Author Topic: Firefox 1.0.3 Exploit!  (Read 3311 times)


Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Firefox 1.0.3 Exploit!
« on: May 08, 2005, 11:45:01 am »
http://www.frsirt.com/exploits/20050507.firefox0day.php or http://it.slashdot.org/it/05/05/08/135217.shtml?tid=154&tid=172

Wow. I think it's funny how my dad is never going to let up on the fact that Firefox "allowed users to get infected by clicking their mouse!"

Oh well, better than IE "allowing users to get infected by doing nothing but going to a webpage!" I guess. :)

Discuss.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Firefox 1.0.3 Exploit!
« Reply #1 on: May 08, 2005, 12:39:27 pm »
Here was the original post about it:

Quote
Firefox Remote Compromise Technical Details

Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waste of time.

There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de) helped me with the research.

To understand why the example works, one must understand the basics of how Firefox works. Everything you see in Firefox is essentially a webpage being rendered by a compiler. This is what the GUI is made of, and this is why Firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] url, that individual would be given complete access to the system because chrome urls are given full rights in Firefox. My example works by tricking the addon install function into displaying an icon with a javascript url.

However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldn't, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with details of the requested addon, including an image with a specified image. This image points to a javascript:[script] url, which gets executed in the context of chrome. Now we have compromised the system  :)

Whew, that was quite a mouthful.

I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody.

Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.

If you want to see the original PoC, here is the url:
http://greyhatsecurity.org/vulntests/ffrc.htm

Paul
Greyhats Security
http://greyhatsecurity.org

I like mailing lists because they tend to get stuff first :)

Here's a post by the guy who invented it:
Quote
Well, apparently one of my Firefox vulnerabilities has been leaked. Mikx and I have been working on Firefox security for some time and we are trying to put together something spectacular, but unfortunately there are always those people out there that feel they need to ruin it for people. About a week ago, Mikx and I put together a nice remote compromise for Firefox, submitted it to bugzilla, and got a bug number for it. This is the message that I just got from Bugzilla:
 
bugzilla-daemon@mozilla.org to me 12:14 am (1 hour ago)
https://bugzilla.mozilla.org/show_bug.cgi?id=292691

brendan@mozilla.org changed:

          What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |bugs@bengoodger.com,
                  |                            |vladimir@pobox.com,
                  |                            |shaver@mozilla.org,
                  |                            |brendan@mozilla.org,
                  |                            |chofmann@gmail.com

------- Additional Comments From brendan@mozilla.org  2005-05-07 21:14 PDT -------
So now someone is claiming a 0day that looks a lot like this.  See bug 293302.

So apparently, the secret is out. I wish that this could have been used for good purposes but I guess that just isn't possible these days...

Here is the original PoC:
http://greyhatsecurity.org/vulntests/ffrc.htm

I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice.

Sorry to Mozilla, Mikx, and everyone else that was harmed by the inconsiderate, irresponsible actions of an individual.

Regards,
Paul
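
Added example, not part of the original posts and not Mozilla's actual fix: the last step of the chain quoted above relies on a privileged dialog loading an icon from a javascript: URL, so this sketch contrasts a string deny-list with a parse-then-allow-list check on that icon URL, plus an exact-host check for the two install sites the post names. All function names, the base path and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical names, not Firefox internals.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);
// The two hosts the quoted post says may call the install feature.
const INSTALL_HOSTS = new Set(["update.mozilla.org", "addon.mozilla.org"]);
const BASE = "https://update.mozilla.org/ext/"; // constructed base URL

// Weak: a deny-list on the raw string misses case, whitespace and other schemes.
function naiveIconCheck(raw) {
  return !raw.startsWith("javascript:");
}

// Stronger: normalise with the URL parser, then allow only known schemes.
function safeIconUrl(raw, baseUrl) {
  let parsed;
  try {
    parsed = new URL(raw, baseUrl);
  } catch (e) {
    return null; // unparseable input is never loaded
  }
  return ALLOWED_ICON_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Exact host match; substring or suffix tests accept look-alike hosts.
function installAllowedFrom(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return ALLOWED_ICON_SCHEMES.has(u.protocol) && INSTALL_HOSTS.has(u.hostname);
  } catch (e) {
    return false;
  }
}

// Constructed sample icon values; the script body is a harmless void(0).
const SAMPLES = [
  "https://addons.example/icon.png",
  "icon.png",
  "javascript:void(0)",
  " JavaScript:void(0)",
  "java\tscript:void(0)",
  "data:image/png;base64,AAAA",
];

// Inputs the deny-list lets through but the allow-list rejects.
function missedByDenyList(samples, baseUrl) {
  return samples.filter((s) => naiveIconCheck(s) && safeIconUrl(s, baseUrl) === null);
}

console.log(missedByDenyList(SAMPLES, BASE));
```

The host check alone would not have stopped the chain described in the post, because there the script ended up running in the context of update.mozilla.org; the scheme check on the icon is the part that addresses the final step.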

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Firefox 1.0.3 Exploit!
« Reply #2 on: May 08, 2005, 01:42:55 pm »
Ah, think I saw something about this.

Bring up Googkle.com if he asks, newby.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Firefox 1.0.3 Exploit!
« Reply #4 on: May 10, 2005, 09:25:18 am »
Quote
According to secunia.com:

IE 6.x has had 80 advisories, of which 42% (34 advisories) were rated
highly or extremely critical, and 3 critical advisories are still
unpatched after several months.

Firefox 1.x has had 16 advisories, of which 19% (3 advisories) were rated
highly or extremely critical, and only 1 critical advisory is still
unpatched, but it's only been in that state for a few days, and a patch is
on its way.

Soon, we will once again have no unpatched critical vulnerabilities with
Firefox, and we will still have three or more with IE.

I still like my odds with Firefox.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Take THAT Microsoft!