Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Mozilla The Internet IT

Vulnerability In Firefox Popup Blocker 100

cj writes in with news of a vulnerability in Firefox's stock popup blocker discovered by Michal Zalewski. The vulnerability can allow a malicious user to read files from an affected system. The attacker would "need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't," according to the article.
This discussion has been archived. No new comments can be posted.

Vulnerability In Firefox Popup Blocker

Comments Filter:
  • by A beautiful mind ( 821714 ) on Tuesday February 06, 2007 @05:03PM (#17911916)
    From TFA:

    Vulnerable Systems:
    * Firefox version 1.5.0.9
    Can anyone test?
    • Re: (Score:3, Interesting)

      by Tony Hoyle ( 11698 )
      Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.
      • Re: (Score:3, Informative)

        Im using 1.5.0.9 at the moment, no 2.0 upgrade was ever pushed out to me, and checking now manually shows no updates waiting.
      • I use Ubuntu Dapper, and it hasn't updated to 2.0 yet, I type this running 1.5.0.9. I do not really understand the exploit, but it seems quite elaborate. There is no concept of proof that I can test over there, sorry. It doesn't say whether only Windows versions are susceptible either.
        • Re: (Score:2, Funny)

          "proof of concept" that is; I should go to bed
        • by porl ( 932021 )
          i don't think dapper will ever roll over to 2.x. from memory the firefox 1.5 code was buried too deeply in their customised gnome packages or something, so it was a major undertaking to pull it out. when i ran dapper though i found it easy to download and install firefox 2 off the official site and either run it from my home dir or install system wide, just install to /usr/local/bin etc and do something like ln -sf /usr/local/bin/firefox /usr/bin/firefox if you want to make it completely override the system
          • by starnix ( 636547 )
            Bullshit.... I have Dapper running FF 2.0.0.1 and it was very EASY to install it.
            • by HUADPE ( 903765 )

              Bullshit.... I have Dapper running FF 2.0.0.1 and it was very EASY to install it.

              From grandparent when i ran dapper though i found it easy to download and install firefox 2 off the official site

              Bullshit apparently now means "I agree with you."

              • Re: (Score:3, Funny)

                by Anonymous Coward
                Bullshit.
        • by aymanh ( 892834 )
          I used this script [psychocats.net] to install Firefox 2 on Dapper. It automatically downloads the latest version, installs it, integrates it with plugins installed through apt-get, and updates symbolic links. Works like a charm.
      • by rainman_bc ( 735332 ) on Tuesday February 06, 2007 @05:35PM (#17912586)
        Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.

        Fedora has no plans to officially release a 2.0 for FC6:

        http://fedoraproject.org/wiki/Firefox2 [fedoraproject.org]

        "Fedora users will be to stay with Firefox 1.5 and wait for the Firefox 3.0 update"

        That's left me a bit annoyed personally... I like the changes to FF2...
        • Re: (Score:3, Informative)

          by donaldm ( 919619 )
          When I put FC6 on my 64 bit dual core AMD laptop it came standard with Firefox 1.5 while OpenSUSE (put this on my son's PC) came with Firefox 2. To upgrade to version 2 was fairly easy since all I had to do was download the rpm then remove version 1.5 then install the rpm. Firefox 2 seems to work well and I can even install global or personal plug-ins. I have a 64 bit processor and most of my apps are 64 bits (including Firefox) have to use nspluginwrapper to add 32 bit plug-ins because some vendors (cough
        • by smoker2 ( 750216 )

          Fedora has no plans to officially release a 2.0 for FC6

          Back when FC4 was current, I got fed up with waiting for updates for FF from fedora, and even more fed up with broken updates for FF. So I uninstalled the FC release of Firefox, and downloaded a copy direct from the FF homepage. It has worked well, and been auto-updating without incident ever since.
          Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1

