Firefox chrome: URL Handling Directory Traversal.
Posted by: Gerry Eisenhaur in Content, tags: 0day, advisory, exploit, firefox, researching

I spent some time tonight with scripting access to chrome files and found that Firefox doesn't properly handle escaped characters. It's possible to load any javascript file on a victim's machine. This attack is similar to previously disclosed vulnerabilities but is not constrained to basic Firefox files.
To exploit this the victim needs to have an extension installed that does not store its contents in a jar archive (such as the Download Statusbar). I created a demo that will read the Mozilla Thunderbird preferences file all.js (C:\Program Files\Mozilla Thunderbird\greprefs\all.js).
This looks very interesting and may have bigger potential, but for now, it's just another information disclosure.
UPDATE:
There seems to be some confusion about what exactly the severity of this vulnerability is. First, this is not a chrome privilege escalation, but it is worse than just leaking some variables. I created another demo to read the sessionstore.js file. This will display information regarding your current session (windows, tabs, cookies, etc).
The demos use Download Statusbar, but any 'flat' extension (not contained in a JAR file) will work (including Greasemonkey). If you want to track this bug, the Mozilla bug id is 413250.
If you are using Firefox you need to have NoScript, it has stopped this type of attack since August 2007!
UPDATE 2:
Mozilla has marked this as a high severity bug and released a partial list of affected plugins here: https://bugzilla.mozilla.org/attachment.cgi?id=300181
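As an added illustration (not code from this post or from Mozilla), the check below models the class of bug the post describes: a filter that inspects a chrome: URL before percent-decoding lets escaped traversal sequences through, while decoding first and then resolving the path against the provider root catches them. The package name `somepkg`, the sample URLs and the `PROVIDERS` tuple are assumptions made for the demo.

```python
from urllib.parse import unquote, urlsplit

# Constructed chrome: URLs for illustration only; not the demo URLs from the post.
# Value = whether a correct check should allow the URL.
SAMPLE_URLS = {
    "chrome://somepkg/content/overlay.js": True,
    "chrome://somepkg/content/../../../greprefs/all.js": False,
    "chrome://somepkg/content/%2e%2e/%2e%2e/%2e%2e/greprefs/all.js": False,
    "chrome://somepkg/content/%252e%252e/%252e%252e/x.js": False,
}

# Assumed chrome providers; each one is treated as the root the path must stay under.
PROVIDERS = ("content", "skin", "locale")


def naive_check(url: str) -> bool:
    """Model of the weak check: refuse '..' only when it appears literally."""
    return ".." not in url


def fully_decode(path: str, rounds: int = 5) -> str:
    """Percent-decode until the string stops changing so %252e cannot hide a '.'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def canonical_check(url: str) -> bool:
    """Decode first, then resolve '.'/'..' and confirm the path stays under
    chrome://<package>/<provider>/. Returns True only for in-bounds URLs."""
    parts = urlsplit(url)
    if parts.scheme != "chrome" or not parts.netloc:
        return False
    segments = [s for s in fully_decode(parts.path).split("/") if s not in ("", ".")]
    if not segments or segments[0] not in PROVIDERS:
        return False
    stack = []
    for seg in segments[1:]:
        if seg == "..":
            if not stack:  # would climb above the provider root
                return False
            stack.pop()
        else:
            stack.append(seg)
    return True


def classify(urls=SAMPLE_URLS):
    """Return {url: (naive_result, canonical_result)} to compare both checks."""
    return {u: (naive_check(u), canonical_check(u)) for u in urls}
```

Running `classify()` shows the naive check accepting every percent-encoded sample while the canonical check rejects each one that resolves above the provider root.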
January 21st, 2008 at 10:03 am
[…] This looks very interesting and may have bigger potential, but for now, its just another information disclosure. Source […]
January 22nd, 2008 at 2:04 pm
Very nice work, gotta love URI issues.
January 22nd, 2008 at 6:06 pm
[…] Eisenhaur first posted details of this issue along with proof of concept code at http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/. […]
January 22nd, 2008 at 8:04 pm
[…] Eisenhaur first posted details of this issue along with proof of concept code at http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/. […]
January 23rd, 2008 at 5:12 am
[…] confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any […]
January 23rd, 2008 at 7:08 am
Nice find dude! I owe you a beer when I come back to Boston :-)
January 23rd, 2008 at 10:36 am
[…] does not consider this to be a serious threat yet, and has opened a bug on it. HiredHacker has posted proof of concept code. […]
January 23rd, 2008 at 12:59 pm
[…] found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on […]
January 23rd, 2008 at 1:00 pm
Serious vulnerability in Firefox 2.0.11
Important vulnerability in Firefox, exploitable for now if an affected extension is installed. So far it only allows visibility of private information (for example, the chrome), but it cannot be ruled out that it may have other repercussion…
January 23rd, 2008 at 1:13 pm
[…] again: a new directory traversal vulnerability with potential for private data exposure has been publicly disclosed and confirmed by Mozilla, but NoScript users are protected since August […]
January 24th, 2008 at 2:35 am
[…] leakage flaws found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on […]
January 24th, 2008 at 5:28 am
[…] of data discovered in the browser, according to researcher Gerry Eisenhaur, who was the first to warn about the problem on Saturday […]
January 24th, 2008 at 6:57 am
[…] The full technical details and a demo of the bug are available from Gerry Eisenhaur’s hiredhacker site. The demo seems to be for Windows only, so those of a Mac or Linux persuasion will have to […]
January 24th, 2008 at 8:17 am
News in Spanish:
http://foro.hackhispano.com/showthread.php?t=29179 (in Spanish)
January 24th, 2008 at 6:02 pm
[…] of recent days the alarm raised by Gerry Eisenhaur, a blogger and security expert, who reports a vulnerability that […]
January 24th, 2008 at 9:42 pm
[…] hiredhacker.com explains that for the flaw to be exploited the victim needs to have at least one extension installed […]
January 25th, 2008 at 9:26 am
[…] to access and read important files on your PC. As an example Gerry, on his blog, shows the possibility of opening the Mozilla preferences file […]
January 25th, 2008 at 10:31 am
[…] with the handling of URIs and its aftermath. Now it is Gerry Eisenhaur who warns that the chrome: URI scheme allows jumping between directories, so that visiting a website […]
January 28th, 2008 at 12:09 am
[…] there is a flaw in Firefox’s chrome protocol where a ‘flat’ add-on is present that could lead to a directory traversal. Helpfully on the Firefox Security blog there is a response that indicates the NoScript extension […]
January 30th, 2008 at 7:50 am
[…] Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any javascript file on a […]
January 31st, 2008 at 8:34 am
[…] possibility of arbitrarily executing a javascript file on a remote machine, and the one who discovered and reported it was a user, Gerry Eisenhaur, a blogger and expert in […]
February 1st, 2008 at 6:21 pm
[…] is due to come out at the beginning of next week. It will again be a security update that plugs a hole that arises from the use of certain extensions. Until then the extension should […]
February 4th, 2008 at 3:35 am
[…] official (available on this page) had pointed out from the start that there would also be problems related to the possibility […]
February 8th, 2008 at 7:31 am
[…] The most notable of the bunch is MFSA 2008-05. This fix covered that vulnerability that allowed an attacker to run off with stored cookies and other data contained in flat files. The vulnerability was discovered by researcher Gerry Eisenhaur. On Jan. 29, Mozilla security chief Window Snyder upgraded the vulnerability and set plans for Firefox 2.0.0.12, which will be pushed out “shortly.” On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by Eisenhaur on Jan. 19. […]
February 8th, 2008 at 11:41 am
For Firefox users: Use NoScript and check all(!) settings twice. Then you should be fine against such JS hacks. :) For IE/Opera/Safari users: Keep your browser up-to-date or switch over to FF+NoScript.
February 8th, 2008 at 2:12 pm
[…] from Mozilla that finally fixes the vulnerability discovered at the end of January by Gerry Eisenhaur, which allowed flat add-ons (e.g. Greasemonkey or Download Statusbar) to be exploited to execute […]
February 13th, 2008 at 9:40 am
[…] This is a very important update, because first of all it fixes a first vulnerability (chrome protocol directory traversal), reported at the end of January on HiredHacker. […]
April 10th, 2008 at 4:19 pm
[…] For more information click here […]