Firescrolling 2 [Firefox 1.0.1]

• Previous message: Serge Vondandamo: "XP SP2 netfw.inf issues"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Thu, 24 Mar 2005 11:34:04 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

__Summary

Even though Firefox 1.0.1 patched one of the key bugs behind my
firescrolling exploit (the ability of plugins to load chrome files in a
hidden frame) the ability to hijack a drag and drop operation and open a
privileged xul file is still available.

The demo opens "chrome://global/content/alerts/alert.xul" when dragging the
scrollbar the first time. This XUL file automaticly runs an inline script to
turn the window into a tray notification alert. This demo is just an example
of an annoying usage, but if the browser or an extension contains an inline
script that uses an eval/setTimeout with a parameter an attacker can
influence it turns into an arbitrary code execution bug. Also update or
uninstall scripts could be a valuable target. I doubt most extension
developers think about problems that could occure if a XUL file in their
extensions is opened directly.

__Proof-of-Concept

http://www.mikx.de/firescrolling2/

__Status

The bug is fixed in Firefox 1.0.2.

2005-03-09 Vendor informed (bugzilla.mozilla.org #285438)
2005-03-11 Vendor confirmed bug
2005-03-23 Vendor published fixed version and advisory
2005-03-24 Public disclosure

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0401 to this issue.

__Affected Software

Tested with Firefox 1.0.1

__Contact Informations

Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=12

mikx

--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

• Previous message: Serge Vondandamo: "XP SP2 netfw.inf issues"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-disclosure] Firescrolling 2 [Firefox 1.0.1] ... hidden frame) the ability to hijack a drag and drop operation and open a ... The bug is fixed in Firefox 1.0.2. ... 2005-03-11 Vendor confirmed bug ... (Full-Disclosure) Firescrolling 2 [Firefox 1.0.1] ... hidden frame) the ability to hijack a drag and drop operation and open a ... The bug is fixed in Firefox 1.0.2. ... 2005-03-11 Vendor confirmed bug ... (Bugtraq) Fireflashing [Firefox 1.0] ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ... (NT-Bugtraq) [Full-Disclosure] Fireflashing [Firefox 1.0] ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ... (Full-Disclosure) Fireflashing [Firefox 1.0] ... Using plugins like Flash and the -moz-opacity filter it is possible to ... The bug is marked as fixed in bugzilla. ... 2005-02-01 Vendor confirmed bug ... Tested with Firefox 1.0 and Mozilla 1.7.5 ... (Bugtraq)