Full Disclosure mailing list archives
Re: Firefox focus stealing vulnerability (possibly other browsers)
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Sun, 11 Feb 2007 21:47:31 +0000
Well, :) I cannot see how you can force someone to type / at least twice. Even if the targeted user writes a blog entry it is very unlikely that he/she will use /. I guess this vector works well on wikis and other systems that allow you to specify the text format through meta-characters.

The cool thing about stealing the address bar focus is that a confused user will try to repeat typing the URL again, and that may give you enough slashes and other characters to steal /etc/shadow or /etc/passwd for example, which means that this attack vector can work virtually everywhere.

For example: Joe visits evil.com. He is not interested in the site but evil.com is interested in his files. Joe types http://[whatever]. evil.com hijacks the address bar focus. This is how they get the first /. Joe will probably repeat typing stuff in the address bar again. The rest of the characters are not obtained. Now of course Joe will realise that he is not typing in the address bar, but he will probably think that either the browser is screwed up or that he forgot to select the address bar first (it happens all the time). So, this is why I think that a combination of both issues can create one hell of a good attack.

Here is another idea. Joe visits Betty's MySpace private page. The page contains XSS. On the page there is an input box and a captcha. The user is asked to enter the text in the captcha in order to access the page. The captcha is: pde/t/aswsc. Joe enters the text, but then he receives a complaint that his input is incorrect. The attacker repeats the process until all required characters are entered into the FILE INPUT box. Simple.

On 2/11/07, Michal Zalewski <lcamtuf () dione ids pl> wrote:
> On Sun, 11 Feb 2007, pdp (architect) wrote:
>> here is an idea... we can combine both techniques into a single attack...
>> the hardest part of your hack is to force the user to type :// plus
>> several other /
>
> Actually, MSIE doesn't require drive specification in the filename, and
> will probably accept relative paths as well (so you might not need \
> either when picking files from the desktop or 'my documents' or whatnot).
> Firefox won't settle for a path without drive specification (but it will
> accept SMB requests ;-). On *nix systems, of course, aiming /etc/passwd is
> easier than C:\whatever.
>
> The problem with intercepting address bar input is that you can't echo the
> entered text back there without unloading the current document and its
> scripts; in my examples, I tried to make sure that it's hard for the user
> to notice that his input is not going where it should (in MSIE example,
> this includes simulation of a blinking cursor).
>
> /mz
-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
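The "captcha" variant above, written out as an added example; this is not code from the thread or from either poster. It models the one decision the attack has to make on every keystroke: is this character the next one the target path needs? If yes, focus is moved to the hidden file input before the character is inserted; if not, the keystroke goes to the visible box, and any needed character the victim has already passed must wait for the next "incorrect, try again" round. The address-bar scenario uses the same rule with a different keystroke source. The captcha string pde/t/aswsc and the target path /etc/passwd are taken from the message; the two input stand-ins, the function names and the stall check are this example's own constructions. There is no DOM here, so it runs under node. Note that this describes a 2007-era weakness: current browsers do not accept typed paths in a file input at all, so the routing logic is demonstrable but the file theft is not.

```javascript
'use strict';

// Added example, not from the original thread. Stand-in for a DOM input:
// in a real page these would be the visible captcha box and the hidden
// <input type="file">; whichever one has focus receives the typed character.
class InputStandIn {
  constructor(name) { this.name = name; this.value = ''; }
  type(ch) { this.value += ch; }
}

// Builds the per-keystroke router. state.pos counts how many characters of
// targetPath have already been diverted into the file input.
function makeRouter(targetPath, visibleBox, fileInput) {
  const state = { pos: 0 };
  function onKey(ch) {
    const wanted = state.pos < targetPath.length && ch === targetPath[state.pos];
    const sink = wanted ? fileInput : visibleBox;   // "focus()" happens here
    if (wanted) state.pos += 1;
    sink.type(ch);                                  // keystroke lands in the focused input
    return sink.name;
  }
  function done() { return state.pos === targetPath.length; }
  return { onKey, done, state };
}

// Runs the whole attack: the same captcha is presented again and again
// ("your input is incorrect") until the file input holds the full path.
// A round that diverts nothing means the captcha lacks the next needed
// character, so the attack can never finish with this captcha; stop there.
function runCaptchaAttack(targetPath, captcha, maxRounds = 50) {
  const visibleBox = new InputStandIn('captcha-box');
  const fileInput = new InputStandIn('file-input');
  const router = makeRouter(targetPath, visibleBox, fileInput);
  let rounds = 0;
  while (!router.done() && rounds < maxRounds) {
    rounds += 1;
    const before = router.state.pos;
    for (const ch of captcha) router.onKey(ch);
    if (router.state.pos === before) break;         // stalled: captcha cannot supply next char
  }
  return {
    rounds,
    complete: router.done(),
    stolen: fileInput.value,   // what the hidden file input now contains
    visible: visibleBox.value, // what the victim saw themselves typing
  };
}

// Constructed demo input from the message: six rounds of "pde/t/aswsc"
// assemble /etc/passwd; /etc/shadow stalls because the captcha has no 'h'.
const demo = runCaptchaAttack('/etc/passwd', 'pde/t/aswsc');
console.log(`rounds=${demo.rounds} stolen=${demo.stolen} complete=${demo.complete}`);
const stalled = runCaptchaAttack('/etc/shadow', 'pde/t/aswsc');
console.log(`rounds=${stalled.rounds} stolen=${stalled.stolen} complete=${stalled.complete}`);
```

The stall check is the practitioner's sanity test on this idea: the captcha the attacker shows has to contain every character of the path, and the number of rounds is bounded by how badly out of order they are, which is why a path like /etc/passwd with repeated letters needs more "try again" prompts than its length suggests.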