Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1013913
SecurityTracker URL: http://securitytracker.com/id?1013913
CVE Reference: CAN-2005-1476, CAN-2005-1477
Updated: May 11 2005
Original Entry Date: May 8 2005
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 1.0.3
Description: Several vulnerabilities were reported in Firefox. A remote user can execute arbitrary code on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause a Firefox chrome page to load a 'javascript:' URL with chrome privileges. The add-on install function can be made to display an icon whose source is a 'javascript:' URL to achieve this.
Because the vulnerable install function can only be invoked from a page on 'update.mozilla.org' or 'addon.mozilla.org', the remote user must exploit a separate vulnerability to reach it. The onload() event can be exploited via a frame within a 'javascript:' page to access ostensibly restricted elements of the window object, such as the history. The history object can then be used to navigate back to the calling 'javascript:' page, so that its script is executed within the context of a window displaying 'mozilla.org' web page content.
A demonstration exploit is available at:
http://greyhatsecurity.org/vulntests/ffrc.htm
Paul from Greyhats Security reported this vulnerability. Michael Krax assisted in researching this vulnerability.
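The privileged half of this chain rests on an icon URL reaching the chrome install dialog unchecked. As an added example (not Firefox's own code and not the reporter's proof of concept), the JavaScript below shows the scheme allowlist a defender would put in front of such a dialog: it decides on the parsed scheme rather than on a string prefix, so case changes, leading whitespace and embedded tabs or newlines cannot carry a 'javascript:' URL past it. The function name and the sample URLs are hypothetical; the WHATWG URL parser is used as it exists in Node.js and current browsers.

```javascript
// Added example, not Firefox code: allowlist check for an add-on icon URL
// before it is handed to a privileged (chrome) install dialog. The defence is
// to accept only schemes that can never carry script, and to decide on the
// parsed scheme rather than on the raw string.

const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised icon URL when it is acceptable, or null when it must
// be rejected (relative, malformed, or a scheme outside the allowlist).
function sanitizeIconUrl(rawIconUrl) {
  if (typeof rawIconUrl !== "string") return null;
  let parsed;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces,
    // removes embedded tabs and newlines, and lower-cases the scheme, so
    // spellings such as " JavaScript:" or "java\tscript:" still parse to
    // "javascript:" and are rejected below.
    parsed = new URL(rawIconUrl);
  } catch (e) {
    // Relative or unparseable input: never let chrome resolve it itself.
    return null;
  }
  if (!ALLOWED_ICON_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Constructed sample inputs (hypothetical): two legitimate icon URLs followed
// by the shapes an install dialog should expect to refuse.
const SAMPLE_ICON_URLS = [
  "https://update.mozilla.org/icons/example.png",
  "HTTP://example.invalid/icon.gif",
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:image/png;base64,AAAA",
  "chrome://browser/content/x.png",
  "/relative/icon.png",
];

// Classifies every sample; returns [{ url, accepted }] where accepted is the
// normalised URL or null.
function classifyAll(urls) {
  return urls.map((u) => ({ url: u, accepted: sanitizeIconUrl(u) }));
}

for (const r of classifyAll(SAMPLE_ICON_URLS)) {
  console.log(r.accepted ? "ACCEPT " + r.accepted : "REJECT " + JSON.stringify(r.url));
}
```

Only the two http(s) samples pass; the 'javascript:', 'data:' and 'chrome:' forms and the relative path are all refused, because the check runs on the parser's canonical scheme rather than on what the manifest literally contained.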
Impact: A remote user can execute arbitrary code on the target user's system.
Solution: No solution was available at the time of this entry.
Vendor URL: www.mozilla.org/products/firefox/
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: tuytumadre@att.net
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Sun, 08 May 2005 14:36:40 +0000
From: tuytumadre@att.net
Subject: [Full-disclosure] Firefox Remote Compromise Technical Details
Firefox Remote Compromise Technical Details
Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waste of time.
There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de) helped me with the research.
To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the addon install function into displaying an icon with a javascript url.
However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldn't, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with details of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets executed in the context of chrome. Now we have compromised the system :)
Whew, that was quite a mouthful.
I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.
Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple
of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.
If you want to see the original PoC, here is the url:
http://greyhatsecurity.org/vulntests/ffrc.htm
Paul
Greyhats Security
http://greyhatsecurity.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/