Technical |
Although Firefox does not allow Internet-originating websites to access the file:// namespace, a user choosing to manually allow a blocked popup causes the normal URL permission checks to be bypassed. If the attacker fools the browser to parse a chosen HTML document stored on the local filesystem, this document could read other local files with the use of XMLHttpRequest() and relay this information to a remote server. This issue is due to Firefox treating all file:/// URLs as having the same origin.
This exploit can be used in conjunction with other weaknesses in Firefox to make it possible for an attacker to execute arbitrary script code with elevated privileges. An attacker could plant a predictably named file with exploit code on the target system. A weaknesses that allows for this is present in Firefox's nsExternalAppHandler::SetUpTempFile that is used to generate "unpredictable" file names. It uses the stdlib linear congruential srand/rand weak pseudorandom number generator, that makes use of the current time to generate "random" numbers.
=====================================================
Possible Attack Scenario (Michał Zalewski)
=====================================================
1) Have user click on a link on a malicious page. The link would point to "evil.cgi", and have onClick handler set to function foo(). This function would acquire current system time, and use setTimeout to invoke window.open("p2.html?" + curtime,"new",""); in 100 ms. The aforementioned cgi script would return:
Content-type: text/html
Content-disposition: attachment; filename="foo.html"
<html><body><script>
x = new XMLHttpRequest;
x.open("GET", "file:///c:/BOOT.ini", false);
x.send(null);
alert("The script attempted to read your C:/BOOT.ini:\n\n" + x.responseText);
</script>
2) After user clicks the link, a download prompt will appear, and a copy of evil.cgi output would be saved in - for example - C:\WINDOWS\TEMP\c3o89nr7.htm. The download prompt will be immediately hidden under the newly created p2.html window (this, by default, bypasses popup blocker. because the window is created in response to user action).
3) The page currently displayed on top, p2.html, instructs the user to accept the popup to open a movie player or whatnot; since unsolicited popups are an annoyance, not a security risk, even an educated user is likely to comply. To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm','new2',''), with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time).
4) When the user opens that particular popup, attacker-supplied HTML file is loaded and executed with local file read privileges (in the aforementioned example, the contents of BOOT.ini file would be reported back to the victim).
|
|
coredump.cx - http://lcamtuf.coredump.cx/