Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability
BID:13544
Info
Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability
| Bugtraq ID: | 13544 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-1476 CVE-2005-1477 |
| Remote: | Yes |
| Local: | No |
| Published: | May 07 2005 12:00AM |
| Updated: | Feb 28 2007 10:25PM |
| Credit: | The original discovery of this issue is credited to Paul <[email protected]>. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.0 4 powerpc Ubuntu Ubuntu Linux 5.0 4 i386 Ubuntu Ubuntu Linux 5.0 4 amd64 SuSE Linux Enterprise Server 9 SGI ProPack 3.0 SGI Advanced Linux Environment 3.0 SCO Unixware 7.1.4 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Linux Personal 9.2 x86_64 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 9.1 x86_64 S.u.S.E. Linux Personal 9.1 S.u.S.E. Linux Personal 9.0 x86_64 S.u.S.E. Linux Personal 9.0 Redhat Enterprise Linux WS 4 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 IA64 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux ES 4 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 IA64 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux AS 4 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 IA64 Redhat Enterprise Linux AS 2.1 Redhat Enterprise Linux Desktop version 4 Redhat Desktop 4.0 Redhat Desktop 3.0 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 Netscape Netscape 8.0 Netscape Netscape 7.2 Netscape Netscape 7.1 Netscape Netscape 7.0 Mozilla Firefox 1.0.3 Mozilla Firefox 1.0.2 Mozilla Firefox 1.0.1 Mozilla Firefox 1.0 Mozilla Firefox 0.10.1 Mozilla Firefox 0.10 Mozilla Firefox 0.9.3 Mozilla Firefox 0.9.2 Mozilla Firefox 0.9.1 Mozilla Firefox 0.9 rc Mozilla Firefox 0.9 Mozilla Firefox 0.8 Mozilla Firefox Preview Release Mozilla Browser 1.7.7 Mozilla Browser 1.7.6 Mozilla Browser 1.7.5 Mozilla Browser 1.7.4 Mozilla Browser 1.7.3 Mozilla Browser 1.7.2 Mozilla Browser 1.7.1 Mozilla Browser 1.7 rc3 Mozilla Browser 1.7 rc2 Mozilla Browser 1.7 rc1 Mozilla Browser 1.7 beta Mozilla Browser 1.7 alpha Mozilla Browser 1.7 Mozilla Browser 1.6 Mozilla Browser 1.5.1 Mozilla Browser 1.5 Mozilla Browser 1.4.4 Mozilla Browser 1.4.2 Mozilla Browser 1.4.1 Mozilla Browser 1.4 b Mozilla Browser 1.4 a Mozilla Browser 1.4 Mozilla Browser 1.3.1 Mozilla Browser 1.3 Mozilla Browser 1.2.1 Mozilla Browser 1.2 Beta Mozilla Browser 1.2 Alpha Mozilla Browser 1.2 Mozilla Browser 1.1 Beta Mozilla Browser 1.1 Alpha Mozilla Browser 1.1 Mozilla Browser 1.0.2 Mozilla Browser 1.0.1 Mozilla Browser 1.0 RC2 Mozilla Browser 1.0 RC1 Mozilla Browser 1.0 HP Secure Web Browser for OpenVMS Alpha 1.7 -7 |
| Not Vulnerable: |
Netscape Netscape 8.0.1 Mozilla Firefox 1.0.4 Mozilla Browser 1.7.8 HP Secure Web Browser for OpenVMS Alpha 1.7 -8 |
Discussion
Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability
Mozilla Firefox is prone to a security vulnerability that could result in the execution of arbitrary code without requiring user interaction.
Initial analysis of the vulnerability reveals that the it relies on a three-stage attack that may lead to an arbitrary script gaining 'UniversalXPConnect' privileges.
A remote atacker may be able to exploit this issue to take arbitrary actions on the vulnerable computer in the context of the user that is running the affcted browser.
This vulnerability is reported in all versions of Mozilla Firefox browsers up to 1.0.3.
To be exploitable, a site listed in a victim user's configuration to allow extension installation must be prone to a cross-site scripting vulnerability. By default, 'update.mozilla.org' and 'addon.mozilla.org' are both listed as trusted sites for extension installation.
*Update: The cross-site scripting vulnerability that the publicly available exploit relied on in the mozilla.org domain has been fixed. This issue is no longer exploitable through this public attack vector.
