SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013913
SecurityTracker URL:  http://securitytracker.com/id/1013913
CVE Reference:   CVE-2005-1476, CVE-2005-1477   (Links to External Site)
Updated:  May 11 2005
Original Entry Date:  May 8 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0.3
Description:   Several vulnerabilities were reported in Firefox. A remote user can execute arbitrary code on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause a Firefox chrome page to load a 'javascript:' URL with privileges. The addon install function can be made to display an icon containing a 'javascript:' URL to achieve this.

Because the vulnerable install function can only be loaded via 'update.mozilla.org' or 'addon.mozilla.org', the remote user must exploit a separate vulnerability to trigger the flaw. The onload() event can be exploited via a frame within a javascript page to access ostensibly restricted elements of the window object, such as the history. The history object can be accessed to navigate back to the calling javascript page and execute the page within the context of a window (displaying 'mozilla.org' web page content).

A demonstration exploit is available at:

http://greyhatsecurity.org/vulntests/ffrc.htm

Paul from Greyhats Security reported this vulnerability. Michael Krax assisted in researching this vulnerability.

Impact:   A remote user can execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mozilla.org/products/firefox/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 8 2005 (Additional Exploit Code is Available) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
Some exploit code is available.
May 9 2005 (Vendor Describes Workaround) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
The vendor has described a workaround.
May 12 2005 (Vendor Issues Fix) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
The vendor has issued a fixed version.
May 21 2005 (Netscape Issues Fix) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
Netscape has issued a fix.
May 23 2005 (Red Hat Issues Fix) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix.
May 23 2005 (Red Hat Issues Fix for Mozilla Suite) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix.
Jun 29 2005 (HP Issues Fix for Secure Web Browser for OpenVMS) Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
HP has issued a fix for Secure Web Browser for HP OpenVMS Alpha.



 Source Message Contents

Subject:  [Full-disclosure] Firefox Remote Compromise Technical Details


Firefox Remote Compromise Technical Details

Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install
 pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this
 would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already
 in development and so any more work going into fine-tuning this exploit would be a waist of time.

There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de) helped me with
 the research. 

To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially
 a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However,
 it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual
 would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the
 addon install function into displaying an icon with a javascript url.

However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within
 update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install
 feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page)
 within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This
 is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldnt, such as the history
 object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed
 again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now
 we call the install addon feature, which displays a dialog with det
 ails of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets
 executed in the context of chrome. Now we have compromised the system :)

Whew, that was quite a mouthful.

I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that
 it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will
 only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.

Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple
 of tricks up our sleeves, and you can be sure that we will not make the same mistake twice. 

If you want to see the original PoC, here is the url:
http://greyhatsecurity.org/vulntests/ffrc.htm

Paul
Greyhats Security
http://greyhatsecurity.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC