SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Browser)  >  Mozilla Firefox Vendors:  Mozilla.org
Mozilla Firefox XPCOM Access Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013301
SecurityTracker URL:  http://securitytracker.com/id?1013301
CVE Reference:  CAN-2005-0527   (Links to External Site)
Date:  Feb 25 2005
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.0
Description:  A vulnerability was reported in Mozilla Firefox in the XPCOM implementation. A remote user can execute arbitrary code on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code with the privileges of the target user. The HTML can include Firefox XPCOM code to perform actions (such as writing to a local file) that are triggered by scrollbar actions.

The exploit can be automated in conjunction with other previously reported vulnerabilities in Firefox so that user interaction is not required.

A demonstration exploit is available at:

http://www.mikx.de/firescrolling/

Michael Krax discovered this vulnerability.
Impact:  A remote user can execute arbitrary code on the target user's system.
Solution:  A fixed version (1.0.1) is available at:

http://www.mozilla.org/products/firefox/all.html
Vendor URL:  www.mozilla.org/products/firefox/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "mikx" <mikx@mikx.de>
Message History:   None.

 Source Message Contents
Date:  Fri, 25 Feb 2005 09:10:30 +0100
From:  "mikx" <mikx@mikx.de>
Subject:  [Full-Disclosure] Firescrolling [Firefox 1.0]

 

__Summary

Remember my Internet Explorer "scrollbar exploit" based on http-equiv's 
"What a Drag"? When will people ever learn that "unusual user interaction" 
can be hidden by common tasks...

Let's combine fireflashing, firetabbing, xul and javascript to run arbitrary 
code by dragging a scrollbar two times.

__Proof-of-Concept

http://www.mikx.de/firescrolling/

__Status

The exploit is based on multiple vulnerabilities:

bugzilla.mozilla.org #280664 (fireflashing)
bugzilla.mozilla.org #280056 (firetabbing)
bugzilla.mozilla.org #281807 (firescrolling)

Upgrade to Firefox 1.0.1 or disable javascript.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0527 to this issue.

__Affected Software

Tested with Firefox 1.0 on Windows and Linux (Fedora Core)

__Contact Informations

Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=11

mikx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC