Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-Disclosure] Firespoofing [Firefox 1.0]

from [Soderland, Craig] Network Security [Permanent Link]
Subject: RE: [Full-Disclosure] Firespoofing [Firefox 1.0]
Date: Tue, 11 Jan 2005 15:37:20 +0100 
This does not work if you are using the FireFox 1.0 tabbed browsing
feature, as your pop up window simply opens a new tab, and it then
becomes immediately obvious what you are trying to pull off here. 




-----Original Message-----
From: full-disclosure-bounces@lists.netsys.com

[mailto:full-disclosure-

bounces@lists.netsys.com]
Sent: Monday, January 10, 2005 6:22 PM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
NTBUGTRAQ@listserv.ntbugtraq.com
Subject: [Full-Disclosure] Firespoofing [Firefox 1.0]

__Summary

Using javascript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can
fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if

codebase

principals are enabled).

__Expected Behavior

Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.

__Proof-of-Concept

http://www.mikx.de/firespoofing/

The PoC is designed for Firefox 1.0 running in a maximized window.

Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a

file

with a standard windows file association (in this case a .ht file).

BTW,

remember the latest .ht buffer overflow...

Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals

are

enabled (not default but encouraged by many XUL sites). Creates the

file

c:\booom.txt to proof local system access.

__Status

The bug is confirmed but currently unfixed (open for more than 3

months).

As
a partial workaround set dom.disable_window_flip to true in

about:config.

The vendor failed to respond to multiple status requests which led to

this

public disclosure.

2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure

__Affected Software

Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP

SP2.


__Contact Informations

Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=7

mikx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Full-Disclosure] UPDATED: the insider exploit( = the latest ie0day which involves SHOWMODALDIALOG), Ferruh Mavituna
Next by Date:  Alert: Microsoft Security Bulletin MS05-001 - Vulnerability in HTML Help Could Allow Code Execution (890175), Russ Cooper
Previous by Thread:  Re: Firespoofing [Firefox 1.0], Matthias Fichtner
Next by Thread:  RE: [Full-Disclosure] UPDATED: the insider exploit( = the latest ie 0day which involves SHOWMODALDIALOG), Rafel Ivgi, The-Insider
Indexes:  [Date] [Thread] [Top] [All Lists]