Topic: Chrome directory traversal hole in Firefox has a lot of impact!

Offline polonus

Chrome directory traversal hole in Firefox has a lot of impact!
« on: January 27, 2008, 04:52:10 PM »
Hi malware fighters,

The chrome directory traversal hole in Firefox is a hole with a lot of malicious potential.
The chrome protocol does not handle escape characters properly. So in this fashion
information can leak out and can get into the wrong hands.
This hole can be used to run arbitrary code files on a computer.
All extensions without jar extensions are vulnerable. As far as is known now, the vulnerability in the
Download Statusbar has been patched by its developer.
Through the ongoing cooperation inside the open source coders' world
and quickly applied patching, the impact of this hole was made smaller, but nevertheless
it is still there, hanging over our heads.

See:
https://bugzilla.mozilla.org/show_bug.cgi?id=413250

Well, yes, when you look at the source code, you immediately see why this is possible:
<script src='chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files%2fMozilla%20Thunderbird%2fgreprefs%2fall.js'></script>

In case you do not know your ASCII codes in hex right away :) this translates somewhat like:

<script src='chrome://downbar/content/../../../../../../../../../../../Program Files/Mozilla Thunderbird/greprefs/all.js'></script>

Now you see that whenever you have a flat extension installed, like Greasemonkey etc. (one that does not use a .jar to load its stuff), you can use whatever script file you like; and whenever that lands in the DOM, you can read the results out. Not such a glorious situation we have there.

You're lucky to have no Program Files :), or your Mozilla on a standard location.
Anyhow, a bug with a lot of "bite".

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
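The post shows why the encoded form matters: the `%2e%2e%2f` runs sit inside what looks like a single path segment, so a check that looks for a literal `../` or that splits the path before decoding never sees the traversal. The resolver below is an added example (not Firefox's own code, which lives in its C++ chrome protocol handler) that decodes first, then collapses `.` and `..` segments and refuses any URL whose path climbs out of the extension's content root; `CONTENT_URL` is the URL quoted in the post, the other inputs are constructed.

```javascript
// Constructed sample: the traversal URL from the post, plus a benign one.
const CONTENT_URL = "chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f" +
  "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files%2f" +
  "Mozilla%20Thunderbird%2fgreprefs%2fall.js";
const BENIGN_URL = "chrome://downbar/content/skin/../main.js"; // stays inside content/

// Weak check (what the bug amounts to): it only looks for a literal "../",
// so percent-encoded dots and slashes slip straight through.
function naiveCheck(url) {
  return !url.includes("../");
}

// Resolve a chrome:// URL into {pkg, provider, path, escaped}.
// Steps: 1) split off package and provider, 2) percent-decode the remainder,
// 3) normalise "." and ".." segments like a file system would. If ".." is
// seen with nothing left to pop, the path has escaped the provider root.
function resolveChromePath(url) {
  const m = /^chrome:\/\/([^/]+)\/([^/]+)\/(.*)$/.exec(url);
  if (!m) return null; // not a chrome URL, or no path at all
  const [, pkg, provider, rawPath] = m;
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // decode BEFORE splitting on "/"
  } catch (e) {
    return null; // malformed escape such as a lone "%"
  }
  const stack = [];
  for (const seg of decoded.split(/[\\/]+/)) { // treat "\" like "/" as well
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return { pkg, provider, path: null, escaped: true };
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return { pkg, provider, path: stack.join("/"), escaped: false };
}

// Hardened check: accept only URLs that resolve to a path inside the root.
function safeCheck(url) {
  const r = resolveChromePath(url);
  return r !== null && !r.escaped;
}
```

Running `naiveCheck(CONTENT_URL)` returns true (the traversal is accepted), while `safeCheck(CONTENT_URL)` returns false and `safeCheck(BENIGN_URL)` returns true with the path resolved to `main.js`.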

Offline polonus

Re: Chrome directory traversal hole in Firefox has a lot of impact!
« Reply #1 on: January 30, 2008, 07:23:59 PM »
Hi malware fighters,

The mentioned bug is so critical because of the many extensions that could cause traversal of session info, that it will be patched in the next version of Firefox, coming out soon: http://blog.mozilla.com/security/2008/01/29/status-update-for-chrome-protocol-directory-traversal-issue/

polonus