Re: Firefox focus stealing vulnerability (possibly other browsers)

["pdp (architect)" <pdp.gnucitizen () googlemail com>]

Well, :) I cannot see how you can force someone to type / at least
twice. Even if the targeted user writes a blog entry it is very
unlikely that he/she will use / . I guess this vector works well on
wikies and other systems that allow you to specify the text format
through meta-characters.

The cool think about stealing the address bar focus is that a confused
user will try to repeat typing the url again and that may give you
enough slashes and other characters to steal /etc/shadow or
/etc/passwd for example, which means that this attack vector can work
virtually every where. For example:

Joe visits eveil.com. He is not interested in the site but evil.com is
interested in his files. Joe types http://[what ever]. evil.com
hijacks the address bar focus. This is how they get the first /. Joe
will probably repeat to type stuff in the address bar again. The rest
of the characters are not obtained.

Now of course Joe will realise that he is not typing in the address
bar but he will probably think that either the browser is screwed up
or that he forgot to select the address bar first (it happens all the
time).

So, this is why I think that combination of both issues can create one
hell of a good attack.

Here is another idea.

Joe visits Betty's MySpace private page. The page contains XSS. On the
page there is an input box and a captcha. The user is asked to enter
the text in the captcha in order to access the page. The captcha is:

pde/t/aswsc

Joe enters the text but the he receives a complain that his input is
incorrect. The attacker repeats the process until all required
characters are entered into the FILE INPUT box.

simple.

On 2/11/07, Michal Zalewski <lcamtuf () dione ids pl> wrote:
> On Sun, 11 Feb 2007, pdp (architect) wrote:
>
> > here is an idea... we can combine both techniques into a single
> > attack... the hardest part of your hack is to force the user to type
> > :// plus several other /
>
> Actually, MSIE doesn't require drive specification in the filename, and
> will probably accept relative paths as well (so you might not need \
> either when picking files from the desktop or 'my documents' or whatnot).
>
> Firefox won't settle for a path without drive specification (but it will
> accept SMB requests ;-). On *nix systems, of course, aiming /etc/passwd is
> easier than C:\whatever.
>
> The problem with intercepting address bar input is that you can't echo the
> entered text back there without unloading the current document and its
> scripts; in my examples, I tried to make sure that it's hard for the user
> to notice that his input is not going where it should (in MSIE example,
> this includes simulation of a blinking cursor).
>
> /mz


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/