Open Source and information security mailing list archives
Message-ID: <bc7e11f20709060124t5afadb5du6305c4559dfaa33e@mail.gmail.com>
Date: Thu, 6 Sep 2007 10:24:25 +0200
From: "carl hardwick" <hardwick.carl@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Firefox 2.0.0.6 still vulnerable to URI flaw

http://xs-sniper.com/blog/2007/09/01/firefox-file-handling-woes/

, Nate and I have discovered a way to "…exploit a common handler with
a single unexpected URI…"  Once again, these URI payloads can be
passed by the mailto, nntp, news, and snews URIs, allowing us to pass
the payload without any user interaction.  So, it seems that although
the conditions which allowed for remote command execution in Firefox
2.0.0.5 have been addressed with a security patch, the underlying file
type handling issues which are truly the heart of the issue have NOT
been addressed.

We contacted Mozilla a while ago about the issue and they are
working on it.  We're going to refrain from giving out the exact
details of how this particular issue is executed (based mainly on the
efforts and conversations we've had with Jesse Ruderman), but we'll
include a screenshot of a payload in action.  In the screenshot below,
we use the mailto URI, which passes the URI to the Windows File
Handler, which calls the appropriate program (in this case Windows
Scripting Host), which in turn calls our attacker controlled file.
We've purposely pointed the Windows Scripting Host to a file that
doesn't exist as the error message allows the user to see that WSH is
using the URI passed from Firefox.

PoC here: http://xs-sniper.com/blog/wp-content/uploads/2007/09/file-handling.jpg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
