Mozilla browser "about:" exploit
Dec. 08, 2004, 08:08 AM
Post: #1
Here is a crash exploit which works on Mozilla browsers:
http://maas-online.nl/security/poc-mozilla-crash.html

The crash actually occurs when the browser tries to print an iframe, but I think that allowing the use of about:<string> is inadvisable when it comes from web pages. I wrote a filter to stop it. If anybody has any suggestions for improvement, I'd welcome them. For example, can other tags be used for such a thing, and is "src=" the only way in which something like that could be set up?

Code:
Name = "About: * Exploit (Mozilla)"
Dec. 08, 2004, 05:17 PM
Post: #2
I don't know which tags would be exploitable, but a common practice to create popups - including requested ones - is opening them as "about:blank" and then writing content to them via a script.

A fairly speedy way to cover all tags that can have a "src" attribute is:

Code:
[Patterns]

sidki
Dec. 09, 2004, 06:30 AM
Post: #3
Quote: A fairly speedy way to cover all tags that can have a "src" attribute is:

I was not trying to catch "src=", but "about:<whatever>" exploits. I read somewhere that many of the "about:*" codes can be exploited by malicious code, but had not thought much about it until this demo came along. Could a web page query my browser with, for instance, "about:plugins" to find out what plugins I had installed?
Dec. 09, 2004, 12:09 PM
Post: #4
Siamesecat Wrote:
Quote: I was not trying to catch "src=", but "about:<whatever>" exploits. I read somewhere that many of the "about:*" codes can be exploited by malicious code, but had not thought much about it until this demo came along.

Where? As you said, the exploit you referred to deals with printing an iframe source. "about:blank" was just an example, it works with "/nicepath/nicename.html" as well (and has been fixed in the nightly builds). See here for a "non-about" crash.

Quote: Could a web page query my browser with, for instance, "about:plugins" to find out what plugins I had installed?

Pages like "about:mozilla" work only locally, like that "I can see your hard disk!" followed by a "file:///c:/" iframe joke. The security relevant pages are disabled for remote webpages in Mozilla anyway - see here.

sidki
Dec. 09, 2004, 08:55 PM
Post: #5
Here's mine:

Code:
[Patterns]

It does the job, but it's pretty crude.
Dec. 10, 2004, 07:39 AM
Post: #6
Quote: The security relevant pages are disabled for remote webpages in Mozilla anyway - see here.

That's nice to know. The about: link still shows my browser's user-agent, however (as opposed to the fake one which I usually send).
Dec. 10, 2004, 08:13 AM
Post: #7
I have revised my filter. I am not sure how to capture the iframe part of the code into it. This does stop the crash, though.

Code:
Name = "Mozilla: Prevent Print Iframe Crash"
Dec. 10, 2004, 12:32 PM
Post: #8
Not that I want to get nasty, just for the fun of it, try again.
Dec. 12, 2004, 07:21 AM
Post: #9
OK, Sidki3003,
Here is my revision to the filter. How would I go about capturing the preceding iframe code as well?

Code:
Name = "Mozilla: Prevent Print Iframe Crash"
Dec. 12, 2004, 05:16 PM
Post: #10
I don't think you can specifically target this vulnerability with Prox language only, unless you block all printing from within a document, which is what you're doing in your last filter. In the latter case there is no need to do anything with the preceding iframe.

I tried to intercept the print method with a script, inserting a confirm dialog. It actually works with the usual print call "window.print()" but I didn't get it to work with "window.frames.ID.print()". There used to be some people around that were good in such things, like Paul Rupe and JarC/TEgghead, but now I don't know.

sidki
Dec. 12, 2004, 05:56 PM
Post: #11
sidki;
Quote: I tried to intercept the print method with a script, inserting a confirm dialog. It actually works with the usual print call "window.print()" but i didn't get it to work with "window.frames.ID.print()".

According to what I can find from my references, the print method is not truly a DOM method. Rather, it is dependent on the definitions found in the DTD. You might check that resource for further clues in solving your interception problem. If that turns out to be true, I should think that Prox(o|i) could easily come to the rescue.

Oddysey
I'm no longer in the rat race - the rats won't have me!
Dec. 12, 2004, 07:17 PM
Post: #12
Well... here is what i used, it works the same way as the interception of "window.open()" in Scott's WindowOpen.js :

Code:
var PrxRealPrint = window.print;

Feel free to fiddle with it if you like!

sidki
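The interception sidki describes, shown here as an added example rather than the script from the post (which is cut off above): the real print function is saved in a variable, print() is replaced by a wrapper that first asks for confirmation, and the same wrapper is applied to every frame the window exposes, which is what makes a call like window.frames.ID.print() go through the dialog as well. The window object, the frame named ID and the confirm callback are constructed stand-ins so the code runs outside a browser; in a page you would call guardPrint(window, window.confirm) instead.

```javascript
'use strict';

// Added example, not the script from the thread. Replaces print() on a
// window-like object with a wrapper that asks confirmFn first, then does the
// same for each frame the window exposes. The real print runs only when
// confirmFn returns true.
function guardPrint(win, confirmFn) {
  const realPrint = win.print;            // same idea as "var PrxRealPrint = window.print;"
  if (typeof realPrint === 'function' && !realPrint.prxGuarded) {
    const guarded = function () {
      // Ask the user before handing over to the browser's real print.
      if (confirmFn('This page wants to print. Allow?')) {
        return realPrint.apply(win, arguments);
      }
      return undefined;                   // refused: nothing is printed
    };
    guarded.prxGuarded = true;            // marker so running the guard twice is harmless
    win.print = guarded;
  }
  // window.frames.ID.print() resolves to the frame's own window object, so each
  // frame needs its own wrapper. Only same-origin frames can be patched; a
  // cross-origin frame throws on property access and is simply left alone.
  const frames = win.frames || [];
  for (let i = 0; i < frames.length; i++) {
    try {
      guardPrint(frames[i], confirmFn);
    } catch (e) {
      // cross-origin frame: not reachable from this script
    }
  }
  return win;
}

// Constructed stand-in for a browser window with one iframe named "ID"
// (fake objects for the demo; a real page passes window itself).
function makeFakeWindow() {
  const calls = { top: 0, frame: 0 };     // counts how many real prints ran
  const frameWin = { print: function () { calls.frame += 1; } };
  const frames = [frameWin];
  frames.ID = frameWin;                   // browsers expose frames by name as well as by index
  return { print: function () { calls.top += 1; }, frames: frames, calls: calls };
}

// Run both call styles through the guard with a fixed confirm answer and
// report how many real prints got through.
function demo(allow) {
  const win = makeFakeWindow();
  guardPrint(win, function () { return allow; });
  win.print();                            // the usual call
  win.frames.ID.print();                  // the frame call that the plain wrapper misses
  return win.calls;
}
```

Two limits are worth keeping in mind when using this in a page: the guard only reaches frames that exist when it runs, so an iframe inserted later by script is not covered unless guardPrint is run again, and a cross-origin frame cannot be patched at all since its window is not accessible from the parent.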
Dec. 12, 2004, 08:21 PM
Post: #13
Siamesecat Wrote:
Quote: Here is my revision to the filter. How would I go about capturing the preceding Iframe code as well? [...]

Rethinking, you could restrict blocking of "print" to only match if there was an iframe with an "id" or "name" attribute before. That would go like:

Code:
[Patterns]

But that would still be much of a big gun imo...

sidki
Dec. 12, 2004, 11:09 PM
Post: #14
sidki;
Hehehe - it took me about three seconds to realize that you can't be some young punk "programmer wanna-be" - not too many coders these days think of assigning a function call to a variable name!! [lol] That's a trick from way, way back, lemme tell you. Been awhile since I've seen that one, thanks for the rush of memories.

Now..... Why not set up a filter to capture the portions of a text-string between 'window' and 'print', assigning them to variables on the stack? Modifying your function above to use these stack vars, it becomes generic in that once Proxo has expanded those variables back into string form, javascript can then properly decipher said string, and will equate it with the proper DOM object - in this case, the print method. Seems to me it outta work, but as usual, it will require more than one filter to do the job. Sigh.

Gotta go for the rest of the day, I'll check back in tomorrow, Monday. Ciao!

Oddysey
I'm no longer in the rat race - the rats won't have me!
Dec. 13, 2004, 02:32 AM
Post: #15
GA Oddysey, post some code.