> From: Mind Warper [mailto:mindwarper (at) linuxmail (dot) org [email concealed]]
>
> Since the known cache file names have no extention by default
> on windows, if the attacker uses the NULL
> byte bug, he/she can cause mozilla to show the contents of
> one of the cache files as an html file,
> and therefore cause mozilla to execute whatever scripts that
> exist in the cache files.

Within the limitations of the security settings for the browser. If you
have Java/JS disabled, the attack won't work.

> The first vulnerability does not require an exploit.
> On windows 2000, there are 3 cache files with known names. They are:
>
> 1. C:\Documents and Settings\Administrator\Application
> Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_001_
> [ This cache file stores the http headers ]
>
> 2. C:\Documents and Settings\Administrator\Application
> Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
> 3. C:\Documents and Settings\Administrator\Application
> Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
> [ These 2 cache files store the html data ]

The profile folder isn't consistent. The default folder created during the
install has an extension that changes. On my machine, for example, the
folder created was default.cuo. If you set up additional profiles, the
default folder name is "Default User" and you can change it from within the
profile creation wizard. You also have to know the Windows username to
create the path.

While the above does work if you change the path to match your
configuration, the _CACHE_002_ and _CACHE_003_ files don't contain complete
copies of the HTML files, so it's not guaranteed that a malicious script
would be there. The actual cache files are named with non-sequential,
32-bit numbers.

[ reply ]