Firescrolling 2 [Firefox 1.0.1)

__Summary

Even though Firefox 1.0.1 patched one of the key bugs behind my
firescrolling exploit (the ability of plugins to load chrome files in a
hidden frame) the ability to hijack a drag and drop operation and open a
privileged xul file is still available.

The demo opens "chrome://global/content/alerts/alert.xul" when dragging the
scrollbar the first time. This XUL file automaticly runs an inline script to
turn the window into a tray notification alert. This demo is just an example
of an annoying usage, but if the browser or an extension contains an inline
script that uses an eval/setTimeout with a parameter an attacker can
influence it turns into an arbitrary code execution bug. Also update or
uninstall scripts could be a valuable target. I doubt most extension
developers think about problems that could occure if a XUL file in their
extensions is opened directly.

__Proof-of-Concept

http://www.mikx.de/firescrolling2/

__Status

The bug is fixed in Firefox 1.0.2.

2005-03-09 Vendor informed (bugzilla.mozilla.org #285438)
2005-03-11 Vendor confirmed bug
2005-03-23 Vendor published fixed version and advisory
2005-03-24 Public disclosure

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0401 to this issue.

__Affected Software

Tested with Firefox 1.0.1

__Contact Informations

Michael Krax <[email protected]>
http://www.mikx.de/?p=12

mikx

–
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which
automatically notifies the perceived sender of a message it believes is infected may well cause more harm
than good. Someone who did not actually send you a virus may receive the notification and scramble their
support staff to find an infection which never existed in the first place. Suggest such notifications be
disabled by whomever is responsible for your AV, or at least that the idea is considered.