lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <bc7e11f20802090621q5df95a6cvf658551078e9a848@mail.gmail.com>
Date: Sat, 9 Feb 2008 15:21:23 +0100
From: "carl hardwick" <hardwick.carl@...il.com>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Firefox 2.0.0.12 information leak vulnerability

Don't blame the extension developers this time :)

You probably thought otherwise after they just released version
2.0.0.12. a couple of hours ago, that had a fix for numerous other
vulnerabilities. But guess what? we are going to see 2.0.0.13 pretty
soon I guess. I snared at Mozilla before: don't patch vulnerabilities
for fifty percent, take the time and fix the cause. Because directory
traversal through plugins is all nice and such, we don't need it. We
can trick Firefox itself in traversing directories back. I found
another information leak that is very serious because we are able to
read out all preferences set in Firefox, or just open or include about
every file stored in the Mozilla program files directory, and this
without any mandatory settings or plugins.

In the vulnerability we make use of the 'view-source:' scheme that
allows us to source out the 'resource:' scheme. With it, we can view
the source of any file located in the 'resource:///' directory, which
translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we
only include the file inside it and it becomes available to a new
page's DOM, and so we are able to read all settings.

Other issues can emerge also, this is only a short-hand proof of
concept. Like always, more is possible. While chatting with Gareth
Heyes, I came up with the vector in a couple of minutes. We talked
about more issues which we probably are going to discuss very soon.

<script>

/*
 @name: Firefox <= 2.0.0.12 information leak pOc
 @date: Feb. 07 2008
 @author: Ronald van den Heetkamp
 @url: http://www.0x000000.com
*/

pref = function(a,b) {

   document.write( a + ' -> ' + b + '<br />');

};

</script>

<script src="view-source:resource:///greprefs/all.js"></script>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