BugTraq
Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 14 2007 10:23PM
Michal Zalewski (lcamtuf dione ids pl) (2 replies)
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 15 2007 02:31PM
pdp (architect) (pdp gnucitizen googlemail com) (1 replies)
very good work

I wander whether we can execute code on about:config or about:cache.
Right now we can only modify cookies and bypass the same origin
policy. If we can get JavaScript running on about:cache or
about:config or some chrome URL, we might be able to completely hijack
the browser.

If that is possible, the severity level of this issue is more then HIGH.

On 2/14/07, Michal Zalewski <lcamtuf (at) dione.ids (dot) pl [email concealed]> wrote:
> There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1,
> but quite certainly affecting all recent versions.
>
> The problem lies in how Firefox handles writes to the 'location.hostname'
> DOM property. It is possible for a script to set it to values that would
> not otherwise be accepted as a hostname when parsing a regular URL -
> including a string containing \x00.
>
> Doing this prompts a peculiar behavior: internally, DOM string variables
> are not NUL-terminated, and as such, most of checks will consider
> 'evil.com\x00foo.example.com' to be a part of *.example.com domain. The
> DNS resolver, however, and much of the remaining browser code, operates on
> ASCIZ strings native to C/C++ instead, treating the aforementioned example
> as 'evil.com'.
>
> This makes it possible for evil.com to modify location.hostname as
> described above, and have the resulting HTTP request still sent to
> evil.com. Once the new page is loaded, the attacker will be able to set
> cookies for *.example.com; he'll be also able to alter document.domain
> accordingly, in order to bypass the same-origin policy for XMLHttpRequest
> and cross-frame / cross-window data access.
>
> A quick demonstration is available here:
>
> http://lcamtuf.dione.cc/ffhostname.html
>
> If you want to confirm a successful exploitation, check Tools -> Options
> -> Privacy -> Show Cookies... for coredump.cx after the test; for the demo
> to succeed, the browser needs to have Javascript enabled, and must accept
> session cookies.
>
> The impact is quite severe: malicious sites can manipulate authentication
> cookies for third-party webpages, and, by the virtue of bypassing
> same-origin policy, can possibly tamper with the way these sites are
> displayed or how they work.
>
> Regards,
> /mz
> http://lcamtuf.coredump.cx/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

[ reply ]
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 15 2007 02:58PM
Michal Zalewski (lcamtuf dione ids pl) (1 replies)
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 15 2007 03:17PM
pdp (architect) (pdp gnucitizen googlemail com) (1 replies)
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 15 2007 03:25PM
pdp (architect) (pdp gnucitizen googlemail com) (1 replies)
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 16 2007 07:31AM
Base64 (base640 gmail com) (1 replies)
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 22 2007 01:08AM
Michal Zalewski (lcamtuf dione ids pl)
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 14 2007 11:27PM
Ben Bucksch (news bucksch org) (1 replies)
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability Feb 14 2007 11:33PM
Peter Besenbruch (prb lava net) (1 replies)


 

Privacy Statement
Copyright 2010, SecurityFocus