|
Brought to you by:
Suppliers of:
|
|
|
| |
| Mozilla's web browsers contains multiple vulnerabilities of "Firescrolling", "Fireflashing", "Firetabbing" and "Firedragging". These vulnerabilities allow web sites to steal information from the user sessions and cookies to execute arbitrary code, install malicious XUL plugins and change configuration of Firefox. |
| |
Credit:
The information has been provided by mikx.
|
| |
Vulnerable Systems:
* Mozilla Firefox version 1.0
* Mozilla Suite version 1.7.5
Immune Systems:
* Mozilla Firefox version 1.0.2
* Mozilla Suite version 1.7.6
Fireflashing
By making the user double-click at a specific screen position (e.g. using a DHTML game) you can silently toggle the status of boolean config parameters.
As long as the number of about:config parameters is unchanged (unlikely a casual user will change them) you can move the parameter you want to the specified screen position by using CSS.
You can also load about:config using the real player plugin and merged URL events.
Proof of Concept
http://www.mikx.de/fireflashing/
Firetabbing
The JavaScript security manager usually prevents that a javascript: URL from one host is opened in a window displaying content from another host. But when the link is dropped to a tab, the security manager does not kick in. This can lead to several security problems scaling from stealing session cookies to the ability to run arbitrary code on the client system (depending on the displayed site or security settings).
Tabbed browsing is a great feature to organize multiple website, but after a while also tabs become too much. Now you have two options: Close tabs and open new ones (CTRL+W to close a tab, followed by a CTRL+click on a link to open a new one), or just recycle already open tabs by dragging links to them - the solution i prefer.
Proof of Concept
http://www.mikx.de/firetabbing/
Firedragging
Usually Firefox does not allow that an executable, non-image file gets directly dragged to the desktop (e.g. by supplying malware.exe as the src of an image tag). Instead Firefox creates a link to the file on the desktop. If you create a hybrid of a gif image and a batch file you can trick Firefox. Since the hybrid renders as a valid image, Firefox tries to copy the image to the desktop when dropped. By creating the image dynamically and forcing the content type image/gif, the file can be of any extension (e.g. image.bat or image.exe).
The windows batch file parser is pretty forgiving. It just ignores the first line of "gif trash" and executes whatever you append to the end of the hybrid file.
Since windows hides known file extensions by default, a user can only tell that something went wrong by looking at the file icon, which is different of course. If the user does not care or know what this different icon means, a double click to view or edit the "image" he just dropped executes the batch file instead.
Proof of Concept
http://www.mikx.de/firedragging/
Firescrolling
Using XPCOM, the "firescrolling" allow an arbitrary code execution by convincing the user to scroll twice.
Proof of Concept
http://www.mikx.de/firescrolling/
http://www.mikx.de/firescrolling2/
CVE Information:
CAN-2005-0527
CAN-2005-0401
CAN-2005-0230
CAN-2005-0231
Bug Reports:
https://bugzilla.mozilla.org/show_bug.cgi?id=280056.
https://bugzilla.mozilla.org/show_bug.cgi?id=279945.
https://bugzilla.mozilla.org/show_bug.cgi?id=281807.
https://bugzilla.mozilla.org/show_bug.cgi?id=285438
|
|
|
|
|
