__Summary
Even though Firefox 1.0.1 patched one of the key bugs behind my
firescrolling exploit (the ability of plugins to load chrome files in a
hidden frame) the ability to hijack a drag and drop operation and open a
privileged xul file is still available.
The demo opens "chrome://global/content/alerts/alert.xul" when dragging the
scrollbar the first time. This XUL file automaticly runs an inline script to
turn the window into a tray notification alert. This demo is just an example
of an annoying usage, but if the browser or an extension contains an inline
script that uses an eval/setTimeout with a parameter an attacker can
influence it turns into an arbitrary code execution bug. Also update or
uninstall scripts could be a valuable target. I doubt most extension
developers think about problems that could occure if a XUL file in their
extensions is opened directly.
__Proof-of-Concept
http://www.mikx.de/firescrolling2/
__Status
The bug is fixed in Firefox 1.0.2.
2005-03-09 Vendor informed (bugzilla.mozilla.org #285438)
2005-03-11 Vendor confirmed bug
2005-03-23 Vendor published fixed version and advisory
2005-03-24 Public disclosure
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0401 to this issue.
__Affected Software
Tested with Firefox 1.0.1
__Contact Informations
Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=12
mikx
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
