Firesearching 1 + 2 [Firefox 1.0.2]

To: <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Firesearching 1 + 2 [Firefox 1.0.2]
From: "mikx" <mikx@xxxxxxx>
Date: Mon, 18 Apr 2005 12:58:33 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: "mikx" <mikx@xxxxxxx>

__Notice

I really wonder why the Mozilla Foundation decided to release a serioussecurity update on a friday night and to disclose the link to myproof-of-concept code so quickly. It wasn't intendet from my side to releasethis as a 0day exploit. Please complain to security@xxxxxxxxxxx if youdisagree with their release policy.


__Summary

The search plugin technology in Firefox is based on Apple's sherlock files,a simple text format to syndicate a search engine interface. The installerand parser of those files contain design bugs that allow to create a searcheninge that works as a spyware tool and/or execution vehicle for arbitrarycode.


Firesearching 1

By creating a special sherlock file it is possible to run javascript code inthe security context of the currently active tab. This allows to createsearch engines that silently monitor all website displayed while searching(e.g. to steal sessions cookies) and/or that wait for a privileged page(e.g. chrome or about:config) to run arbitrary code.

The demo adds a new search engine (called Firesearching) by callingsidebar.addSearchEngine() that behaves like a normal Google search. Whensearching with that engine an alert shows that the engine has javascriptaccess to the currently active tab. An attacker could silently send theinformation to another host instead.


Firesearching 2

By creating a special sherlock file it is possible to overwrite an existingsearch engine without a chance for the user to see what is going on. Thedisplayed name in the confirmation dialog is given as the third parameter ofsidebar.addSearchEngine(), but the displayed name in the search dropdown istaken from the sherlock file. This way it is possible to overwrite thedefault Google search with a modified version that monitors the data and/orwaits for a chance to run code. The string "google.src" in the source URLgot also be moved out of the dialog by supplying a really long URL to thesherlock file (the dialog just cuts the source URL when it's getting toolong).

The user will probably think the search engine installation just failed,because after confirming the installation dialog Firefox never displays anerror messages if the installation failed because e.g. the sherlock file isbroken or not found. Since there is no UI to see details about the installedsearches a common user will probably never find out that the default Googlesearch got modified. Using the built in sherlock update feature an attackeralso gets a decent update mechanism to modifiy the scripts beyond theinitial infection.


__Proof-of-Concept

http://www.mikx.de/firesearching/

__Status

The bugs are fixed in Firefox 1.0.3. Don't install search plugins as aworkaround.


2005-04-12 Vendor informed (bugzilla.mozilla.org #290037 and #290038)
2005-04-12 Vendor confirmed bug
2005-04-15 Vendor published fix, advisory and link to PoC (mfsa2005-38)
2005-04-18 This advisory

__Affected Software

Tested with Firefox 1.0.2

__Contact Informations

Michael Krax <mikx@xxxxxxx>
http://www.mikx.de/?p=14

mikx

Prev by Date: [ECL] Windows IP Options DoS POC [ECL]
Next by Date: Re: Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below
Previous by thread: [ECL] Windows IP Options DoS POC [ECL]
Next by thread: phpBB - Knowledge Base MOD - SQL-Injection and Full Path Disclosure
Index(es):
- Date
- Thread