Date: Tue, 13 Jul 2004 12:33:28 -0700
From: "Darren Pilgrim" <dmp@...freak.org>
To: "'Mind Warper'" <mindwarper@...uxmail.org>,
	<bugtraq@...urityfocus.com>
Subject: RE: Two Vulnerabilities in Mozilla may lead to remote compromise


> From: Mind Warper [mailto:mindwarper@...uxmail.org] 
> 
> Since the known cache file names have no extension by default on windows,
> if the attacker uses the NULL byte bug, he/she can cause mozilla to show
> the contents of one of the cache files as an html file, and therefore
> cause mozilla to execute whatever scripts that exist in the cache files.

Within the limitations of the security settings for the browser.  If you
have Java/JS disabled, the attack won't work.

> The first vulnerability does not require an exploit.
> On windows 2000, there are 3 cache files with known names. They are:
> 
> 1. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_
> 	[ This cache file stores the http headers ]
> 
> 2. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
> 3. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
> 	[ These 2 cache files store the html data ]

The profile folder isn't consistent.  The default folder created during the
install has an extension that changes.  On my machine, for example, the
folder created was default.cuo.  If you set up additional profiles, the
default folder name is "Default User" and you can change it from within the
profile creation wizard.  You also have to know the Windows username to
create the path.

While the above does work if you change the path to match your
configuration, the _CACHE_002_ and _CACHE_003_ files don't contain complete
copies of the HTML files, so it's not guaranteed that a malicious script
would be there.  The actual cache files are named with non-sequential,
32-bit numbers.
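The "NULL byte bug" both messages above refer to is a general bug class: a check that works on the full string sees one file extension, while a NUL-terminated consumer (C string APIs, the file-system layer) stops at the first \x00 and opens a different name. The following is an added illustration of that class in generic form, not Mozilla's code and not part of this thread; the allow-list, the sample names and the helper functions are constructed for the demonstration. It shows the naive extension check next to a hardened one that rejects embedded NULs, and includes the no-extension case (like the _CACHE_00N_ names) that makes the bypass land on an extension-less file.

```python
# Added illustration (not Mozilla's code): the NUL-byte bug class in generic
# form. A checker working on the full string sees one extension; a
# NUL-terminated consumer operates on everything before the first \x00.
# The hardened checker rejects embedded NULs before looking at the extension.

ALLOWED_TEXT_EXTENSIONS = ("txt", "png")  # constructed allow-list for the demo


def extension_of(name: str) -> str:
    """Lower-cased extension of the last path component, or '' when there is
    none (the thread's _CACHE_00N_ files are an example of the no-extension case)."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def nul_terminated_view(name: str) -> str:
    """What a NUL-terminated consumer sees: everything before the first \\x00."""
    return name.split("\x00", 1)[0]


def naive_is_harmless(name: str) -> bool:
    """Vulnerable check: classifies on the full string, so a '\\x00.txt'
    suffix makes any name look like an allowed text file."""
    return extension_of(name) in ALLOWED_TEXT_EXTENSIONS


def hardened_is_harmless(name: str) -> bool:
    """Fixed check: an embedded NUL is never legitimate in a file name, so it
    is rejected outright; only then is the extension consulted."""
    if "\x00" in name:
        return False
    return extension_of(name) in ALLOWED_TEXT_EXTENSIONS


def classify(name: str, checker) -> dict:
    """Run a checker and report what the consumer would actually open."""
    effective = nul_terminated_view(name)
    return {
        "accepted": checker(name),
        "effective_name": effective,
        "effective_ext": extension_of(effective),
    }


if __name__ == "__main__":
    # Constructed sample names: the last two carry a NUL-byte suffix.
    samples = ["notes.txt", "page.html", "page.html\x00.txt", "_CACHE_001_\x00.txt"]
    for n in samples:
        print(repr(n))
        print("  naive:   ", classify(n, naive_is_harmless))
        print("  hardened:", classify(n, hardened_is_harmless))
```

The mismatch to watch for is the pair `accepted=True` with an `effective_ext` that is not on the allow-list (or is empty): the checker and the consumer disagree about which file is being handled. Rejecting any name containing a NUL, as the hardened checker does, removes that disagreement regardless of how the consumer treats the byte.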