[Full-disclosure] Firefox 2.0.0.12 information leak vulnerability

2008-02-11T00:00:00
ID SECURITYVULNS:DOC:19064
Type securityvulns
Reporter Securityvulns
Modified 2008-02-11T00:00:00

Description

Don't blame the extension developers this time :)

You probably thought otherwise after they just released version 2.0.0.12. a couple of hours ago, that had a fix for numerous other vulnerabilities. But guess what? we are going to see 2.0.0.13 pretty soon I guess. I snared at Mozilla before: don't patch vulnerabilities for fifty percent, take the time and fix the cause. Because directory traversal through plugins is all nice and such, we don't need it. We can trick Firefox itself in traversing directories back. I found another information leak that is very serious because we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory, and this without any mandatory settings or plugins.

In the vulnerability we make use of the 'view-source:' scheme that allows us to source out the 'resource:' scheme. With it, we can view the source of any file located in the 'resource:///' directory, which translates back to: file:///C:/Program Files/Mozilla Firefox/. Then we only include the file inside it and it becomes available to a new page's DOM, and so we are able to read all settings.

Other issues can emerge also, this is only a short-hand proof of concept. Like always, more is possible. While chatting with Gareth Heyes, I came up with the vector in a couple of minutes. We talked about more issues which we probably are going to discuss very soon.

<script>

/ @name: Firefox <= 2.0.0.12 information leak pOc @date: Feb. 07 2008 @author: Ronald van den Heetkamp @url: http://www.0x000000.com /

pref = function(a,b) {

document.write( a + ' -> ' + b + '<br />');

};

</script>

<script src="view-source:resource:///greprefs/all.js"></script>


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/