Firefox onload() History Access Bug and Install Function Scripting Execution Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1013913|
SecurityTracker URL: http://securitytracker.com/id/1013913
(Links to External Site)
Updated: May 11 2005|
Original Entry Date: May 8 2005
Execution of arbitrary code via network, User access via network|
Exploit Included: Yes |
Several vulnerabilities were reported in Firefox. A remote user can execute arbitrary code on the target user's system.|
A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
A demonstration exploit is available at:
Paul from Greyhats Security reported this vulnerability. Michael Krax assisted in researching this vulnerability.
A remote user can execute arbitrary code on the target user's system.|
No solution was available at the time of this entry.|
Vendor URL: www.mozilla.org/products/firefox/ (Links to External Site)
Access control error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: [Full-disclosure] Firefox Remote Compromise Technical Details|
Firefox Remote Compromise Technical Details
Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install
pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this
would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already
in development and so any more work going into fine-tuning this exploit would be a waist of time.
There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de) helped me with
To understand why the example works, one must understand the basics of how Firefox works. Everything you see in firefox is essentially
a webpage being rendered by a compiler. This is what the gui is made of, and this is why firefox is so easy to customize. However,
would be given complete access to the system because chrome urls are given full rights in firefox. My example works by tricking the
However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within
update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install
within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This
is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldnt, such as the history
we call the install addon feature, which displays a dialog with det
executed in the context of chrome. Now we have compromised the system :)
Whew, that was quite a mouthful.
I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that
it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will
only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.
Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple
of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.
If you want to see the original PoC, here is the url:
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/