download dialogs by partly covering them with a popup window. This can fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if codebase
principals are enabled).
Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.
The PoC is designed for Firefox 1.0 running in a maximized window.
Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file
with a standard windows file association (in this case a .ht file). BTW,
remember the latest .ht buffer overflow...
Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are
enabled (not default but encouraged by many XUL sites). Creates the file
c:\booom.txt to proof local system access.
The bug is confirmed but currently unfixed (open for more than 3 months). As
a partial workaround set dom.disable_window_flip to true in about:config.
The vendor failed to respond to multiple status requests which led to this
2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure
Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.
Michael Krax <mikx mikx de>