lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 13 Jul 2004 18:49:11 +0200
From: Jelmer <jkuperus@...net.nl>
To: 'Mind Warper' <mindwarper@...uxmail.org>,
	bugtraq@...urityfocus.com
Subject: RE: Two Vulnerabilities in Mozilla may lead to remote compromise


>All version of Mozilla and Firefox

I was under the impression that mozilla firefox disallowed access to local
files (not sure about mozilla but I assume it's the same)

When I link to a local file from the internet, I get a

Security Error: Content at http:///.... May not load or link to 
File:/// ...

Message in the javascript console. Have you got a demo you can show us?


-----Original Message-----
From: Mind Warper [mailto:mindwarper@...uxmail.org] 
Sent: dinsdag 13 juli 2004 12:17
To: bugtraq@...urityfocus.com
Subject: Two Vulnerabilities in Mozilla may lead to remote compromise



Two Vulnerabilities in Mozilla may lead to remote compromise. 

=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--= 



---------------------- 

Vendor Information: 

---------------------- 



Homepage : http://www.mozilla.org 

Vendor : informed on 11/06/04

Mailed advisory: 13/06/04 

Vender Response : None yet 





---------------------- 

Affected Versions: 

---------------------- 



All version of Mozilla and Firefox



---------------------- 

Description: 

---------------------- 



There are two vulnerabilities in Mozilla that may lead to remote code
execution under local zone.

The first vulnerability affects firefox, and may affect mozilla as well. I
have only tested

firefox under windows 2000 and windows XP so I'm not sure if this issue
exists on other OS's.

The problem is that firefox stores its cache in a known directory, and some
of the cached html

is stored in known files. If a victim visits the attackers website which
includes malicious javascript

and then views the content of one of the cache files in local zone, the
script will get executed and

the attacker will be able to compromise the victim's system. This
vulnerability in mozilla can't be

abused as it is, but combined with a few other vulnerabilities the attacker
could execute malicious

code on the victim's computer without having the victim do anything except
visit his website (very

similar to the exploits in Internet Explorer).



The second vulnerability allows the attacker to modify the mime type by
using the infamous NULL byte.

Mozilla by default uses the file extention name to decide how to show a
local file. For example,

if a user requests file:///C:/blah.txt, Mozilla will show the contents of
blah.txt, but if the user

requests file:///C:/blah then Mozilla will pop up a window asking the user
if he/she wants to download

the file. By adding a NULL byte at the end of the filename, and the
extention that you want Mozilla

to handle right after the filename, you can make Mozilla open
file:///C:/blah as an html file.

Just like the vulnerability above, this can't be used alone to execute
malicious code, the attacker

needs to combine the above vulnerability with this one to succeed.



Since the known cache file names have no extention by default on windows, if
the attacker uses the NULL

byte bug, he/she can cause mozilla to show the contents of one of the cache
files as an html file,

and therefore cause mozilla to execute whatever scripts that exist in the
cache files.





---------------------- 

Exploit: 

---------------------- 



The first vulnerability does not require an exploit.

On windows 2000, there are 3 cache files with known names. They are:



1. C:\Documents and Settings\Administrator\Application
Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_

	[ This cache file stores the http headers ]



2. C:\Documents and Settings\Administrator\Application
Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_

3. C:\Documents and Settings\Administrator\Application
Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_

	[ These 2 cache files store the html data ]



If we combine both vulnerabilities shown above we get something like this:



file://C:\\Documents and Settings\\Administrator\\Application
Data\\Mozilla\\Firefox\\Profiles\\default.nop\\Cache\\_CACHE_002_%00.html



Mozilla will open this file without the %00.html, but it will treat it as an
html file and won't pop up a download window.





---------------------- 

Solution: 

---------------------- 



Visit mozilla.org to check for updates.



---------------------- 

Contact: 

---------------------- 



- Mindwarper 

- mindwarper@...ecurity.com 

- http://mlsecurity.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