[Full-Disclosure] Firespoofing [Firefox 1.0]

From: mikx (mikx_at_mikx.de)
Date: 01/11/05

    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Date: Tue, 11 Jan 2005 00:22:09 +0100
    
    

    __Summary

    Using JavaScript it is possible to spoof the content of security and
    download dialogs by partly covering them with a popup window. This can fool
    a user into downloading and automatically executing a file (if a file extension
    association exists) or into granting a script local data access (if codebase
    principals are enabled).

    __Expected Behavior

    Modal dialogs should always be on top and it should not be possible to
    obfuscate their appearance.

    __Proof-of-Concept

    http://www.mikx.de/firespoofing/

    The PoC is designed for Firefox 1.0 running in a maximized window.

    Part 1 - download dialog spoofing
    Shows how to cover a download dialog and fool the user to execute a file
    with a standard windows file association (in this case a .ht file). BTW,
    remember the latest .ht buffer overflow...

    Part 2 - security dialog spoofing
    Shows how to cover a security dialog. Make sure codebase principals are
    enabled (not default but encouraged by many XUL sites). Creates the file
    c:\booom.txt to prove local system access.

    __Status

    The bug is confirmed but currently unfixed (open for more than 3 months). As
    a partial workaround set dom.disable_window_flip to true in about:config.
    The vendor failed to respond to multiple status requests which led to this
    public disclosure.

    2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
    2004-09-20 Vendor confirmed bug
    2004-10-20 Status request (open for 1 month - no reply)
    2005-01-03 Status request (open for 3 months - no reply)
    2005-01-07 Status request (disclosure warning - no reply)
    2005-01-11 Public disclosure
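    The workaround above is a single about:config preference, but on a fleet of
    machines it is easier to check and apply it from the profile's preference
    files. The following script is an added example and is not part of the
    advisory or of the PoC at mikx.de; it parses the user_pref("name", value);
    line format that Firefox uses in prefs.js and user.js, reports whether
    dom.disable_window_flip is explicitly true, and rewrites the text so that it
    is. The sample preference text is constructed for the example, and the
    assumption that an absent pref means the flip is still permitted follows
    from the advisory's statement that the default needs changing.

```python
import re

# Constructed sample of a Firefox 1.0-era prefs.js; not taken from a real profile.
SAMPLE_PREFS = '''# Mozilla User Preferences

// Do not edit this file.
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.disable_window_flip", false);
user_pref("network.http.pipelining.maxrequests", 8);
'''

# One pref per line: user_pref("name", value);  value is true/false, an int or a "string".
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw):
    """Convert the textual pref value to a Python bool, int or str."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected untouched


def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def window_flip_disabled(prefs):
    """The workaround only counts if the pref is explicitly true.

    Assumption: an absent pref falls back to the browser default, which the
    advisory implies still lets a popup raise itself over the dialog, so a
    missing key is reported as not hardened.
    """
    return prefs.get("dom.disable_window_flip") is True


def apply_workaround(text):
    """Return the prefs text with dom.disable_window_flip forced to true.

    An existing line is rewritten in place; otherwise one is appended.
    Every other line is preserved unchanged.
    """
    out = []
    seen = False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == "dom.disable_window_flip":
            out.append('user_pref("dom.disable_window_flip", true);')
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append('user_pref("dom.disable_window_flip", true);')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_prefs(SAMPLE_PREFS)
    print("workaround applied:", window_flip_disabled(before))  # False
    hardened = apply_workaround(SAMPLE_PREFS)
    print("workaround applied:", window_flip_disabled(parse_prefs(hardened)))  # True
    print(hardened, end="")
```

    Write the resulting line into user.js in the profile directory rather than
    into prefs.js: Firefox rewrites prefs.js on exit, while user.js is read at
    startup and overrides it. As the advisory says, this only blocks the window
    flipping half of the trick and is a partial workaround, not a fix.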

    __Affected Software

    Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.

    __Contact Information

    Michael Krax <mikx@mikx.de>
    http://www.mikx.de/?p=7

    mikx

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
