RE: Two Vulnerabilities in Mozilla may lead to remote compromise

From: Darren Pilgrim (dmp_at_bitfreak.org)
Date: 07/13/04

  • Next message: Sym Security: "RE: Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]"
    To: "'Mind Warper'" <mindwarper@linuxmail.org>, <bugtraq@securityfocus.com>
    Date: Tue, 13 Jul 2004 12:33:28 -0700
    > From: Mind Warper [mailto:mindwarper@linuxmail.org]
    >
    > Since the known cache file names have no extension by default
    > on windows, if the attacker uses the NULL
    > byte bug, he/she can cause mozilla to show the contents of
    > one of the cache files as an html file,
    > and therefore cause mozilla to execute whatever scripts that
    > exist in the cache files.

    Within the limitations of the security settings for the browser. If you
    have Java/JS disabled, the attack won't work.

    > The first vulnerability does not require an exploit.
    > On windows 2000, there are 3 cache files with known names. They are:
    >
    > 1. C:\Documents and Settings\Administrator\Application
    > Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_
    > [ This cache file stores the http headers ]
    >
    > 2. C:\Documents and Settings\Administrator\Application
    > Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
    > 3. C:\Documents and Settings\Administrator\Application
    > Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
    > [ These 2 cache files store the html data ]

    The profile folder isn't consistent. The default folder created during the
    install has an extension that changes. On my machine, for example, the
    folder created was default.cuo. If you set up additional profiles, the
    default folder name is "Default User" and you can change it from within the
    profile creation wizard. You also have to know the Windows username to
    create the path.

    While the above does work if you change the path to match your
    configuration, the _CACHE_002_ and _CACHE_003_ files don't contain complete
    copies of the HTML files, so it's not guaranteed that a malicious script
    would be there. The actual cache files are named with non-sequential,
    32-bit numbers.
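As an added illustration that is not part of this thread or of Mozilla's own code, the block below models the general NUL-byte truncation class the posts refer to: a check performed on the full string disagrees with what a C-style consumer (which stops at the first NUL byte) actually opens. The `vulnerable_open_decision` / `hardened_open_decision` functions, the extension allow-list and the sample paths are all constructed for this example.

```python
"""Constructed model (not Mozilla code) of the NUL-byte truncation class.

A high-level string can carry an embedded NUL, but a C API reading the same
buffer stops at the first NUL.  If the extension check runs on the full
string and the open runs on the truncated one, an extension-less file can
pass a ".html" check and still be the file that gets opened.
"""


def c_string_view(path: str) -> str:
    """Emulate how a C API sees a buffer: everything after the first NUL is dropped."""
    nul = path.find("\x00")
    return path if nul == -1 else path[:nul]


def has_allowed_extension(path: str, allowed=(".html", ".htm")) -> bool:
    """Allow-list check on the file extension (case-insensitive)."""
    return path.lower().endswith(allowed)


def vulnerable_open_decision(path: str) -> tuple[bool, str]:
    """Check the extension on the full string, then open via a C-style consumer.

    Returns (allowed, path_actually_opened).  The mismatch between the two
    views is the defect: the check and the open see different file names.
    """
    if not has_allowed_extension(path):
        return False, ""
    return True, c_string_view(path)


def hardened_open_decision(path: str) -> tuple[bool, str]:
    """Reject embedded NULs up front, then check the name that will really be used."""
    if "\x00" in path:
        return False, ""
    if not has_allowed_extension(path):
        return False, ""
    return True, path


if __name__ == "__main__":
    # Constructed sample input: an extension-less name followed by NUL + ".html".
    crafted = "C:\\profile\\Cache\\_CACHE_001_\x00.html"
    print("vulnerable:", vulnerable_open_decision(crafted))
    print("hardened:  ", hardened_open_decision(crafted))
```

The hardened variant rejects the input outright rather than trying to repair it, because any later layer that treats the buffer as a C string would still see the truncated name; the defensive rule is to refuse NUL bytes in file names and to validate the exact string that will be passed to the opener.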

