Mozilla may execute JavaScript with elevated privileges when defined in site icon tag

Overview

Mozilla may execute JavaScript contained within a site icon tag with elevated privileges. This may allow an attacker to execute arbitrary commands on a vulnerable system.

Description

XPCOM

XPCOM is a cross-platform component object model similar to Microsoft COM or CORBA. XPCOM provides the following features to software developers:

* Component management
* File abstraction
* Object message passing
* Memory Management

XPConnect

XPConnect enables simple interoperation between XPCOM and JavaScript. XPConnect allows JavaScript to access and manipulate XPCOM objects. It also allows JavaScript objects to present XPCOM compliant interfaces to be called by XPCOM objects.

Chrome

The Mozilla user interface components outside of the content area are created using chrome. This includes toolbars, menu bars, progress bars, and window title bars. Chrome provides content, locale, and skin information for the user interface.

Chrome script

Chrome scripts have elevated privileges. Because of the extra privileges, they can perform actions that web scripts cannot. Chrome scripts also do not prompt for permission before executing potentially dangerous commands, such as creating or calling XPCOM components.

Site icons

A site icon is an icon associated with a particular web site or page. This icon may appear in the address bar or bookmarks of the web browser. A web page can specify a site icon by using the <LINK REL="icon"> or <LINK REL="shortcut icon"> HTML tags.

The problem

Mozilla executes script within a LINK tag that specifies a site icon. This script is treated as a chrome script and is therefore granted extra privileges. By granting UniversalXPConnect privileges to itself, a chrome script can gain unrestricted access to browser APIs using XPConnect. A script with these privileges may create and execute arbitrary files on the local filesystem.

Impact

By convincing a user to view an HTML document (e.g., a web page), an attacker could execute arbitrary commands or code with the privileges of the user. The attacker could take any action as the user. If the user has administrative privileges, the attacker could take complete control of the user’s system.
We have received reports of active exploitation of this vulnerability.

---

Solution

Install an update
This issue is resolved in Firefox 1.0.4 and Mozilla Suite 1.7.8 according to the Mozilla Security Advisory 2005-43. The fix described in the Mozilla Security Advisory 2005-37 prevented an attack vector but did not fully address the vulnerability.

---

Disable site icons

By performing the following steps, it is possible to prevent Mozilla from retrieving and displaying site icons.

1. Enter “about:config” in Mozilla’s address bar. This will display Mozilla’s configuration values.
2. Set the following value to false:

browser.chrome.site_iconsDisable JavaScript

Disabling JavaScript appears to prevent exploitation of this vulnerability. Instructions for disabling JavaScript can be found in the Malicious Web Scripts FAQ.

Vendor Information

973309

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Mozilla __ Affected

Notified: April 20, 2005 Updated: May 06, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Mozilla Foundation Security Advisory 2005-37 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23973309 Feedback>).

Red Hat Software, Inc. __ Affected

Updated: August 01, 2005

Status

Affected

Vendor Statement

Updated Mozilla packages (for Red Hat Enterprise Linux 4, 3, and 2.1) and
updated Firefox packages (for Red Hat Enterprise Linux 4) to correct this issue
are available at the URL below and by using the Red Hat Network ‘up2date’ tool.

<http://rhn.redhat.com/errata/CAN-2005-1155.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.mozilla.org/security/announce/mfsa2005-37.html&gt;
• <http://www.mozilla.org/security/announce/mfsa2005-43.html&gt;
• <http://www.mikx.de/firelinking/&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=290036&gt;
• <https://bugzilla.mozilla.org/show_bug.cgi?id=204779&gt;
• <http://secunia.com/advisories/14938/&gt;
• <http://secunia.com/advisories/14992/&gt;
• <http://www.osvdb.org/displayvuln.php?osvdb_id=15686&gt;
• <http://xforce.iss.net/xforce/xfdb/20134&gt;
• <http://www.securityfocus.net/bid/13216/&gt;

Acknowledgements

This vulnerability was disclosed by the Mozilla Foundation, who in turn credits Michael Krax for reporting the information.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2005-1155
Severity Metric:	34.43 Date Public: