Message-ID: <bc7e11f20801221016l19739e11q4db468f62159518e@mail.gmail.com>
Date: Tue, 22 Jan 2008 19:16:37 +0100
From: "carl hardwick" <hardwick.carl@...il.com>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Firefox 2.0.0.11 Chrome Privilege Escalation PoC

Gerry Eisenhaur came with a surprising post
(http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/).
Gerry found an issue in Firefox that allows chrome privilege
escalation. This is due to weak normalization between URIs that are
handled and passed through Firefox with various path encoding methods.
It's a common mistake in browser software not to translate encoded
values back to their correct values and meaning. I wrote about the
same kind of issue before, that only involved a non-malicious example
of traversing directories through the resource:// pointer. This one by
Gerry is far worse, and I really hope browser vendors take a little
more care in handling any resource identifier internally, because this
can lead to serious issues.

Gerry released a PoC that requires the downbar plugin:
<script>pref = function(x, y){document.write(x + ' -> ' + y + '<br>');};</script>
<script src='chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files%2fMozilla%20Thunderbird%2fgreprefs%2fall.js'></script>
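The weak normalization the post describes comes down to checking a path before its percent-encoding is undone. As an added example that is not part of the original post or of Gerry's PoC, the code below contrasts a naive ".." check on the raw path with a resolver that decodes first and refuses anything that climbs above the package root; the function names and the sample path (built on the same pattern as the PoC above) are my own constructions.

```javascript
// Added example, not from the original post or Gerry's PoC. Contrasts a
// check run on the raw (still percent-encoded) path with a resolver that
// decodes first and refuses paths that climb above the package root.

// Naive check: only recognises a literal ".." segment, so an encoded
// "%2e%2e%2f" sequence passes straight through.
function naiveIsTraversal(rawPath) {
  return rawPath.split('/').includes('..');
}

// Percent-decode repeatedly (bounded) so double-encoded input such as
// "%252e" is fully unwrapped before any path logic runs. Malformed
// escapes are rejected rather than passed along.
function fullyDecode(rawPath) {
  let path = rawPath;
  for (let i = 0; i < 4; i++) {
    let decoded;
    try { decoded = decodeURIComponent(path); } catch (e) { return null; }
    if (decoded === path) return path;
    path = decoded;
  }
  return null; // still changing after four rounds: treat as hostile
}

// Resolve "." and ".." segment by segment against the package root.
// Backslashes are folded to "/" first, since the PoC targets Windows.
// Returns the normalised path, or null if the request would escape the root.
function resolveChromePath(rawPath) {
  const path = fullyDecode(rawPath);
  if (path === null) return null;
  const out = [];
  for (const seg of path.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would leave the package root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.join('/');
}

// Constructed sample on the same pattern as the PoC above (three levels up).
const SAMPLE = 'content/%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files%2fgreprefs%2fall.js';

console.log('naive check flags it:', naiveIsTraversal(SAMPLE)); // false
console.log('decoded resolution:', resolveChromePath(SAMPLE));  // null (rejected)
```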
