From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 28 Mar 2005 10:18:59 +0200
Subject: [NEWS] Mozilla Browsers OnFire (Firescrolling, Fireflashing, Firetabbing, Firedragging)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050328085146.6AFF05817@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mozilla Browsers OnFire (Firescrolling, Fireflashing, Firetabbing,
Firedragging)
------------------------------------------------------------------------
SUMMARY
Mozilla's web browsers contains multiple vulnerabilities of
"Firescrolling", "Fireflashing", "Firetabbing" and "Firedragging". These
vulnerabilities allow web sites to steal information from the user
sessions and cookies to execute arbitrary code, install malicious XUL
plugins and change configuration of Firefox.
DETAILS
Vulnerable Systems:
* Mozilla Firefox version 1.0
* Mozilla Suite version 1.7.5
Immune Systems:
* Mozilla Firefox version 1.0.2
* Mozilla Suite version 1.7.6
Fireflashing
By making the user double-click at a specific screen position (e.g. using
a DHTML game) you can silently toggle the status of boolean config
parameters.
As long as the number of about:config parameters is unchanged (unlikely a
casual user will change them) you can move the parameter you want to the
specified screen position by using CSS.
You can also load about:config using the real player plugin and merged URL
events.
Proof of Concept
<http://www.mikx.de/fireflashing/>; http://www.mikx.de/fireflashing/
Firetabbing
The JavaScript security manager usually prevents that a javascript: URL
from one host is opened in a window displaying content from another host.
But when the link is dropped to a tab, the security manager does not kick
in. This can lead to several security problems scaling from stealing
session cookies to the ability to run arbitrary code on the client system
(depending on the displayed site or security settings).
Tabbed browsing is a great feature to organize multiple website, but after
a while also tabs become too much. Now you have two options: Close tabs
and open new ones (CTRL+W to close a tab, followed by a CTRL+click on a
link to open a new one), or just recycle already open tabs by dragging
links to them - the solution i prefer.
Proof of Concept
<http://www.mikx.de/firetabbing/>; http://www.mikx.de/firetabbing/
Firedragging
Usually Firefox does not allow that an executable, non-image file gets
directly dragged to the desktop (e.g. by supplying malware.exe as the src
of an image tag). Instead Firefox creates a link to the file on the
desktop. If you create a hybrid of a gif image and a batch file you can
trick Firefox. Since the hybrid renders as a valid image, Firefox tries to
copy the image to the desktop when dropped. By creating the image
dynamically and forcing the content type image/gif, the file can be of any
extension (e.g. image.bat or image.exe).
The windows batch file parser is pretty forgiving. It just ignores the
first line of "gif trash" and executes whatever you append to the end of
the hybrid file.
Since windows hides known file extensions by default, a user can only tell
that something went wrong by looking at the file icon, which is different
of course. If the user does not care or know what this different icon
means, a double click to view or edit the "image" he just dropped executes
the batch file instead.
Proof of Concept
<http://www.mikx.de/firedragging/>; http://www.mikx.de/firedragging/
Firescrolling
Using XPCOM, the "firescrolling" allow an arbitrary code execution by
convincing the user to scroll twice.
Proof of Concept
<http://www.mikx.de/firescrolling/>; http://www.mikx.de/firescrolling/
<http://www.mikx.de/firescrolling2/>; http://www.mikx.de/firescrolling2/
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527>;
CAN-2005-0527
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0401>;
CAN-2005-0401
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0230>;
CAN-2005-0230
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231>;
CAN-2005-0231
Bug Reports:
<https://bugzilla.mozilla.org/show_bug.cgi?id=280056>
https://bugzilla.mozilla.org/show_bug.cgi?id=280056.
<https://bugzilla.mozilla.org/show_bug.cgi?id=279945>
https://bugzilla.mozilla.org/show_bug.cgi?id=279945.
<https://bugzilla.mozilla.org/show_bug.cgi?id=281807>
https://bugzilla.mozilla.org/show_bug.cgi?id=281807.
<https://bugzilla.mozilla.org/show_bug.cgi?id=285438>
https://bugzilla.mozilla.org/show_bug.cgi?id=285438
ADDITIONAL INFORMATION
The information has been provided by <mailto:mikx@mikx.de.> mikx.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
