Full Disclosure mailing list archives
Firefox 2.0.0.6 still vulnerable to URI flaw
From: "carl hardwick" <hardwick.carl () gmail com>
Date: Thu, 6 Sep 2007 10:24:25 +0200
http://xs-sniper.com/blog/2007/09/01/firefox-file-handling-woes/

Nate and I have discovered a way to "…exploit a common handler with a single unexpected URI…" Once again, these URI payloads can be passed by the mailto, nntp, news, and snews URIs, allowing us to pass the payload without any user interaction.

So, it seems that although the conditions which allowed for remote command execution in Firefox 2.0.0.5 have been addressed with a security patch, the underlying file type handling issues which are truly the heart of the issue have NOT been addressed. We contacted Mozilla a while ago about the issue and they are working on it.

We're going to refrain from giving out the exact details of how this particular issue is executed (based mainly on the efforts and conversations we've had with Jesse Ruderman), but we'll include a screenshot of a payload in action. In the screenshot below, we use the mailto URI, which passes the URI to the Windows File Handler, which calls the appropriate program (in this case Windows Scripting Host), which in turn calls our attacker controlled file. We've purposely pointed the Windows Scripting Host to a file that doesn't exist as the error message allows the user to see that WSH is using the URI passed from Firefox.

PoC here: http://xs-sniper.com/blog/wp-content/uploads/2007/09/file-handling.jpg