[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
From: Marcello Barnaba <marcello@xxxxxxxxxxxxxx>
Date: Mon, 12 Feb 2007 23:59:13 +0100

Hi Michal,

On Monday 12 February 2007 00:01, Michal Zalewski wrote:
> After some research, I can offer this clarification:
>
>   1) The MSIE 7 attack vector I described is a distinctive, new
>      vulnerability that differs from the attack reported by Charles
>      McAuley and Bart van Arnhem. Attacks described by them were
>      fixed in MSIE7 (although MSIE6 is still exposed to the original
>      flaw).
>
>      My vulnerability attacks the same form control, but in a different
>      manner. Again, the demo for this vulnerability is here:
>      http://lcamtuf.coredump.cx/focusbug/ieversion.html
>
>   2) The Firefox attack vector is related to the Charles' CVE-2006-2894,
>      which in turn was a rediscovery of a problem known to Mozilla since
>      2000 (!); attempts to fix it in official releases failed because the
>      problem was repeatedly marked as a duplicate of a too narrowly
>      defined issue with control hiding. A broader redesign probably
>      eliminated the issue in development branches, but it still affects
>      Firefox 1.5 and 2.0.
>
>      This can be considered an independent rediscovery and a more
>      practical demonstration of a previously reported vulnerability.
>      The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html

I tested both the ff and ie version on both Safari 2.0.4 (419.3) and Konqueror 
3.5.5.

On the FF version, konqueror does not exhibit any behavior, lets you input 
text and no redirection is made. To my surprise, the IE version instead dumps 
all the keystrokes typed but does not copy them again into the textarea.
Hitting return causes a dialog "The following files will not be uploaded 
because they could be not be found", and the reason is because the file name 
is the whole input phrase.

On Safari the FF version does not dump anything either, just the first C 
keystroke is took and taken directly into oblivion :). OTOH the IE version 
exhibits the same behavior as konqueror, but the "select file" open dialog 
pops up whenever hitting space.

Regards
-- 
pub 1024D/8D2787EF  723C 7CA3 3C19 2ACE  6E20 9CC1 9956 EB3C 8D27 87EF

Attachment: pgp5RS7KqVClG.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
  - From: Michal Zalewski
- [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
  - From: Michal Zalewski

Prev by Date: [Full-disclosure] SecurityVulns.com: Microsoft Visual C++ 8.0 standard library time functions invalid assertion DoS (Problem 3000).
Next by Date: Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
Previous by thread: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
Next by thread: Re: [Full-disclosure] Firefox/MSIE focus stealing vulnerability - clarification
Index(es):
- Date
- Thread