Mozilla Firefox is prone to a security vulnerability that could result in the execution of arbitrary code without requiring user interaction.
Initial analysis of the vulnerability reveals that the it relies on a three-stage attack that may lead to an arbitrary script gaining 'UniversalXPConnect' privileges.
A remote atacker may be able to exploit this issue to take arbitrary actions on the vulnerable computer in the context of the user that is running the affcted browser.
This vulnerability is reported in all versions of Mozilla Firefox browsers up to 1.0.3.
To be exploitable, a site listed in a victim user's configuration to allow extension installation must be prone to a cross-site scripting vulnerability. By default, 'update.mozilla.org' and 'addon.mozilla.org' are both listed as trusted sites for extension installation.
*Update: The cross-site scripting vulnerability that the publicly available exploit relied on in the mozilla.org domain has been fixed. This issue is no longer exploitable through this public attack vector.
Exploit / POC
Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability
Paul <[email protected]> released a proof-of-concept exploit (ffrc.txt).
The following exploit is available from john smith <edward11 postmaster co uk>; the exploit (yourinfo.zip) is modified from its original form to remove potentially harmful functionality. It is possibly a leaked and modified version of the proof-of-concept exploit released by Paul <[email protected]>.
Paul <[email protected]> released a proof-of-concept exploit (ffrc.txt).
The following exploit is available from john smith <edward11 postmaster co uk>; the exploit (yourinfo.zip) is modified from its original form to remove potentially harmful functionality. It is possibly a leaked and modified version of the proof-of-concept exploit released by Paul <[email protected]>.
Solution / Fix
Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability
Solution:
The vendor has released Firefox 1.0.4 to address this issue.
Please see the referenced advisories for more information.
Mozilla Firefox Preview Release
Mozilla Firefox 0.10
Mozilla Firefox 0.10.1
Mozilla Firefox 0.8
Mozilla Firefox 0.9
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.3
Mozilla Firefox 1.0
Mozilla Firefox 1.0.1
Mozilla Firefox 1.0.2
Mozilla Firefox 1.0.3
HP Secure Web Browser for OpenVMS Alpha 1.7 -7
Netscape Netscape 7.0
Netscape Netscape 7.1
Netscape Netscape 7.2
Netscape Netscape 8.0
Solution:
The vendor has released Firefox 1.0.4 to address this issue.
Please see the referenced advisories for more information.
Mozilla Firefox Preview Release
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.10
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.10.1
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.8
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.9
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.9 rc
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.9.1
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.9.2
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 0.9.3
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 1.0
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 1.0.1
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 1.0.2
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
Mozilla Firefox 1.0.3
-
Mozilla Firefox 1.0.4
http://www.mozilla.org/products/firefox/
HP Secure Web Browser for OpenVMS Alpha 1.7 -7
-
HP CSWB-OPENVMS-ALPHA-V178.SFX_AXPEXE
http://h71000.www7.hp.com/openvms/products/ips/cswb/cswb_download.html
Netscape Netscape 7.0
-
Netscape Netscape 8.0.1
http://browser.netscape.com/ns8/download/
Netscape Netscape 7.1
-
Netscape Netscape 8.0.1
http://browser.netscape.com/ns8/download/
Netscape Netscape 7.2
-
Netscape Netscape 8.0.1
http://browser.netscape.com/ns8/download/
Netscape Netscape 8.0
-
Netscape Netscape 8.0.1
http://browser.netscape.com/ns8/download/
References
Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability
References:
References:
- Bug 293302 - Firefox 1.0.3 Critical Vulnerability (Mozilla)
- Known Vulnerabilities in Mozilla (Mozilla)
- Mozilla Foundation Security Advisory 2005-42 - Code execution via javascript: I (Mozilla)
- Mozilla Homepage (Mozilla Foundation)
- RHSA-2005:434-10 - Important: firefox security update (RedHat)
- RHSA-2005:435-06 - Important: mozilla security update (RedHat)
- Security Alerts (Netscape)
- Security Alerts & Announcements (Mozilla)
- firefox 1.0.3 spoof+auto dl (john smith
) - Firefox Remote Compromise Leaked (Paul
) - Firefox Remote Compromise Technical Details (Paul
) - Re: firefox 1.0.3 spoof+auto dl (Paul
)