[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040713165614.17157.qmail@www.securityfocus.com>
Date: 13 Jul 2004 16:56:14 -0000
From: Philliph <bugtraq@...edit.sk>
To: bugtraq@...urityfocus.com
Subject: Re: Two Vulnerabilities in Mozilla may lead to remote compromise
In-Reply-To: <20040713101632.21299.qmail@....securityfocus.com>
Re: Vulnerability No. 1: Mozilla stores cache data in directory with random name, so it definitely isnīt vulnerable
(the directory is %appdata%\Mozilla\Profiles\_name_of_profile_\_random_name_\Cache )
Re: Vulnerability No. 2:
Both Mozilla and Firefox are vulnerable. Tested versions: 1.7.1 (Mozilla), 0.9 (Firefox) running on Windows 2000/XP.
BTW, the file can be without any extension, but also with arbitrary extension, so for example file:///C:/blah.txt%.mp3 also works.
Phil
>Received: (qmail 13607 invoked from network); 13 Jul 2004 15:28:02 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
> by mail.securityfocus.com with SMTP; 13 Jul 2004 15:28:02 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 38653236F94; Tue, 13 Jul 2004 09:27:45 -0600 (MDT)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 21210 invoked from network); 13 Jul 2004 04:13:43 -0000
>Date: 13 Jul 2004 10:16:32 -0000
>Message-ID: <20040713101632.21299.qmail@....securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Mind Warper <mindwarper@...uxmail.org>
>To: bugtraq@...urityfocus.com
>Subject: Two Vulnerabilities in Mozilla may lead to remote compromise
>
>
>
>Two Vulnerabilities in Mozilla may lead to remote compromise.
>=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
>
>----------------------
>Vendor Information:
>----------------------
>
>Homepage : http://www.mozilla.org
>Vendor : informed on 11/06/04
>Mailed advisory: 13/06/04
>Vender Response : None yet
>
>
>----------------------
>Affected Versions:
>----------------------
>
>All version of Mozilla and Firefox
>
>----------------------
>Description:
>----------------------
>
>There are two vulnerabilities in Mozilla that may lead to remote code execution under local zone.
>The first vulnerability affects firefox, and may affect mozilla as well. I have only tested
>firefox under windows 2000 and windows XP so I'm not sure if this issue exists on other OS's.
>The problem is that firefox stores its cache in a known directory, and some of the cached html
>is stored in known files. If a victim visits the attackers website which includes malicious javascript
>and then views the content of one of the cache files in local zone, the script will get executed and
>the attacker will be able to compromise the victim's system. This vulnerability in mozilla can't be
>abused as it is, but combined with a few other vulnerabilities the attacker could execute malicious
>code on the victim's computer without having the victim do anything except visit his website (very
>similar to the exploits in Internet Explorer).
>
>The second vulnerability allows the attacker to modify the mime type by using the infamous NULL byte.
>Mozilla by default uses the file extention name to decide how to show a local file. For example,
>if a user requests file:///C:/blah.txt, Mozilla will show the contents of blah.txt, but if the user
>requests file:///C:/blah then Mozilla will pop up a window asking the user if he/she wants to download
>the file. By adding a NULL byte at the end of the filename, and the extention that you want Mozilla
>to handle right after the filename, you can make Mozilla open file:///C:/blah as an html file.
>Just like the vulnerability above, this can't be used alone to execute malicious code, the attacker
>needs to combine the above vulnerability with this one to succeed.
>
>Since the known cache file names have no extention by default on windows, if the attacker uses the NULL
>byte bug, he/she can cause mozilla to show the contents of one of the cache files as an html file,
>and therefore cause mozilla to execute whatever scripts that exist in the cache files.
>
>
>----------------------
>Exploit:
>----------------------
>
>The first vulnerability does not require an exploit.
>On windows 2000, there are 3 cache files with known names. They are:
>
>1. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_
> [ This cache file stores the http headers ]
>
>2. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
>3. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
> [ These 2 cache files store the html data ]
>
>If we combine both vulnerabilities shown above we get something like this:
>
>file://C:\\Documents and Settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles\\default.nop\\Cache\\_CACHE_002_%00.html
>
>Mozilla will open this file without the %00.html, but it will treat it as an html file and won't pop up a download window.
>
>
>----------------------
>Solution:
>----------------------
>
>Visit mozilla.org to check for updates.
>
>----------------------
>Contact:
>----------------------
>
>- Mindwarper
>- mindwarper@...ecurity.com
>- http://mlsecurity.com
>
Powered by blists - more mailing lists