Firespoofing [Firefox 1.0]
From: mikx (mikx_at_MIKX.DE)
Date: 01/11/05
- Previous message: Rafel Ivgi, The-Insider: "All Symantec Products All Versions Until 2005 - Remote Stack Buffer Overflow"
- Next in thread: Pavel Kankovsky: "Re: Firespoofing [Firefox 1.0]"
- Reply: Pavel Kankovsky: "Re: Firespoofing [Firefox 1.0]"
- Reply: Matthias Fichtner: "Re: Firespoofing [Firefox 1.0]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Jan 2005 00:22:09 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
__Summary
Using JavaScript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can fool
a user into downloading and automatically executing a file (if a file extension
association exists) or into granting a script local data access (if codebase
principals are enabled).
__Expected Behavior
Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.
__Proof-of-Concept
http://www.mikx.de/firespoofing/
The PoC is designed for Firefox 1.0 running in a maximized window.
Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user into executing a file
with a standard Windows file association (in this case a .ht file). BTW,
remember the latest .ht buffer overflow...
Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are
enabled (not the default, but encouraged by many XUL sites). Creates the file
c:\booom.txt to prove local system access.
__Status
The bug is confirmed but currently unfixed (open for more than 3 months). As
a partial workaround set dom.disable_window_flip to true in about:config.
The vendor failed to respond to multiple status requests which led to this
public disclosure.
2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure
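The Status section gives one mitigation (dom.disable_window_flip set to true) and Part 2 depends on codebase principals being enabled. The following is an added example, not part of the advisory and not code by the author: a small Python audit that parses a Firefox prefs.js/user.js file, reports whether those two preferences are in the hardened state (treating an absent preference as the Firefox default of that era), and emits the user.js lines that would fix them. The sample preference file is constructed for the example; the two preference names are the real Firefox preference names, and the assumed defaults (both false) are noted in the code.

```python
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# Preferences relevant to the advisory. Desired values for a hardened profile:
# - dom.disable_window_flip: true stops scripts raising/lowering their own windows,
#   so a popup cannot be kept in front of a modal dialog (the advisory's workaround).
# - signed.applets.codebase_principal_support: false keeps codebase principals
#   disabled (Part 2 of the PoC needs them enabled).
HARDENED: Dict[str, PrefValue] = {
    "dom.disable_window_flip": True,
    "signed.applets.codebase_principal_support": False,
}

# Assumed Firefox defaults when the preference is absent from the file.
DEFAULTS: Dict[str, PrefValue] = {
    "dom.disable_window_flip": False,
    "signed.applets.codebase_principal_support": False,
}

# Constructed sample of a prefs.js file: one pref missing, one pref in the risky state.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("signed.applets.codebase_principal_support", true);
user_pref("network.http.max-connections", 24);
"""

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def _parse_value(raw: str) -> PrefValue:
    """Convert the JavaScript literal in a user_pref() call to a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as the raw text


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref("name", value); lines; comments and other lines are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        match = _PREF_RE.match(line.strip())
        if match:
            prefs[match.group(1)] = _parse_value(match.group(2).strip())
    return prefs


def effective(prefs: Dict[str, PrefValue], name: str) -> PrefValue:
    """Value Firefox would use: the file's value, or the assumed default if absent."""
    return prefs.get(name, DEFAULTS[name])


def audit(prefs: Dict[str, PrefValue]) -> List[Dict[str, PrefValue]]:
    """Return one finding per preference whose effective value is not the hardened one."""
    findings = []
    for name, wanted in HARDENED.items():
        actual = effective(prefs, name)
        if actual is not wanted:
            findings.append({"pref": name, "actual": actual, "wanted": wanted})
    return findings


def hardening_lines() -> List[str]:
    """user.js lines that put every audited preference into its hardened state."""
    return [
        'user_pref("%s", %s);' % (name, "true" if value else "false")
        for name, value in HARDENED.items()
    ]


if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE_PREFS)):
        print("%(pref)s is %(actual)s, should be %(wanted)s" % finding)
    print("\n".join(hardening_lines()))
```

Run it against a real profile by replacing SAMPLE_PREFS with the contents of prefs.js and user.js; values in user.js override prefs.js, so parse both and let the later file win.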
__Affected Software
Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.
__Contact Information
Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=7
mikx
-- NTBugtraq Editor's Note: Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered. --