Firefox 0day local file reading
By Thor Larholm
May 31, 2007 - 12:00 a.m.
vulners.com

RSnake mentioned a potential way to read security sensitive configuration settings from Firefox on ha.ckers.org, with an example PoC from Sergey Vzloman that used the resource:// URL protocol handler in Firefox. Unfortunately, the settings that were read were the default settings inside the Firefox install directory.

An example resource URL would be resource://gre/greprefs/security-prefs.js which reads the security-prefs.js file from your Firefox install directory, which on Windows could be C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js. Mozilla must have acknowledged the potential for directory traversal here, as they have blocked any attempts at including the string ..\ or ../ inside resource: requests.

BK demonstrated in the thread that Mozilla does not sanitize the input properly, and that you can circumvent this restriction by using ..%5C instead of ..\, which means that you can read arbitrary files from the local system by exposing the file contents as readable properties on SCRIPT or CSS tags.

For the sake of a demonstration, let's assume that you have a file called C:\resource.txt that contains

secretinfo = "steal me"

In this case you could expose the local file content to your website with the following script include.

<script src="resource://gre/..%5C..%5Cresource.txt"></script>

This would expose secretinfo as a JavaScript variable. If you are uncertain of the Firefox installation directory you can always append additional directory traversal separators, but see below for more on that.

Daniel Veditz opened up the ongoing Bugzilla report #367428, given that this is now being discussed in public, and from that report we can see that Mozilla has been struggling to fix this vulnerability since January 18 2007. We can also see that the currently proposed patches are only sanitizing input for the Windows platform and that Linux and Mac directory traversals have not been addressed.

It is good to see that Mozilla has picked up the pace now that this is public knowledge. However, even after they fix the directory traversal vulnerability we can still use the resource protocol to query and read any file inside the Firefox installation directory. This includes reading the update.xml, install.log or even browserconfig.properties which contains your homepage settings. It also allows us to query for the status of any installed plugin.

I don’t want to help out scrupulous advertisers with a ready-to-use script that hands them my homepage setting, so instead I have put up a simple PoC that demonstrates how to read your local Firefox install directory and the status of a few plugins. You can find that at http://larholm.com/misc/ffresourcefile.html :)

Regardless of how we look at this you can expect to see a Firefox 2.0.0.4 release very soon. My hope is, regardless of what patch makes it into the source tree, that access to the entire resource:// URL protocol handler is blocked for Internet sites.