RE: [Full-Disclosure] Firespoofing [Firefox 1.0]

From: Soderland, Craig (craig.soderland_at_sap.com)
Date: 01/11/05

  • Next message: stonersavant: "Re: [Full-Disclosure] Shoe 1.0 - Remote Lace Overflow"
    Date: Tue, 11 Jan 2005 15:37:20 +0100
    To: "mikx" <mikx@mikx.de>, <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>, <NTBUGTRAQ@listserv.ntbugtraq.com>
    
    

    This does not work if you are using the FireFox 1.0 tabbed browsing
    feature, as your pop up window simply opens a new tab, and it then
    becomes immediately obvious what you are trying to pull off here.

    > -----Original Message-----
    > From: full-disclosure-bounces@lists.netsys.com
    [mailto:full-disclosure-
    > bounces@lists.netsys.com]
    > Sent: Monday, January 10, 2005 6:22 PM
    > To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
    > NTBUGTRAQ@listserv.ntbugtraq.com
    > Subject: [Full-Disclosure] Firespoofing [Firefox 1.0]
    >
    > __Summary
    >
    > Using javascript it is possible to spoof the content of security and
    > download dialogs by partly covering them with a popup window. This can
    > fool
    > a user to download and automaticly execute a file (if a file extension
    > association exists) or to grant a script local data access (if
    codebase
    > principals are enabled).
    >
    > __Expected Behavior
    >
    > Modal dialogs should always be on top and it should not be possible to
    > obfuscate their appearance.
    >
    > __Proof-of-Concept
    >
    > http://www.mikx.de/firespoofing/
    >
    > The PoC is designed for Firefox 1.0 running in a maximized window.
    >
    > Part 1 - download dialog spoofing
    > Shows how to cover a download dialog and fool the user to execute a
    file
    > with a standard windows file association (in this case a .ht file).
    BTW,
    > remember the latest .ht buffer overflow...
    >
    > Part 2 - security dialog spoofing
    > Shows how to cover a security dialog. Make sure codebase principals
    are
    > enabled (not default but encouraged by many XUL sites). Creates the
    file
    > c:\booom.txt to proof local system access.
    >
    > __Status
    >
    > The bug is confirmed but currently unfixed (open for more than 3
    months).
    > As
    > a partial workaround set dom.disable_window_flip to true in
    about:config.
    > The vendor failed to respond to multiple status requests which led to
    this
    > public disclosure.
    >
    > 2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
    > 2004-09-20 Vendor confirmed bug
    > 2004-10-20 Status request (open for 1 month - no reply)
    > 2005-01-03 Status request (open for 3 months - no reply)
    > 2005-01-07 Status request (disclosure warning - no reply)
    > 2005-01-11 Public disclosure
    >
    > __Affected Software
    >
    > Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP
    SP2.
    >
    > __Contact Informations
    >
    > Michael Krax <mikx@mikx.de>
    > http://www.mikx.de/?p=7
    >
    > mikx
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: stonersavant: "Re: [Full-Disclosure] Shoe 1.0 - Remote Lace Overflow"

    Relevant Pages

    • Re: [Full-Disclosure] Firespoofing [Firefox 1.0]
      ... > download dialogs by partly covering them with a popup window. ... > The PoC is designed for Firefox 1.0 running in a maximized window. ... Make sure codebase principals ...
      (NT-Bugtraq)
    • Re: Observations from a Windows user
      ... Firefox is in when under XP, I have closed the app / window / ... At that point, the app should exit. ... You say if you close all windows except the download ...
      (uk.comp.sys.mac)
    • Re: Observations from a Windows user
      ... The "download manager" as you put it, is a Firefox ... When you have shut the last Firefox window, ...
      (uk.comp.sys.mac)
    • Re: Not to be that guy, but...
      ... usenet and email and firebird then Firefox for browsing. ... Yes I do love the addons - latest one I started using places the window ... accepts "search terms, any number, any order" and you can't force it to ...
      (comp.sys.ibm.pc.games.action)
    • Re: Firefox 4 reversed Open in a new window, and Open in a new tab
      ... Although I started 3 new windows instead of tabs before I figured out ... problem I had with "Start new window" is that it turns out, ... A newer version of Firefox, will use information from the older ... For example, if I look for sqlite (a database type), I find the program ...
      (microsoft.public.windowsxp.general)