Firescrolling [Firefox 1.0]

• Previous message: Marc Maiffret: "Remote Windows Kernel Exploitation - Step Into the Ring 0"
• Next in thread: Brian Bergin: "Re: Firescrolling [Firefox 1.0]"
• Reply: Brian Bergin: "Re: Firescrolling [Firefox 1.0]"
• Maybe reply: Russ: "Re: Firescrolling [Firefox 1.0]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 25 Feb 2005 09:10:30 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

__Summary

Remember my Internet Explorer "scrollbar exploit" based on http-equiv's
"What a Drag"? When will people ever learn that "unusual user interaction"
can be hidden by common tasks...

Let's combine fireflashing, firetabbing, xul and javascript to run arbitrary
code by dragging a scrollbar two times.

__Proof-of-Concept

http://www.mikx.de/firescrolling/

__Status

The exploit is based on multiple vulnerabilities:

bugzilla.mozilla.org #280664 (fireflashing)
bugzilla.mozilla.org #280056 (firetabbing)
bugzilla.mozilla.org #281807 (firescrolling)

Upgrade to Firefox 1.0.1 or disable javascript.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0527 to this issue.

__Affected Software

Tested with Firefox 1.0 on Windows and Linux (Fedora Core)

__Contact Informations

Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=11

mikx

--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

• Previous message: Marc Maiffret: "Remote Windows Kernel Exploitation - Step Into the Ring 0"
• Next in thread: Brian Bergin: "Re: Firescrolling [Firefox 1.0]"
• Reply: Brian Bergin: "Re: Firescrolling [Firefox 1.0]"
• Maybe reply: Russ: "Re: Firescrolling [Firefox 1.0]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Firescrolling [Firefox 1.0] ... Remember my Internet Explorer "scrollbar exploit" based on http-equiv's ... The exploit is based on multiple vulnerabilities: ... The Common Vulnerabilities and Exposures project has ... Tested with Firefox 1.0 on Windows and Linux ... (Bugtraq) [Full-Disclosure] Firescrolling [Firefox 1.0] ... Remember my Internet Explorer "scrollbar exploit" based on http-equiv's ... The exploit is based on multiple vulnerabilities: ... The Common Vulnerabilities and Exposures project has ... Tested with Firefox 1.0 on Windows and Linux ... (Full-Disclosure) Firescrolling [Firefox 1.0] ... Remember my Internet Explorer "scrollbar exploit" based on http-equiv's ... The exploit is based on multiple vulnerabilities: ... The Common Vulnerabilities and Exposures project has ... Tested with Firefox 1.0 on Windows and Linux ... (Full-Disclosure) RE: Firescrolling [Firefox 1.0] ... Remember my Internet Explorer "scrollbar exploit" based on http-equiv's ... The exploit is based on multiple vulnerabilities: ... Upgrade to Firefox 1.0.1 or disable javascript. ... (Bugtraq) Re: Upgrade Firefox 1.07 to 1.5 ... >>> I could workaround the broken extensions OK, ... >>> scrollbar is unacceptable. ... > I agree with your opinion on the preferences dialog! ... > Firefox internal preferences. ... (alt.os.linux.suse)