Bugtraq mailing list archives
RE: Two Vulnerabilities in Mozilla may lead to remote compromise
From: "Darren Pilgrim" <dmp () bitfreak org>
Date: Tue, 13 Jul 2004 12:33:28 -0700
From: Mind Warper [mailto:mindwarper () linuxmail org]

> Since the known cache file names have no extension by default on Windows, if the attacker uses the NULL byte bug, he/she can cause Mozilla to show the contents of one of the cache files as an html file, and therefore cause Mozilla to execute whatever scripts that exist in the cache files.

Within the limitations of the security settings for the browser. If you have Java/JS disabled, the attack won't work.

> The first vulnerability does not require an exploit. On Windows 2000, there are 3 cache files with known names. They are:
>
> 1. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_
>    [ This cache file stores the http headers ]
> 2. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
> 3. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
>    [ These 2 cache files store the html data ]

The profile folder isn't consistent. The default folder created during the install has an extension that changes. On my machine, for example, the folder created was default.cuo. If you set up additional profiles, the default folder name is "Default User" and you can change it from within the profile creation wizard. You also have to know the Windows username to create the path. While the above does work if you change the path to match your configuration, the _CACHE_002_ and _CACHE_003_ files don't contain complete copies of the HTML files, so it's not guaranteed that a malicious script would be there. The actual cache files are named with non-sequential, 32-bit numbers.