<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)



Well, :) I cannot see how you can force someone to type / at least
twice. Even if the targeted user writes a blog entry it is very
unlikely that he/she will use / . I guess this vector works well on
wikies and other systems that allow you to specify the text format
through meta-characters.

The cool think about stealing the address bar focus is that a confused
user will try to repeat typing the url again and that may give you
enough slashes and other characters to steal /etc/shadow or
/etc/passwd for example, which means that this attack vector can work
virtually every where. For example:

Joe visits eveil.com. He is not interested in the site but evil.com is
interested in his files. Joe types http://[what ever]. evil.com
hijacks the address bar focus. This is how they get the first /. Joe
will probably repeat to type stuff in the address bar again. The rest
of the characters are not obtained.

Now of course Joe will realise that he is not typing in the address
bar but he will probably think that either the browser is screwed up
or that he forgot to select the address bar first (it happens all the
time).

So, this is why I think that combination of both issues can create one
hell of a good attack.

Here is another idea.

Joe visits Betty's MySpace private page. The page contains XSS. On the
page there is an input box and a captcha. The user is asked to enter
the text in the captcha in order to access the page. The captcha is:

pde/t/aswsc

Joe enters the text but the he receives a complain that his input is
incorrect. The attacker repeats the process until all required
characters are entered into the FILE INPUT box.

simple.

On 2/11/07, Michal Zalewski <lcamtuf@xxxxxxxxxxxx> wrote:
On Sun, 11 Feb 2007, pdp (architect) wrote:

> here is an idea... we can combine both techniques into a single
> attack... the hardest part of your hack is to force the user to type
> :// plus several other /

Actually, MSIE doesn't require drive specification in the filename, and
will probably accept relative paths as well (so you might not need \
either when picking files from the desktop or 'my documents' or whatnot).

Firefox won't settle for a path without drive specification (but it will
accept SMB requests ;-). On *nix systems, of course, aiming /etc/passwd is
easier than C:\whatever.

The problem with intercepting address bar input is that you can't echo the
entered text back there without unloading the current document and its
scripts; in my examples, I tried to make sure that it's hard for the user
to notice that his input is not going where it should (in MSIE example,
this includes simulation of a blinking cursor).

/mz



--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org