Bugtraq mailing list archives
Re: Two Vulnerabilities in Mozilla may lead to remote compromise
From: Philliph <bugtraq () regedit sk>
Date: 13 Jul 2004 16:56:14 -0000
In-Reply-To: <20040713101632.21299.qmail () www securityfocus com>

Re: Vulnerability No. 1: Mozilla stores cache data in a directory with a random name, so it definitely isn't vulnerable (the directory is %appdata%\Mozilla\Profiles\_name_of_profile_\_random_name_\Cache).

Re: Vulnerability No. 2: Both Mozilla and Firefox are vulnerable. Tested versions: 1.7.1 (Mozilla), 0.9 (Firefox) running on Windows 2000/XP. BTW, the file can be without any extension, but also with an arbitrary extension, so for example file:///C:/blah.txt%.mp3 also works.

Phil
Date: 13 Jul 2004 10:16:32 -0000
Message-ID: <20040713101632.21299.qmail () www securityfocus com>
From: Mind Warper <mindwarper () linuxmail org>
To: bugtraq () securityfocus com
Subject: Two Vulnerabilities in Mozilla may lead to remote compromise

Two Vulnerabilities in Mozilla may lead to remote compromise.
=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=

----------------------
Vendor Information:
----------------------
Homepage        : http://www.mozilla.org
Vendor          : informed on 11/06/04
Mailed advisory : 13/06/04
Vendor Response : None yet

----------------------
Affected Versions:
----------------------
All versions of Mozilla and Firefox

----------------------
Description:
----------------------
There are two vulnerabilities in Mozilla that may lead to remote code execution under the local zone.

The first vulnerability affects Firefox, and may affect Mozilla as well. I have only tested Firefox under Windows 2000 and Windows XP, so I'm not sure if this issue exists on other OSes. The problem is that Firefox stores its cache in a known directory, and some of the cached HTML is stored in known files. If a victim visits the attacker's website, which includes malicious JavaScript, and then views the content of one of the cache files in the local zone, the script will get executed and the attacker will be able to compromise the victim's system. This vulnerability in Mozilla can't be abused as it is, but combined with a few other vulnerabilities the attacker could execute malicious code on the victim's computer without having the victim do anything except visit his website (very similar to the exploits in Internet Explorer).

The second vulnerability allows the attacker to modify the MIME type by using the infamous NULL byte. Mozilla by default uses the file extension to decide how to show a local file. For example, if a user requests file:///C:/blah.txt, Mozilla will show the contents of blah.txt, but if the user requests file:///C:/blah then Mozilla will pop up a window asking the user if he/she wants to download the file. By adding a NULL byte at the end of the filename, and the extension that you want Mozilla to handle right after it, you can make Mozilla open file:///C:/blah as an HTML file. Just like the vulnerability above, this can't be used alone to execute malicious code; the attacker needs to combine the above vulnerability with this one to succeed. Since the known cache file names have no extension by default on Windows, if the attacker uses the NULL byte bug, he/she can cause Mozilla to show the contents of one of the cache files as an HTML file, and therefore cause Mozilla to execute whatever scripts exist in the cache files.

----------------------
Exploit:
----------------------
The first vulnerability does not require an exploit.

On Windows 2000, there are 3 cache files with known names. They are:

1. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_
   [ This cache file stores the HTTP headers ]
2. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
3. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
   [ These 2 cache files store the HTML data ]

If we combine both vulnerabilities shown above we get something like this:

file://C:\\Documents and Settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\default.nop\\Cache\\_CACHE_002_%00.html

Mozilla will open this file without the %00.html, but it will treat it as an HTML file and won't pop up a download window.

----------------------
Solution:
----------------------
Visit mozilla.org to check for updates.

----------------------
Contact:
----------------------
- Mindwarper
- mindwarper () mlsecurity com
- http://mlsecurity.com
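The NULL-byte issue in the advisory above comes down to two components reading the same string differently: the type decision looks at the extension of the full percent-decoded path, while a C-string based file open stops at the first NUL. The Node.js model below is an added example, not code from the advisory, from Mozilla, or from either poster. It uses a constructed extension table and hypothetical `classifyVulnerable` / `classifyHardened` handlers, takes forward-slash file:/// URLs rather than the backslash form in the advisory, and also covers Philliph's follow-up point that any extension after the NUL works, not only .html.

```javascript
// Added example (not from the advisory or Mozilla): model of how an embedded
// NUL in a file: URL lets the extension-based type decision diverge from the
// file the OS actually opens.

// Constructed extension -> type table; a real browser's list is far longer.
const TYPE_BY_EXT = {
  html: "text/html",
  htm: "text/html",
  txt: "text/plain",
  mp3: "audio/mpeg",
};

// Strip the scheme and percent-decode, so "%00" becomes a real NUL character.
function filePathFromUrl(url) {
  const prefix = "file:///";
  if (!url.startsWith(prefix)) throw new Error("expected a file:/// URL");
  return decodeURIComponent(url.slice(prefix.length));
}

// What a C-string based open() receives: everything before the first NUL.
function osViewOfPath(decodedPath) {
  const nul = decodedPath.indexOf("\u0000");
  return nul === -1 ? decodedPath : decodedPath.slice(0, nul);
}

// Extension of the last path component, lower-cased; "" when there is none.
function extensionOf(path) {
  const sep = Math.max(path.lastIndexOf("/"), path.lastIndexOf("\\"));
  const base = path.slice(sep + 1);
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot + 1).toLowerCase();
}

// Known extension: render inline with that type; otherwise offer a download.
function decideByExtension(ext) {
  const type = TYPE_BY_EXT[ext];
  return type
    ? { type, action: "render" }
    : { type: "application/octet-stream", action: "download" };
}

// Vulnerable (hypothetical) handler: takes the extension from the full decoded
// string but opens the NUL-truncated path, so "blah%00.html" opens C:/blah and
// renders it as text/html.
function classifyVulnerable(url) {
  const decoded = filePathFromUrl(url);
  return {
    opened: osViewOfPath(decoded),
    ...decideByExtension(extensionOf(decoded)),
  };
}

// Hardened (hypothetical) handler: a NUL can never be part of a real filename,
// so refuse the URL outright; otherwise classify exactly the path the OS opens.
function classifyHardened(url) {
  const decoded = filePathFromUrl(url);
  if (decoded.includes("\u0000")) {
    return { opened: null, type: null, action: "reject" };
  }
  const opened = osViewOfPath(decoded);
  return { opened, ...decideByExtension(extensionOf(opened)) };
}

// Constructed sample URLs, including the advisory's cache-file example written
// with forward slashes and percent-encoded spaces.
const SAMPLE_URLS = [
  "file:///C:/blah.txt",
  "file:///C:/blah",
  "file:///C:/blah%00.html",
  "file:///C:/blah.txt%00.mp3",
  "file:///C:/Documents%20and%20Settings/Administrator/Application%20Data/Mozilla/Firefox/Profiles/default.nop/Cache/_CACHE_002_%00.html",
];

for (const url of SAMPLE_URLS) {
  console.log(url);
  console.log("  vulnerable:", classifyVulnerable(url));
  console.log("  hardened:  ", classifyHardened(url));
}
```

Run it with `node` and compare the two columns: for the cache-file URL the vulnerable handler reports `opened` ending in `Cache/_CACHE_002_` with type `text/html` and action `render`, which is exactly the combination the advisory describes, while the hardened handler rejects the URL because of the NUL. Rejecting is the right fix rather than truncating first and then classifying, since the latter would still let a NUL smuggle past any other string-based check that runs before the truncation.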
Current thread:
- Two Vulnerabilities in Mozilla may lead to remote compromise Mind Warper (Jul 13)
- Re: Two Vulnerabilities in Mozilla may lead to remote compromise Daniel Veditz (Jul 13)
- RE: Two Vulnerabilities in Mozilla may lead to remote compromise Jelmer (Jul 13)
- RE: Two Vulnerabilities in Mozilla may lead to remote compromise Pavel Kankovsky (Jul 15)
- RE: Two Vulnerabilities in Mozilla may lead to remote compromise Darren Pilgrim (Jul 13)
- <Possible follow-ups>
- Re: Two Vulnerabilities in Mozilla may lead to remote compromise Philliph (Jul 13)
- Re: Two Vulnerabilities in Mozilla may lead to remote compromise Mind Warper (Jul 13)