Posted on 02/06/2007 6:04:30 PM PST by zeugma
There is an interesting vulnerability in the default behavior of Firefox built-in popup blocker. This vulnerability, coupled with an additional trick, allows the attacker to read arbitrary user-accessible files on the system, and thus steal some fairly sensitive information
Vulnerable Systems:
* Firefox version 1.5.0.9
For security reasons, Firefox does not allow Internet-originating websites to access the file:// namespace. When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. The attacker may fool the browser to parse a chosen HTML document stored on the local filesystem, and because Firefox security manager treats all file:/// URLs as having "same origin", such a document could read other local files at its discretion with the use of XMLHttpRequest, and relay that information to a remote server.
Now, to make the attack effective, the attacker would need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't: Firefox sometimes creates outright deterministic temporary filenames in system-wide temporary directory when opening files with external applications; even if we ignore this possibility (since it requires the user to take an additional step that may be difficult to justify), "random" temporary files are created using a flawed algorithm in nsExternalAppHandler::SetUpTempFile and other locations.
The problem here is that stdlib linear congruential PRNG (srand/rand) is seeded immediately prior to file creation with current time in seconds (actually, microseconds, but divided by 1e6); rand() is then used in direct succession to produce an "unpredictable" file name. Normally, were the PRNG seeded once on program start and then subsequently invoked, results would be deterministic, but difficult to blindly predict in the real world; but here, the job is much easier: we know when the download start, we know what the seed would be, and how many subsequent calls to it are made - we know the output.
In a different setting, there would be a level of uncertainty caused by the fact that system clocks tend to drift or have imprecise settings (although today, most Windows systems either synchronize with Windows Time, or domain time services, so this is less of a factor). Still, there's a yet another nail to the coffin: on first call, Javascript Math.random() is seeded using the same call in the same manner, PR_Now() * 1e-6. The seed, and hence a time very close to the moment of file creation, can be trivially computed by analyzing Math.random() output. But wait, why bother at all - Javascript can be used to directly read system clock with a 1-second resolution.
One of several attack scenarios Michal could think of might look as follows:
1) Have user click on a link on a malicious page. The link would point to "evil.cgi", and have onClick handler set to function foo(). This function would acquire current system time, and use setTimeout to invoke window.open("p2.html?" + curtime,"new",""); in 100 ms. The aforementioned cgi script would return:
Content-type: text/html
Content-disposition: attachment; filename="foo.html"
<html><body><script>
x = new XMLHttpRequest;
x.open("GET", "file:///c:/BOOT.ini", false);
x.send(null);
alert("The script attempted to read your C:/BOOT.ini:\n\n"
+ x.responseText);
</script>
2) After user clicks the link, a download prompt will appear, and a copy of evil.cgi output would be saved in - for example - C:\WINDOWS\TEMP\c3o89nr7.htm. The download prompt will be immediately hidden under the newly created p2.html window (this, by default, bypasses popup blocker. because the window is created in response to user action).
3) The page currently displayed on top, p2.html, instructs the user to accept the popup to open a movie player or whatnot; since unsolicited popups are an annoyance, not a security risk, even an educated user is likely to comply.
To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm','new2',''),
with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time).
4) When the user opens that particular popup, attacker-supplied HTML file is loaded and executed with local file read privileges (in the aforementioned example, the contents of BOOT.ini file would be reported back to the victim).
This vulnerability will only work for files that you have read access to, as there is no priviledge escalation involved. The malicious site would also need to know the name of the file they are looking for. (which is yet another reason to put your SSH and other crypto keys in a non-standard directory.)
I'll look around for more info and post if I find anything useful.
If y'all could forward to the apropos ping lists please...
I've about had it with Firefox anyway. On my two computers (laptop and desktop win XP pro) it ALWAYS crashes when clicking on ANY link on foxnews.com. IE doesn't crash. I've been only Firefox for over a year now and am tired of the disappearing browser - poof - it's gone.
You've got issues with Flash, or something.
It's odd that it's both computers (scanned and virus/trojan/malware/spyware free). IE handles Flash just fine. Firefox is leaving me with no choice. I get tired of having to open IE to read Fox News.
Actually, I have the exact same problem. I've been using FireFox for a long time now but I'm almost fed up. I have problems with all kinds of websites that when I try to view anything with Flash, the program says "an error has occured" or it freezes.
This is especially notorious with YouTube. It's like I can't watch any kind of on-line video with FireFox anymore. However, if I try this with another program like IE it works just fine.
I'm thinking of switching to Opera but I don't know whether or not it would be better.
I use this. You right click and the option is open in IE tab. Don't have to leave firefox or wait for IE to open up.
https://addons.mozilla.org/firefox/1419/
I have Opera on my laptop along with IE and Firefox. I got it when it was free for a day on one of their anniversaries (announced here on FR). I don't know if it's free now or not. Anyway, I like it a lot but it also crashes on Fox News. IE works just fine.
Of course the preferred thing would be to not need another program due to this one crashing...
VISTA.
FTW
YOU WILL BE ASSIMILATED/YES
I regularly visit sites I have to use Firefox for full capabilities, and others where Firefox is useless.
I use Firefox in both XP and [right now] on my Linux drive. They both work perfectly at YouTube. Fox News is less perfect, but I swear that it's something peculiar to FOX that's related to Flash--but I'm no geek.
Have you tried deleting Firefox and doing a completely fresh install? I believe I'd rather eat liver than use IE. But ya gotta do what ya gotta do.
I'd forgotten about IE tabs. Good idea.
Try Mozilla. You get the same protection. I use Mozilla Suite and have no problems at all.
I have had some problemws with Firefox and have maintained an IE copy that I use on rare occasions but every time I have to use IE I am reminded of why I don't like to use IE.
Same here. I come across the occasional site that needs IE for some reason, which causes me foreswear ever using it again. Yet, I know people who love it.
I am especially unfond of the MSFT popups that flood in when IE goes up or when I click on anything in IE and that my popup blockers don't block.
book
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.