Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Firescrolling 2 [Firefox 1.0.1]

from [mikx] Network Security [Permanent Link]
Subject: Firescrolling 2 [Firefox 1.0.1]
Date: Thu, 24 Mar 2005 11:34:04 +0100 
__Summary

Even though Firefox 1.0.1 patched one of the key bugs behind my firescrolling exploit (the ability of plugins to load chrome files in a hidden frame) the ability to hijack a drag and drop operation and open a privileged xul file is still available.

The demo opens "chrome://global/content/alerts/alert.xul" when dragging the scrollbar the first time. This XUL file automaticly runs an inline script to turn the window into a tray notification alert. This demo is just an example of an annoying usage, but if the browser or an extension contains an inline script that uses an eval/setTimeout with a parameter an attacker can influence it turns into an arbitrary code execution bug. Also update or uninstall scripts could be a valuable target. I doubt most extension developers think about problems that could occure if a XUL file in their extensions is opened directly.

__Proof-of-Concept

http://www.mikx.de/firescrolling2/

__Status

The bug is fixed in Firefox 1.0.2.

2005-03-09 Vendor informed (bugzilla.mozilla.org #285438)
2005-03-11 Vendor confirmed bug
2005-03-23 Vendor published fixed version and advisory
2005-03-24 Public disclosure

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0401 to this issue.

__Affected Software

Tested with Firefox 1.0.1

__Contact Informations

Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=12

mikx


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SecurityForest Exploitation Framework Beta has been released!, Alon Swartz
Next by Date:  Re: Firescrolling 2 [Firefox 1.0.1], John Madden
Previous by Thread:  SecurityForest Exploitation Framework Beta has been released!, Alon Swartz
Next by Thread:  Re: Firescrolling 2 [Firefox 1.0.1], John Madden
Indexes:  [Date] [Thread] [Top] [All Lists]