Firedragging [Firefox 1.0]

From: mikx (mikx_at_MIKX.DE)
Date: 02/07/05

  • Next message: mikx: "Fireflashing [Firefox 1.0]" 
    Date:         Mon, 7 Feb 2005 18:48:08 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    __Summary

    Usually Firefox does not allow that an executable, non-image file gets
    directly dragged to the desktop (e.g. by supplying malware.exe as the src of
    an image tag). Instead Firefox creates a link to the file on the desktop.

    If you create a hybrid of a gif image and a batch file you can trick
    Firefox. Since the hybrid renders as a valid image, Firefox tries to copy
    the image to the desktop when dropped. By creating the image dynamicly and
    forcing the content type image/gif, the file can be of any extension (e.g.
    image.bat or image.exe).

    The windows batch file parser is pretty forgiving. It just ignores the first
    line of "gif trash" and executes whatever you append to the end of the
    hybrid file.

    Since windows hides known file extensions by default, a user can only tell
    that something went wrong by looking at the file icon, which is different of
    course. If the user does not care or know what this different icon means, a
    double click to view or edit the "image" he just dropped executes the batch
    file instead.

    __Proof-of-Concept

    http://www.mikx.de/firedragging/

    __Status

    The bug is marked as fixed in bugzilla. Get a nightly build, compile on your
    own or wait for Firefox 1.0.1.

    2005-01-26 Vendor informed (bugzilla.mozilla.org #279945)
    2005-01-31 Vendor confirmed bug
    2005-02-03 Vendor fixed bug
    2005-02-07 Public disclosure

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2005-0230 to this issue.

    __Affected Software

    Tested with Firefox 1.0 and Mozilla 1.7.5

    __Contact Informations

    Michael Krax <mikx@mikx.de>
    http://www.mikx.de/?p=8

    mikx 

    --
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: mikx: "Fireflashing [Firefox 1.0]"

    Relevant Pages

    • Fireflashing [Firefox 1.0]
      ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ...
      (NT-Bugtraq)
    • [Full-Disclosure] Fireflashing [Firefox 1.0]
      ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ...
      (Full-Disclosure)
    • Fireflashing [Firefox 1.0]
      ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ...
      (Bugtraq)
    • Fireflashing [Firefox 1.0]
      ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ...
      (Full-Disclosure)
    • Firescrolling 2 [Firefox 1.0.1]
      ... hidden frame) the ability to hijack a drag and drop operation and open a ... The bug is fixed in Firefox 1.0.2. ... 2005-03-11 Vendor confirmed bug ...
      (NT-Bugtraq)