Re: Mozilla protocol abuse

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: Mozilla protocol abuse
From: Thor Larholm <seclists@xxxxxxxxxxx>
Date: Thu, 26 Jul 2007 03:32:15 +0200
In-reply-to: <46A79AF7.8070104@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <46A79AF7.8070104@xxxxxxxxxxx>
Reply-to: seclists@xxxxxxxxxxx
User-agent: Thunderbird 2.0.0.5 (Windows/20070716)

Since I published this report it has come to my attention thatThunderbird 1.5, unlike Thunderbird 2.0, has not been patched with the"osint" security flag. As such all Thunderbird 1.5 users are vulnerableagainst this attack and those exploits. Now would be a good time toupgrade to Thunderbird 2.0.


http://larholm.com/2007/07/26/thunderbird-15-has-not-been-patched-with-osint/

Regards
Thor Larholm


Thor Larholm wrote:

The Mozilla application platform currently has an unpatched inputvalidation flaw which allows you to specify arbitrary command linearguments to any registered URL protocol handler process. JesperJohansson already detailed parts of this on his blog on July 20,http://msinfluentials.com/blogs/jesper/. I wrote a vulnerabilityreport on July 18 together with a proof-of-concept exploit thattargeted Thunderbird 2.0.0.4.
Thunderbird 2.0.0.5 was released on July 19 and incidentally fixedthis specific attack vector through its "osint" command line flag. Itis now 6 days later and people should have had time to update theirThunderbird installations, so I have decided to publish myvulnerability report together with the exploits as they detail how tohandle XPI exploitation.
The HTML version can be found at

http://larholm.com/2007/07/25/mozilla-protocol-abuse/

A ZIP file with the report and the XPI exploits can be found at

http://larholm.com/media/2007/7/mozillaprotocolabuse.zip

Cheers
Thor Larholm

References:
- Mozilla protocol abuse
  - From: Thor Larholm

Prev by Date: RE: [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities
Next by Date: Dependet Forums (Username Field) Remote SQL Injection
Previous by thread: Re: [Full-disclosure] Mozilla protocol abuse
Next by thread: [ GLSA 200707-09 ] GIMP: Multiple integer overflows
Index(es):
- Date
- Thread