Firefox chrome: URL Handling Directory Traversal.

January 19th, 2008

I spent some time tonight with scripting access to chrome files and found that Firefox doesn’t properly handle escaped characters. It’s possible to load any JavaScript file on a victim’s machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.

To exploit this, the victim needs to have an extension installed that does not store its contents in a JAR archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).

This looks very interesting and may have bigger potential, but for now it’s just another information disclosure.

UPDATE:
There seems to be some confusion about the severity of this vulnerability. First, this is not a chrome privilege escalation, but it is worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session (windows, tabs, cookies, etc.).

The demos use Download Statusbar, but any ‘flat’ extension (not contained in a JAR file) will work (including Greasemonkey). If you want to track this bug, the Mozilla bug id is 413250.

If you are using Firefox you need to have NoScript; it has stopped this type of attack since August 2007!

UPDATE 2:
Mozilla has marked this as a high severity bug and released a partial list of affected plugins here: https://bugzilla.mozilla.org/attachment.cgi?id=300181

  1. January 22nd, 2008 at 14:04

    Very nice work, gotta love URI issues.

  2. January 23rd, 2008 at 07:08

    Nice find dude! I owe you a beer when I come back to Boston :-)

  3. January 24th, 2008 at 08:17

    News in Spanish:
    http://foro.hackhispano.com/showthread.php?t=29179 (in Spanish)

  4. February 8th, 2008 at 11:41

    For Firefox users: Use NoScript and check all(!) settings twice. Then you should be fine against such JS hacks. :) For IE/Opera/Safari users: Keep your browser up-to-date or switch over to FF+NoScript.

  5. July 15th, 2008 at 20:41

    I enjoy your site very much! THANK YOU

  6. August 23rd, 2008 at 03:11

    For Firefox users: Use NoScript and check all(!) settings twice. Then you should be fine against such JS hacks. :) For IE/Opera/Safari users: Keep your browser up-to-date or switch over to FF+NoScript.

    Thanks for it!

  7. August 26th, 2008 at 01:47

    […] confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any […]

  8. Jerry
    August 28th, 2008 at 11:22

    I am not sure what I have when it comes to security. Does Firefox take care of all my security problems, or do I need to have a program like Norton Systematic for virus and web protection, or McAfee?

  9. October 21st, 2008 at 17:11

    Hi, I am a very new user and wish to know the following. Previously I was using Sympatico and also Norton anti-virus. Will I still be protected against attacks? I am not very conversant re: use of computers and am cautiously feeling my way.
    Gerald Campbell ,gm.campbell.seaside@ns .ca

  10. November 8th, 2008 at 05:52

    My Firefox has 2 errors: 1. cannot download using IDA (Internet Download Accelerator)
    2. cannot use Avast script blocking for Firefox
    Somebody help me please???
    Thanks to anyone who can help me

    :)) :)) Sorry, my English is bad, but I must try my English, sorry

  11. December 11th, 2008 at 14:28

    I have never used Firefox and don’t recommend it to anyone :) Internet Explorer forever…

  12. February 5th, 2009 at 11:27

    Very informative article, which I found quite useful. Cheers, Jay

  13. February 13th, 2009 at 22:59

    Nice work and thanks for pointing out NoScript- I was not aware of it before and now I guess I will be using it!!

  14. March 6th, 2009 at 22:17

    @vilneap: Then you *should* give it a try. IE has wholes like our Milky Way has suns. :)

  15. March 6th, 2009 at 22:18

    Holes, I mean.
