Firefox chrome: URL Handling Directory Traversal.
Posted by: Gerry Eisenhaur in Content, tags: 0day, advisory, exploit, firefox, researchingI spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. Its possible to load any javascript file on a victims machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.
To exploit this the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).
This looks very interesting and may have bigger potential, but for now, its just another information disclosure.
UPDATE:
There seems to be some confusion about what exactly the severity of this vulnerability is. First, this is not a chrome privilege escalation but it worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session (windows, tabs, cookies, etc).
The demo’s use Download Statusbar but any ‘flat’ extension (not contained in a JAR file) will work (including greasemonkey). If you want to track this bug, the mozilla bug id is 413250 .
If you are using Firefox you need to have NoScript, it has stopped this type of attack since August 2007!
UPDATE 2:
Mozilla has marked this as a high severity bug and released a partial list of affected plugins here: https://bugzilla.mozilla.org/attachment.cgi?id=300181
Entries (RSS)
January 21st, 2008 at 10:03 am
[…] This looks very interesting and may have bigger potential, but for now, its just another information disclosure. Quelle […]
January 22nd, 2008 at 2:04 pm
Very nice work, gotta love URI issues.
January 22nd, 2008 at 6:06 pm
[…] Eisenhaur first posted details of this issue along with proof of concept code at http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/. Posted in Vulnerabilities, Security, Firefox | Trackback | del.icio.us | Top Of […]
January 22nd, 2008 at 8:04 pm
[…] Eisenhaur first posted details of this issue along with proof of concept code at http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/. addthis_url = […]
January 23rd, 2008 at 5:12 am
[…] confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any […]
January 23rd, 2008 at 7:08 am
Nice find dude! I owe you a beer when I come back to Boston :-)
January 23rd, 2008 at 10:36 am
[…] does not consider this to be a serious threat, yet and has opened a bug on it. HiredHacker has posted proof of concept code. var sc_project=2633782; var sc_invisible=0; var sc_partition=25; […]
January 23rd, 2008 at 12:59 pm
[…] found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on […]
January 23rd, 2008 at 1:00 pm
Grave vulnerabilidad en Firefox 2.0.11
Importante vulnerabilidad en Firefox, explotable de momento si se tiene alguna extensión afectada instalada. Hasta ahora sólo permite visibilidad de información privada (por ejemplo, el chrome), pero no se descarta que pueda tener otras repercusione…
January 23rd, 2008 at 1:06 pm
[…] k
January 23rd, 2008 at 1:13 pm
[…] again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users are protected since August […]
January 23rd, 2008 at 6:23 pm
[…] de dados descobertas no browser, segundo o pesquisador Gerry Eisenhaur, que foi o primeiro a alertar para sobre o problema no s
January 24th, 2008 at 2:35 am
[…] leakage flaws found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on […]
January 24th, 2008 at 5:28 am
[…] de dados descobertas no browser, segundo o pesquisador Gerry Eisenhaur, que foi o primeiro a alertar para sobre o problema no sábado […]
January 24th, 2008 at 6:57 am
[…] The full technical details and a demo of the bug are available from Gerry Eisenhaur’s hiredhacker site. The demo seems to be for Windows only, so those of a Mac or Linux persuasion will have to […]
January 24th, 2008 at 8:17 am
Noticia en español:
http://foro.hackhispano.com/showthread.php?t=29179 (in Spanish)
January 24th, 2008 at 6:02 pm
[…] di questi giorni l’allarme sollevato da Gerry Eisehaur, un blogger esperto di sicurezza, che segnala una vulnerabilità che […]
January 24th, 2008 at 9:42 pm
[…] hiredhacker.com explica que para que a falha seja explorada a vítima precisa ter instalada ao menos uma extensão […]
January 25th, 2008 at 9:26 am
[…] di accedere e leggere a file importanti presenti nel vostro PC. Come esempio Gerry, nel suo blog, mostra la possibilità di aprire il file delle preferenze di Mozilla […]
January 25th, 2008 at 10:31 am
[…] con el manejo de las URIs y sus secuelas. Ahora es Gerry Eisenhaur quien avisa que el esquema chrome: URI permite saltar entre directorios, de modo que la visita a una web […]
January 26th, 2008 at 3:58 pm
[…] hiredhacker.com explica que para que a falha seja explorada a vítima precisa ter instalada ao menos uma […]
January 28th, 2008 at 12:09 am
[…] there is a flaw in Firefox’s chrome protocol where a ‘flat’ add-on is present that could lead to a directory traversal. Helpfully on the Firefox Security blog there is a response that indicates the NoScript extension […]
January 28th, 2008 at 8:57 am
[…] con el manejo de las URIs y sus secuelas. Ahora es Gerry Eisenhaur quien avisa que el esquema chrome: URI permite saltar entre directorios, de modo que la visita a una web […]
January 28th, 2008 at 1:12 pm
[…] de dados descobertas no browser, segundo o pesquisador Gerry Eisenhaur, que foi o primeiro a alertar para sobre o problema no sábado […]
January 30th, 2008 at 7:50 am
[…] Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any javascript file on a […]
January 31st, 2008 at 8:34 am
[…] possibilità di eseguire un file javascript arbitrariamente su una macchina remota e a scoprirla e segnalarla è stato un utente, Gerry Eisehaur, blogger esperto di […]
February 1st, 2008 at 6:21 pm
[…] soll Anfang nächster Woche heraus kommen. Es wird wiederum ein Sicherheits Update sein, das ein Loch stopft, das durch die Benutzung bestimmter Erweiterungen entsteht. Bis dahin sollte die Erweiterung […]
February 4th, 2008 at 3:35 am
[…] ufficiale (presente a questa pagina) aveva segnalato sin dal principio che ci sarebbero stati problemi legati anche alla possibilità […]
February 8th, 2008 at 7:31 am
[…] The most notable of the bunch is MFSA 2008-05. This fix covered that vulnerability that allowed an attacker to run off with stored cookies and other data contained in flat files. The vulnerability was discovered by researcher Gerry Eisenhaur. On Jan. 29, Mozilla security chief Window Snyder upgraded the vulnerability and set plans for Firefox 2.0.0.12, which will be pushed out “shortly.” On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by Eisenhaur on Jan. 19. […]
February 8th, 2008 at 11:41 am
For Firefox users: Use NoScript and check all(!) settings twice. Then you should be fine against such JS hacks. :) For IE/Opera/Safari users: Keep your browser up-to-date or switch over to FF+NoScript.
February 8th, 2008 at 2:12 pm
[…] di casa Mozilla che finalmente corregge la vulnerabilità scoperta alla fine del mese di gennaio da Gerry Eisehaur che permetteva di sfruttare gli add-on flat (es. Greasemonkey o Download Statusbar) per eseguire […]
February 13th, 2008 at 9:40 am
[…] Si tratta di un aggiornamento molto importante, perché risolve innanzitutto una prima vulnerabilità (chrome protocol directory traversal), segnalata a fine Gennaio su HiredHacker. […]
April 10th, 2008 at 4:19 pm
[…] Per maggiori informazioni Clicca qui […]
April 17th, 2008 at 3:16 pm
Blog Hopper…
Hi There. I’m blog hopping….
May 7th, 2008 at 7:52 am
defd73f3f2c4…
defd73f3f2c478e9d1d4…