2002-09-27  0:25 UTC (permalink / raw)
  To: stewart.thompson, netfilter



This may be a hoax. In the past I've seen pages that have
Java scripts which do one of two things, they list a generic
Windows 98 C drive configuration. The page scrolls by so fast it seems
it has your exact drive contents. The next one I've seen is an actual
java script that reads your drive locally and makes it look like it's on
the page but I don’t think IE allows this anymore. The third and most
likely possibility is you have been hit by Nimda and it's left your shares
open. In order to do this though your firewall needs to allow port 138

> was insecure, it showed a completely accurate listing
> of all the folders on my Windows machine I was using
> the browser on at the time. Obviously I wasn't too pleased
> about this. I am assuming it is a function of the Browser
> and Server, and not a direct problem with my firewall.
> I am running IE V6 on that machine.
> 	So the question is, can a malicious website access
> sensitive data with this method? Is there some way to block
> this with Netfilter and/or Browser settings?
>




* RE: Web Browser Information Leakage through NetFilter:
  2002-09-27  0:25 ` Rowan Reid
@ 2002-09-27  0:52   ` Stewart Thompson
  2002-09-27  0:52     ` Rowan Reid
  2002-09-27  1:51     ` Chris Poupart
  0 siblings, 2 replies; 9+ messages in thread
From: Stewart Thompson @ 2002-09-27  0:52 UTC (permalink / raw)
  To: Rowan Reid, netfilter

Hi Rowan:

	Thanks for the reply. It may be the second option where it
shows you it locally. It is an accurate display of my C drive. Not a
generic one. I run Norton every day. First it does a live update, then
a full system scan. So, I am pretty sure I don't have any viruses.
I have security on IE6 set to high, likewise for cookies, but it still
seems to act the same.

Stu........



* RE: Web Browser Information Leakage through NetFilter:
  2002-09-27  0:52   ` Stewart Thompson
@ 2002-09-27  0:52     ` Rowan Reid
  2002-09-27  1:51     ` Chris Poupart
  1 sibling, 0 replies; 9+ messages in thread
From: Rowan Reid @ 2002-09-27  0:52 UTC (permalink / raw)
  To: stewart.thompson, netfilter


> Hi Rowan:
> 
> 	Thanks for the reply. It may be the second option where
> it shows you it locally. It is an accurate display of my C 
> drive. Not a generic one. I run Norton every day. First it 
> does a live update, then a full system scan. So, I am pretty 
> sure I don't have any viruses. I have security on IE6 set to 
> high, likewise for cookies, but it still seems to act the same.
> 

Below is an extraordinary tool to audit a system and firewall. It not only
tests for open ports, but it implements known rootkits for both Windows
and Unix. Trust me, if you have a compromised system this will tell you.

http://www.gfi.com/ 




* Re: Web Browser Information Leakage through NetFilter:
  2002-09-26 23:49 Web Browser Information Leakage through NetFilter: Stewart Thompson
  2002-09-27  0:08 ` Antony Stone
  2002-09-27  0:25 ` Rowan Reid
@ 2002-09-27  1:44 ` Matt Parlane
  2 siblings, 0 replies; 9+ messages in thread
From: Matt Parlane @ 2002-09-27  1:44 UTC (permalink / raw)
  To: stewart.thompson, netfilter

> I was redirected to some German web site.
> I couldn't read the text obviously, but the gist was I
> was insecure, it showed a completely accurate listing
> of all the folders on my Windows machine I was using
> the browser on at the time. Obviously I wasn't too pleased
> about this. I am assuming it is a function of the Browser
> and Server, and not a direct problem with my firewall.
> I am running IE V6 on that machine.
> So the question is, can a malicious website access
> sensitive data with this method? Is there some way to block
> this with Netfilter and/or Browser settings?

Hi Stu...

This is probably an IFrame with a location of file:///C:/ which basically
shows you a listing of your c:\ directory.  Pretty sneaky... but rest
assured that if this is what it is, they can't get at anything on your
machine.

Matt




* Re: Web Browser Information Leakage through NetFilter:
  2002-09-27  0:52   ` Stewart Thompson
  2002-09-27  0:52     ` Rowan Reid
@ 2002-09-27  1:51     ` Chris Poupart
  2002-09-27  4:46       ` Bishop
  1 sibling, 1 reply; 9+ messages in thread
From: Chris Poupart @ 2002-09-27  1:51 UTC (permalink / raw)
  To: stewart.thompson, netfilter

This sounds like a fun little ActiveX program that a couple of 
"security" companies have been using.  I know that 
Evidence-eliminator.com does this.  Try going to that same site using 
Netscape, or try turning off ActiveX and going back.  My guess is that 
it will not show up.

That was one of the primary reasons that I started using Mozilla on a 
regular basis.

-- Chris


* Re: Web Browser Information Leakage through NetFilter:
  2002-09-27  1:51     ` Chris Poupart
@ 2002-09-27  4:46       ` Bishop
  2002-09-27  5:41         ` Stewart Thompson
  0 siblings, 1 reply; 9+ messages in thread
From: Bishop @ 2002-09-27  4:46 UTC (permalink / raw)
  To: Chris Poupart, stewart.thompson, netfilter

You know what, I agree about a Java Script. Below you will see what it is.
Just copy the script, save it as an html and open it in your browser and you
will see that it's your drive. .... Hope it helps you out ....

----- Html Begins ---------

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
 <title>Untitled</title>
</head>

<body>
<script language="javaScript"><!--
if (navigator.appName=='Microsoft Internet Explorer'){

// ©2002 www.hadi.isgreat.net

document.write('<br><hr>')

document.write('<center><h3>H.D.D. viewer</h3></center>')

document.write('<center>')

document.write('<object id="browserIcons" classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2" align="baseline" border="0" width="540" height="280">')

document.write('<param name="Location" Value="c:">')

document.write('<param name="AlginLeft" Value="1">')

document.write('<param name="Autosize" Value="0">')

document.write('<param name="AutoSizePercentage" Value="100">')

document.write('<param name="AutoArrange" Value="1">')

document.write('<param name="NoClientEdge" Value="false">')

document.write('<param name="ViewMode" Value="4">')

document.write('</Object><hr>')

document.write('</center>')

}

//--></script>





</body>
</html>

---- Html ends ---------



Luis
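
As an added example (not part of the original post, and not code from anyone on this list), here is a detection check that a filtering proxy could run over page source for the two constructs discussed in this thread: an iframe pointing at a file: URL, as Matt Parlane suggested, and the object embed using the class ID from the script above. The function names, rule names and sample pages are assumptions constructed for illustration.

```javascript
// Added example: flag page source that embeds a view of the visitor's local drive.
// The class ID is the one in the script posted above; names and samples are constructed.
const THREAD_CLSID = '8856F961-340A-11D0-A96B-00C04FD705A2';

// A local target is a file: URL or a bare drive reference such as "c:" or "C:\".
const LOCAL_TARGET = /^(?:file:|[a-z]:(?:[\\/]|$))/i;

// Return the value of attribute `name` inside one tag's source text, or null.
function attr(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Scan raw page text. Tags are matched in the raw source, so markup that is
// emitted through document.write('...') strings is inspected as well.
function scanHtml(html) {
  const findings = [];
  const tagRe = /<(\/?)(iframe|frame|object|param)\b[^>]*>/gi;
  let inFlaggedObject = false; // true while inside an <object> with the thread's class ID
  for (const m of html.matchAll(tagRe)) {
    const tag = m[0];
    const closing = m[1] === '/';
    const kind = m[2].toLowerCase();
    if (closing) {
      if (kind === 'object') inFlaggedObject = false;
      continue;
    }
    if (kind === 'iframe' || kind === 'frame') {
      const src = attr(tag, 'src');
      if (src && LOCAL_TARGET.test(src.trim())) {
        findings.push({ rule: 'local-frame', detail: src });
      }
    } else if (kind === 'object') {
      const classid = (attr(tag, 'classid') || '')
        .replace(/^clsid:/i, '')
        .replace(/[{}]/g, '');
      inFlaggedObject = classid.toUpperCase() === THREAD_CLSID;
      if (inFlaggedObject) findings.push({ rule: 'flagged-object', detail: classid });
    } else if (inFlaggedObject && (attr(tag, 'name') || '').toLowerCase() === 'location') {
      const value = attr(tag, 'value');
      if (value && LOCAL_TARGET.test(value.trim())) {
        findings.push({ rule: 'local-location-param', detail: value });
      }
    }
  }
  return findings;
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_IFRAME =
  '<html><body><iframe src="file:///C:/" width="540" height="280"></iframe></body></html>';
const SAMPLE_OBJECT = [
  "document.write('<object id=\"x\" classid=\"clsid:8856F961-340A-11D0-A96B-00C04FD705A2\">')",
  "document.write('<param name=\"Location\" Value=\"c:\">')",
  "document.write('</Object>')",
].join('\n');
const SAMPLE_BENIGN =
  '<iframe src="https://example.com/"></iframe>' +
  '<object classid="clsid:00000000-0000-0000-0000-000000000000">' +
  '<param name="Location" value="c:"></object>';

for (const [label, page] of [['iframe', SAMPLE_IFRAME], ['object', SAMPLE_OBJECT], ['benign', SAMPLE_BENIGN]]) {
  console.log(label, JSON.stringify(scanHtml(page)));
}
```

A hit only says the page asks the browser to render a local path; whether anything is shown depends on the browser's zone and ActiveX settings, which is where the thread places the fix.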






* RE: Web Browser Information Leakage through NetFilter:
  2002-09-27  4:46       ` Bishop
@ 2002-09-27  5:41         ` Stewart Thompson
  0 siblings, 0 replies; 9+ messages in thread
From: Stewart Thompson @ 2002-09-27  5:41 UTC (permalink / raw)
  To: Bishop, Chris Poupart, netfilter; +Cc: antony

Hi All:

	Thanks all who replied. I couldn't test your html code because
I had already upgraded my IE 6 per the Microsoft Article.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322921

	It appears that a script could fool the system into thinking it
was executing in the local zone, bypassing the normal security.
Upgrading to service pack 1 seems to have rectified the problem.
Definitely a bit of an eye opener though.


Stu.......


