[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Firespoofing [Firefox 1.0]

To: "mikx" <mikx@xxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: [Full-Disclosure] Firespoofing [Firefox 1.0]
From: "Soderland, Craig" <craig.soderland@xxxxxxx>
Date: Tue, 11 Jan 2005 15:37:20 +0100

This does not work if you are using the FireFox 1.0 tabbed browsing
feature, as your pop up window simply opens a new tab, and it then
becomes immediately obvious what you are trying to pull off here. 



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-
> bounces@xxxxxxxxxxxxxxxx]
> Sent: Monday, January 10, 2005 6:22 PM
> To: full-disclosure@xxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx;
> NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] Firespoofing [Firefox 1.0]
> 
> __Summary
> 
> Using javascript it is possible to spoof the content of security and
> download dialogs by partly covering them with a popup window. This can
> fool
> a user to download and automaticly execute a file (if a file extension
> association exists) or to grant a script local data access (if
codebase
> principals are enabled).
> 
> __Expected Behavior
> 
> Modal dialogs should always be on top and it should not be possible to
> obfuscate their appearance.
> 
> __Proof-of-Concept
> 
> http://www.mikx.de/firespoofing/
> 
> The PoC is designed for Firefox 1.0 running in a maximized window.
> 
> Part 1 - download dialog spoofing
> Shows how to cover a download dialog and fool the user to execute a
file
> with a standard windows file association (in this case a .ht file).
BTW,
> remember the latest .ht buffer overflow...
> 
> Part 2 - security dialog spoofing
> Shows how to cover a security dialog. Make sure codebase principals
are
> enabled (not default but encouraged by many XUL sites). Creates the
file
> c:\booom.txt to proof local system access.
> 
> __Status
> 
> The bug is confirmed but currently unfixed (open for more than 3
months).
> As
> a partial workaround set dom.disable_window_flip to true in
about:config.
> The vendor failed to respond to multiple status requests which led to
this
> public disclosure.
> 
> 2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
> 2004-09-20 Vendor confirmed bug
> 2004-10-20 Status request (open for 1 month - no reply)
> 2005-01-03 Status request (open for 3 months - no reply)
> 2005-01-07 Status request (disclosure warning - no reply)
> 2005-01-11 Public disclosure
> 
> __Affected Software
> 
> Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP
SP2.
> 
> __Contact Informations
> 
> Michael Krax <mikx@xxxxxxx>
> http://www.mikx.de/?p=7
> 
> mikx
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Firespoofing [Firefox 1.0]
  - From: James Greenhalgh

Prev by Date: Re: [Full-Disclosure] VERITAS Backup Exec 8.x/9.x Remote UniversalExploit
Next by Date: [Full-Disclosure] [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl)
Previous by thread: [Full-Disclosure] Re: Firespoofing [Firefox 1.0]
Next by thread: Re: [Full-Disclosure] Firespoofing [Firefox 1.0]
Index(es):
- Date
- Thread