          On a tangent, why does the headline not say "Vulnerability in Win32 Fir

      • by hal9000(jr) ( 316943 ) on Tuesday February 06, 2007 @05:40PM (#17912666)
        Yep, on windows. I moved to FF2.0 when it came out, got hosed by java handling and other stuff, and jumped back to 1.5. I will wait a bit longer before I make the leap again.
      • by HeroreV ( 869368 )
        I don't believe Firefox can be upgraded from 1.5 to 2.0. So far only security patches have been released as updates.
      • by DrSkwid ( 118965 )
        not all operating systems are the same

        the upgrade pusher will not work for some, and neither should it
      • I'm still using 1.5.0.9, giving 2.0 a little bit of time for all or most of my favorite extensions to catch up, and some bugs to be resolved. (I'm also telling myself "I have to organize my bookmarks so I can switch," as if that's ever happening anyway.)
    • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Tuesday February 06, 2007 @05:13PM (#17912112) Homepage
      Can anyone test?

      Nope, because no example exploit is given and the means of exploitation looks rather unlikely:

      "To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm', 'new2',''),

      with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time)."

      1. It assumes that the temp file is c:/windows/temp. It isn't, unless you're running Windows 95, and only then if you've not changed it from default. That's the *system* default temp file. The *user* temp directory is inside local settings in the user specific area (much harder to find out remotely. Maybe not impossible, but you'd have to get lucky (it's not just the username as the directory name.. it has things like .000 after it).
      2. Calculating the seed to that accuracy is damned hard.
      • Re: (Score:2, Interesting)

        by iago-vL ( 760581 )
        For what it's worth, from Zalewski's original post,

        Firefox sometimes creates outright deterministic temporary filenames in system-wide temporary directory when opening files with external applications

        And according to him, calculating the seed isn't terribly difficult. srand() is called directly before the random file creation and is seeded with the current time, in milliseconds. That time is possible to obtain within a narrow margin using JavaScript.

        • Re: (Score:3, Interesting)

          by Tony Hoyle ( 11698 )
          I strongly doubt it does, because you'd fall foul of vista UAC protection - no user app should go near the systemwide temp directory (that's even if you can find it... %TEMP%, GetTempFileName, etc. will always give you the user one. AFAIK you have to dig into the registry to find the system one, or be running as a system service).

          Although a bug exists (file:// bypasses some of the security checks.. fixed already apparently) the theoretical exploit as written isn't usable - probably why there's no working e
          • I strongly doubt it does, because you'd fall foul of vista UAC protection

            How does that matter? It's not as if anybody is using Vista yet... :)

            On a serious note, is the system temp directory really not world-writeable in Vista?

            <rant>Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand? Every now and then I'll see an app crap itself because it can't create a temporary file... because the directory is full!. What the **** is up with that?! I've still got files in my user temp folder from when the m

            • by Carnildo ( 712617 ) on Tuesday February 06, 2007 @06:54PM (#17914036) Homepage Journal
              Thanks for the tip. I just checked my temp directory, and I've got stuff dating back to early 2001 in there.
            • by ESqVIP ( 782999 )

              Windows does clean it... well, sort of.

              When you're running low of disk space a warning appears, offering to run the Disk Cleanup tool [microsoft.com], which tries to remove unused temporary files (among other things).

              But I wonder why it doesn't erase those pesky thumbs.db files (by checking their last access date).

            • by evilviper ( 135110 ) on Tuesday February 06, 2007 @08:05PM (#17914908) Journal

              Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand?
              As opposed to Linux, which also doesn't clear /tmp?

              Windows is slightly worse, but not by a lot.
              • man tmpwatch
              • by mashade ( 912744 )
                Many linux distros keep /tmp as a ramdisk which means they're cleared the moment the machine is shut off. I believe Slackware clears /tmp at least partially on every boot, so... Go do some research ;)
                • by anagama ( 611277 )
                  What the heck? Are you trying to ruin my uptime???
                • Many linux distros keep /tmp as a ramdisk

                  By "many" do you perhaps mean "none"?

                  There's always the odd floppy or CD-based mini distro, but that's really not relevant.

                  I believe Slackware clears /tmp at least partially on every boot, so...

                  I just checked my Slackware machine's init scripts. It clears /tmp/.X11 lock files, but that's it.

