Date: Tue, 13 Jul 2004 10:01:03 -0700
From: Daniel Veditz <dveditz@...zio.com>
To: Mind Warper <mindwarper@...uxmail.org>
Cc: bugtraq@...urityfocus.com,
	"'security@...illa.org'" <security@...illa.org>
Subject: Re: Two Vulnerabilities in Mozilla may lead to remote compromise


Mind Warper wrote:
> Vendor : informed on 11/06/04
> Mailed advisory: 13/06/04 

In the future please send notification to security at mozilla.org. The only
thing we could find was a bug filed two days ago.

> There are two vulnerabilities in Mozilla that may lead to remote code execution under local zone.

Mozilla does not have a local zone.

> The problem is that Firefox stores its cache in a known directory,

It does not; each user's profile directory is unique. Upon receiving this
we're reconsidering whether three bytes of randomness is sufficient, but in
any case it isn't trivial as you suggest. (Also the "Administrator" part of
the path will differ depending on the Windows login name, but an attacker
could stick with "Owner" and get 99% of all WinXP Home users.)

> The second vulnerability allows the attacker to modify the mime type by using the infamous NULL byte.

This is clearly a bug, thank you. From our brief look this morning we're not
convinced it's exploitable, but it's troubling and we'll fix it.

> 2. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
> 3. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
> 	[ These 2 cache files store the html data ]

Those files will have pieces of different documents. If it contains just
your planted file that would be quite a coincidence.

-Dan Veditz
Mozilla Security Group
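Dan's reply above calls the embedded NULL byte in the MIME type "clearly a bug". As an added example that is not from this thread or from Mozilla's code, the C below contrasts how a strlen-based consumer sees a header value with a length-aware parser that rejects any value carrying an embedded NUL; the sample header value and all function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a header value whose declared length extends past an
 * embedded NUL. A C-string consumer believes the value ends at that NUL. */
static const char SAMPLE_VALUE[] = "text/plain\0application/octet-stream";
static const size_t SAMPLE_LEN = sizeof(SAMPLE_VALUE) - 1; /* 35 bytes */

/* How a strlen-based consumer sees the value: it stops at the first NUL. */
size_t cstring_visible_len(const char *value) {
    return strlen(value);
}

/* Length-aware check: true if a NUL sits anywhere inside the declared length. */
bool has_embedded_nul(const char *value, size_t len) {
    return memchr(value, '\0', len) != NULL;
}

/* Hardened parser: copies the media type (text before ';' or end of value)
 * into out, refusing values that contain an embedded NUL, are empty, or do
 * not fit the output buffer. Returns the media type length, or -1 on rejection. */
int parse_media_type(const char *value, size_t len, char *out, size_t outsz) {
    if (has_embedded_nul(value, len))
        return -1;
    size_t n = 0;
    while (n < len && value[n] != ';')
        n++;
    while (n > 0 && (value[n - 1] == ' ' || value[n - 1] == '\t'))
        n--; /* trim trailing whitespace before the parameter separator */
    if (n == 0 || n + 1 > outsz)
        return -1;
    memcpy(out, value, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[64];
    printf("strlen sees %zu of %zu bytes\n", cstring_visible_len(SAMPLE_VALUE), SAMPLE_LEN);
    printf("hardened parser on sample: %d\n",
           parse_media_type(SAMPLE_VALUE, SAMPLE_LEN, buf, sizeof buf));
    const char ok[] = "text/html; charset=utf-8";
    int r = parse_media_type(ok, sizeof ok - 1, buf, sizeof buf);
    printf("hardened parser on clean value: %d -> %s\n", r, r >= 0 ? buf : "(rejected)");
    return 0;
}
```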

