lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 7 Feb 2005 18:48:08 +0100
From: "mikx" <mikx@...x.de>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>,
        <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
Subject: Firedragging [Firefox 1.0]


__Summary

Usually Firefox does not allow that an executable, non-image file gets 
directly dragged to the desktop (e.g. by supplying malware.exe as the src of 
an image tag). Instead Firefox creates a link to the file on the desktop.

If you create a hybrid of a gif image and a batch file you can trick 
Firefox. Since the hybrid renders as a valid image, Firefox tries to copy 
the image to the desktop when dropped. By creating the image dynamicly and 
forcing the content type image/gif, the file can be of any extension (e.g. 
image.bat or image.exe).

The windows batch file parser is pretty forgiving. It just ignores the first 
line of "gif trash" and executes whatever you append to the end of the 
hybrid file.

Since windows hides known file extensions by default, a user can only tell 
that something went wrong by looking at the file icon, which is different of 
course. If the user does not care or know what this different icon means, a 
double click to view or edit the "image" he just dropped executes the batch 
file instead.

__Proof-of-Concept

http://www.mikx.de/firedragging/

__Status

The bug is marked as fixed in bugzilla. Get a nightly build, compile on your 
own or wait for Firefox 1.0.1.

2005-01-26 Vendor informed (bugzilla.mozilla.org #279945)
2005-01-31 Vendor confirmed bug
2005-02-03 Vendor fixed bug
2005-02-07 Public disclosure

The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0230 to this issue.

__Affected Software

Tested with Firefox 1.0 and Mozilla 1.7.5

__Contact Informations

Michael Krax <mikx@...x.de>
http://www.mikx.de/?p=8

mikx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