Re: [Full-Disclosure] Firespoofing [Firefox 1.0]
From: Soderland, Craig (craig.soderland_at_SAP.COM)
Date: 01/11/05
- Previous message: mikx: "Firespoofing [Firefox 1.0]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Jan 2005 15:37:20 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
This does not work if you are using the Firefox 1.0 tabbed browsing
feature, as your pop-up window simply opens a new tab, and it then
becomes immediately obvious what you are trying to pull off here.
> -----Original Message-----
> From: full-disclosure-bounces@lists.netsys.com
> [mailto:full-disclosure-bounces@lists.netsys.com]
> Sent: Monday, January 10, 2005 6:22 PM
> To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
> NTBUGTRAQ@listserv.ntbugtraq.com
> Subject: [Full-Disclosure] Firespoofing [Firefox 1.0]
>
> __Summary
>
> Using JavaScript it is possible to spoof the content of security and
> download dialogs by partly covering them with a popup window. This can
> fool a user to download and automatically execute a file (if a file
> extension association exists) or to grant a script local data access
> (if codebase principals are enabled).
>
> __Expected Behavior
>
> Modal dialogs should always be on top and it should not be possible to
> obfuscate their appearance.
>
> __Proof-of-Concept
>
> http://www.mikx.de/firespoofing/
>
> The PoC is designed for Firefox 1.0 running in a maximized window.
>
> Part 1 - download dialog spoofing
> Shows how to cover a download dialog and fool the user to execute a
> file with a standard Windows file association (in this case a .ht
> file). BTW, remember the latest .ht buffer overflow...
>
> Part 2 - security dialog spoofing
> Shows how to cover a security dialog. Make sure codebase principals
> are enabled (not default but encouraged by many XUL sites). Creates
> the file c:\booom.txt to prove local system access.
>
> __Status
>
> The bug is confirmed but currently unfixed (open for more than 3
> months). As a partial workaround set dom.disable_window_flip to true
> in about:config. The vendor failed to respond to multiple status
> requests which led to this public disclosure.
>
> 2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
> 2004-09-20 Vendor confirmed bug
> 2004-10-20 Status request (open for 1 month - no reply)
> 2005-01-03 Status request (open for 3 months - no reply)
> 2005-01-07 Status request (disclosure warning - no reply)
> 2005-01-11 Public disclosure
>
> __Affected Software
>
> Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP
> SP2.
>
> __Contact Information
>
> Michael Krax <mikx@mikx.de>
> http://www.mikx.de/?p=7
>
> mikx
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html