[NEWS] Mozilla Browsers OnFire (Firescrolling, Fireflashing, Firetabbing, Firedragging)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/28/05

  • Next message: SecuriTeam: "[NT] ACS Blog Cross Site Vulnerability" 
    To: list@securiteam.com
Date: 28 Mar 2005 10:18:59 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Mozilla Browsers OnFire (Firescrolling, Fireflashing, Firetabbing,
    Firedragging)
    ------------------------------------------------------------------------

    SUMMARY

    Mozilla's web browsers contains multiple vulnerabilities of
    "Firescrolling", "Fireflashing", "Firetabbing" and "Firedragging". These
    vulnerabilities allow web sites to steal information from the user
    sessions and cookies to execute arbitrary code, install malicious XUL
    plugins and change configuration of Firefox.

    DETAILS

    Vulnerable Systems:
     * Mozilla Firefox version 1.0
     * Mozilla Suite version 1.7.5

    Immune Systems:
     * Mozilla Firefox version 1.0.2
     * Mozilla Suite version 1.7.6

    Fireflashing
    By making the user double-click at a specific screen position (e.g. using
    a DHTML game) you can silently toggle the status of boolean config
    parameters.

    As long as the number of about:config parameters is unchanged (unlikely a
    casual user will change them) you can move the parameter you want to the
    specified screen position by using CSS.

    You can also load about:config using the real player plugin and merged URL
    events.

    Proof of Concept
     <http://www.mikx.de/fireflashing/> http://www.mikx.de/fireflashing/

    Firetabbing
    The JavaScript security manager usually prevents that a javascript: URL
    from one host is opened in a window displaying content from another host.
    But when the link is dropped to a tab, the security manager does not kick
    in. This can lead to several security problems scaling from stealing
    session cookies to the ability to run arbitrary code on the client system
    (depending on the displayed site or security settings).

    Tabbed browsing is a great feature to organize multiple website, but after
    a while also tabs become too much. Now you have two options: Close tabs
    and open new ones (CTRL+W to close a tab, followed by a CTRL+click on a
    link to open a new one), or just recycle already open tabs by dragging
    links to them - the solution i prefer.

    Proof of Concept
     <http://www.mikx.de/firetabbing/> http://www.mikx.de/firetabbing/

    Firedragging
    Usually Firefox does not allow that an executable, non-image file gets
    directly dragged to the desktop (e.g. by supplying malware.exe as the src
    of an image tag). Instead Firefox creates a link to the file on the
    desktop. If you create a hybrid of a gif image and a batch file you can
    trick Firefox. Since the hybrid renders as a valid image, Firefox tries to
    copy the image to the desktop when dropped. By creating the image
    dynamically and forcing the content type image/gif, the file can be of any
    extension (e.g. image.bat or image.exe).

    The windows batch file parser is pretty forgiving. It just ignores the
    first line of "gif trash" and executes whatever you append to the end of
    the hybrid file.

    Since windows hides known file extensions by default, a user can only tell
    that something went wrong by looking at the file icon, which is different
    of course. If the user does not care or know what this different icon
    means, a double click to view or edit the "image" he just dropped executes
    the batch file instead.

    Proof of Concept
     <http://www.mikx.de/firedragging/> http://www.mikx.de/firedragging/

    Firescrolling
    Using XPCOM, the "firescrolling" allow an arbitrary code execution by
    convincing the user to scroll twice.

    Proof of Concept
     <http://www.mikx.de/firescrolling/> http://www.mikx.de/firescrolling/
     <http://www.mikx.de/firescrolling2/> http://www.mikx.de/firescrolling2/

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527>
    CAN-2005-0527
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0401>
    CAN-2005-0401
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0230>
    CAN-2005-0230
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231>
    CAN-2005-0231

    Bug Reports:
     <https://bugzilla.mozilla.org/show_bug.cgi?id=280056>
    https://bugzilla.mozilla.org/show_bug.cgi?id=280056.
     <https://bugzilla.mozilla.org/show_bug.cgi?id=279945>
    https://bugzilla.mozilla.org/show_bug.cgi?id=279945.
     <https://bugzilla.mozilla.org/show_bug.cgi?id=281807>
    https://bugzilla.mozilla.org/show_bug.cgi?id=281807.
     <https://bugzilla.mozilla.org/show_bug.cgi?id=285438>
    https://bugzilla.mozilla.org/show_bug.cgi?id=285438

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mikx@mikx.de> mikx.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] ACS Blog Cross Site Vulnerability"

    Relevant Pages