                  Go do some research ;)

                  *Ahem*

            • by Zonnald ( 182951 )
              I think the idea is that the application that writes to the temp directory is supposed to remove it when it doesn't need it any more. This has mostly been my experience with software written by Microsoft. Especially annoying when such software crashes before the file is release/deleted and then can't recreate the file next time you run it. (VB6).
      • You kind of right. It is hard but not impossible or in fact very easy for skilled cracker.

        I've always liked MZ way of thinking. I've read his book. Usually his discoverings do not cover the mass side of a thing. He usually focuses on targeted attacks which are hard but possible - I mean attacks when you target some individual or organisation to get data, not when you want to have biggest coverage of zombies on casual-home-user-machines.

        Same as in here. If you are a security professional (I can guess - I am
        • Paranoia is good - I don't disagree that there's an issue that needs fixing, but the way it's presented is as if there's a general exploit, but it just isn't that easy.

          Clearly targeting a specific user where you knew information like the username and system setup beforehand would make this possible (independent of OS).

          • > Paranoia is good - I don't disagree that there's an issue that
            > needs fixing, but the way it's presented is as if there's a
            > general exploit, but it just isn't that easy.

            You mean how it is presented here (on Slashdot). Well you must be new here. ;))) They always present it like that - this is like lowest grade journalism. But I like the fact that users that read this kind of information are geek enough to understand that this is overhyped. It is some kind of local (global in fact) folklor that is
      • Yes, one can test the primary vulnerability quite easily and yes, it works in Firefox 2.0. The popup blocker allows users to retroactively open file: URLs which are called from webpages (http://...) even though Firefox normally blocks all such accesses. If you can place a file with a known pathname on the user's system, you can read every file. The PRN bug is only one way by which an attacker could place his helper file, the article mentions one more.
      • The exploit code does not work on my own computer (Ubuntu edgy, firefox 2.0.0.1)

        I just checked whether I could get the provided code to run at all, file:/// or http:/// [http] popup or not, nothing worked XMLHttpRequest.open() is not allowed in any scenario (including directed at external sites). That being said, I did manage to get the popup to display a file:/// url, so maybe there is some vulnerability there. But for my setup the exploit code doesn't do anything.
  • Windows only? (Score:5, Informative)

    by jimbobborg ( 128330 ) on Tuesday February 06, 2007 @05:10PM (#17912052)
    From the fine article:

    "When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. "

    So you have to MANUALLY disable the popup blocker on a site you don't know in order to make this work. Also, the article keeps talking about c:\whatever. It does not indicate if this is a vulnerability in a non-Windows system.
    • Re:Windows only? (Score:5, Informative)

      by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Tuesday February 06, 2007 @05:16PM (#17912184) Homepage
      From the text it's hardcoded to a specific installation of Windows (not even the default config). It wouldn't work on most systems.

      • The file:-opening bug is universal, only the URLs that are used would have to be adapted to different operating systems (easy, just look at the user-agent string). Even if you can't guess or calculate the temporary filename, there may be other vulnerabilities which allow an attacker to place a custom file with a known pathname on the victim's computer, which can then be called from a webpage and relay every file that is readable by the webbrowser.
    • by codepunk ( 167897 ) on Tuesday February 06, 2007 @05:21PM (#17912284)
      You have to chmod 777 every file in the root and home file systems, log in as root, open a port for ssh, disable ip tables and or ipchains and post the user name (root of course), password and ip to a irc channel, turn off pop up blocking...yep see it effects linux also.

      That is the lamest vulnerability post I have seen in a long time...really stretching here are we not?
      • Re: (Score:3, Funny)

        by bl8n8r ( 649187 )
        Crap... where's the undo button for Xchat?
      • That is the lamest vulnerability post I have seen in a long time...
        You sure about that? [slashdot.org]
      • If you have SE Linux running with a strict policy, it just doesn't matter if they do log in as root. They'd have to get into the correct role and level as well, which would be blocked.

