Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Firefox vulnerability


  • Please log in to reply
2 replies to this topic

#1 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:12:53 AM

Posted 12 January 2005 - 12:25 AM

__Summary

Using javascript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if codebase
principals are enabled).

__Expected Behavior

Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.

__Proof-of-Concept

http://www.mikx.de/firespoofing/

The PoC is designed for Firefox 1.0 running in a maximized window.

Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file
with a standard windows file association (in this case a .ht file). BTW,
remember the latest .ht buffer overflow...

Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are
enabled (not default but encouraged by many XUL sites). Creates the file
c:\booom.txt to proof local system access.

__Status

The bug is confirmed but currently unfixed (open for more than 3 months). As
a partial workaround set dom.disable_window_flip to true in about:config.
The vendor failed to respond to multiple status requests which led to this
public disclosure.

2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure

__Affected Software

Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.

__Contact Informations

Michael Krax <mikx mikx de>
http://www.mikx.de/?p=7

mikx


rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


BC AdBot (Login to Remove)

 


#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:09:53 PM

Posted 12 January 2005 - 12:31 AM

Using javascript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if codebase
principals are enabled).

Could you give us a colloquial example.

Sort of a "this might happen" few sentences that cover the main points of the IT language (and very accurate, no doubt) summary?

I block popups.
I am OK. (yes) (no) :thumbsup:

Edited by phawgg, 12 January 2005 - 12:32 AM.

patiently patrolling, plenty of persisant pests n' problems ...

#3 raw

raw

    Bleeping Hacker

  • Topic Starter

  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:12:53 AM

Posted 12 January 2005 - 12:56 AM

Click on the Proof-of-Concept link to see how it works.
http://www.mikx.de/firespoofing/

Part 2 - security dialog spoofing
Shows how to cover a security dialog.
Creates the file  c:\booom.txt to proof local system access.


Blocking pop-ups will not suffice because this is a security dialog box.

Edited by raw, 12 January 2005 - 12:58 AM.

rawsig.png

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users