[38134] in bugtraq
Firespoofing [Firefox 1.0]
daemon@ATHENA.MIT.EDU (mikx)
Tue Jan 11 14:50:56 2005
Message-ID: <00c801c4f76b$36346020$280207d5@netvision.ads>
Reply-To: "mikx" <mikx@mikx.de>
From: "mikx" <mikx@mikx.de>
To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>,
<NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Date: Tue, 11 Jan 2005 00:22:09 +0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
__Summary
Using javascript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if codebase
principals are enabled).
__Expected Behavior
Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.
__Proof-of-Concept
http://www.mikx.de/firespoofing/
The PoC is designed for Firefox 1.0 running in a maximized window.
Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file
with a standard windows file association (in this case a .ht file). BTW,
remember the latest .ht buffer overflow...
Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are
enabled (not default but encouraged by many XUL sites). Creates the file
c:\booom.txt to proof local system access.
__Status
The bug is confirmed but currently unfixed (open for more than 3 months). As
a partial workaround set dom.disable_window_flip to true in about:config.
The vendor failed to respond to multiple status requests which led to this
public disclosure.
2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure
__Affected Software
Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.
__Contact Informations
Michael Krax <mikx@mikx.de>
http://www.mikx.de/?p=7
mikx