        Even before levels were added, there used to be SE Linux systems on the net with public root passwords. (one Gentoo, and one either Debian or Red Hat) You could log in as root, look around a tad, append a message to a file, run a few processes... and that was about it. You couldn't load drivers, reboot, read log files, install
        • In other words, they had a regular user account with the name 'root' :)
          • The UID really was zero, which is NOT a regular user account. It's a normal root account.

            I couldn't even write to files that were world-writable, owned by root or not.

            Do an "ls -Z" on a default Fedora install to see what is going on. Fedora can be nearly like the system described if you install the "strict" policy.

            To admin the system, you need to change roles. No single role can do everything, and many role-to-role transitions are prohibited.
        • Even before levels were added, there used to be SE Linux systems on the net with public root passwords. (one Gentoo, and one either Debian or Red Hat) You could log in as root, look around a tad, append a message to a file, run a few processes... and that was about it. You couldn't load drivers, reboot, read log files, install software, etc. SE Linux locked the system down good and hard.
          so how exactly were theese boxes administered?

          unless there is an admin there with physical access who doesn't mind doing a
          • by r00t ( 33219 )
            To admin the system, you need to change roles. No single role can do everything, and many role-to-role transitions are prohibited.

            So there is NOT an administrative login that lets you do everything. There are numerous limited-capability administrative logins, sort of. They are not related to UID.

            First you'd log in as root, since the old UID-based system is still being enforced. You'd need to do this from the console to get put into a role which is able to transition to something interesting. Then you run th
            • First you'd log in as root, since the old UID-based system is still being enforced. You'd need to do this from the console to get put into a role which is able to transition to something interesting.
              so what you are saying is that while the people have the root password the box has been configured in such a way that a root login from remote isn't really root.

              which is ok if the admin has local acess to the machine but renders the system pretty useless otherwise.

    • Well, all it takes is a bit of social engineering to convince most users to disable the pop-up blocker for their site (after all, it's only like two clicks with the mouse). And really, do hackers care if they can infect Linux?
    • by mrgavins ( 49262 )
      Your explanation is slightly misleading. You don't need to "manually disable the popup blocker" to reproduce the popup opening part of the theoretical exploit. All you need to do is click "show popup [once]" option in the popup blocker UI for a blocked file:// popup.
  • No result back with either FF1.5.0.9 and FF 2.0.0.1 using remote page. Local works obviously.
  • Fixed (Score:5, Informative)

    by Anonymous Coward on Tuesday February 06, 2007 @05:31PM (#17912494)
  • bullshit (Score:2, Troll)

    by tomstdenis ( 446163 )
    Firefox/mozilla/etc run as your user. At most this would be able to infect my user, not the system. Even in windows, if you don't run as root it should be the same deal.

    This exploit requires you to download the exploit code then, click on a link with file:/// with CTRL down (to turn off popup blocking). Sounds less like an exploit of firefox and more of the stupid user who runs things.

    Tom
    • by Goaway ( 82658 )
      What exactly do you think a malicious app wants to do that it can't do when running under your user account?
    • Firefox/mozilla/etc run as your user. At most this would be able to infect my user, not the system.

      Oh good! So the most it can do is wipe out all your data!

      I sure do hope you're not a security consultant...

      • How does my comment show a lack of security concern? You want user apps to only run as the user. That's the point of privilege separation. If I had 30 users on a box, and one of them decides to run a virus, it should at most destroy their data.

        Also, this is why we backup data.

        Tom
    • Re: (Score:3, Insightful)

      by jesser ( 77961 )
      Firefox doesn't have a "Hold Ctrl to disable pop-up blocking" feature. Maybe you're thinking of another browser or a Firefox extension?

      This vulnerability involves the "Show blocked popup" feature, which you can activate from the status bar icon indicating that a popup was blocked. If the popup is allowed in the first place, the security check works correctly.
  • you mean the *other* browser has holes too?
  • Only 6% of my users so far this year are using Firefox 1.5x compared to 68% using Firefox 2.0. There are still about 4% of users who are using IE 6 without service pack 2 on XP (or are using IE6 on older versions of Windows). Point: it's a vulnerability that hackers won't bother to exploit and Mozilla will probably patch quickly anyway.
  • Good thing I'm using the Internet Explorer.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...