Nine vulnerabilities have been identified in the Mozilla Suite and Mozilla Firefox. A malicious website can exploit them to execute arbitrary code with the browser's privileges, steal local data or browser memory contents, or conduct cross-site scripting attacks.
1) moz_bug_r_a4 reported several exploits giving an attacker the ability to
install malicious code or steal data, requiring only that the user perform
commonplace actions such as clicking a link or opening the context menu. The
common cause in each case was privileged UI code ("chrome") being overly trusting
of DOM nodes handed to it from the content window, whose properties and methods
can be overridden by page script.
2) The native implementations of InstallTrigger and other XPInstall-related
JavaScript objects did not verify that they were invoked on an instance of the
expected native type before using it. Calling them on some other object, or even
on a raw number, made the JavaScript engine treat that value as a pointer and
jump to the wrong place in memory (a type-confusion flaw).
3) Sites can use the _search target to open links in the Firefox sidebar. Two
missing security checks allow a malicious script to first open a privileged page
(such as about:config) in the sidebar and then inject script into it with a
javascript: URL, which then runs with that page's privileges. This could be used
to install malicious code or steal data without user interaction.
4) A malicious search plugin could run JavaScript in the context of the page
that displays the results each time a search is run. This could be used to
conduct cross-site scripting attacks against that site.
5) Firefox and the Mozilla Suite support custom "favicons" through the <link>
tag. If a link tag is added to the page programmatically and its href is a
javascript: URL, the script runs with elevated (chrome) privileges and could run
or install malicious software.
6) A malicious script could define a setter function for a global variable known
to be used by a popular site; if the user then browses to that site, the setter
runs inside that page when the site assigns to the variable. This would allow
the setter script to steal cookies or the contents of the page, or potentially
perform actions on the user's behalf (such as making purchases or deleting
webmail), depending heavily on how the site is designed.
7) When a popup is blocked the user is given the ability to open that one popup
through the popup-blocking status bar icon and, in Firefox, through the infobar.
If the blocked popup's URL is a javascript: URL, selecting "Show javascript:..."
from the infobar or the status bar icon's menu runs that script with elevated
privileges, which could be used to install malicious software.
8) When a web page requires a plugin that is not installed, the user can click
to launch the Plugin Finder Service (PFS) to find an appropriate plugin. If
the service does not have an appropriate plugin, the EMBED tag is checked for
a PLUGINSPAGE attribute, and if one is found the PFS dialog shows a "manual
install" button that loads the PLUGINSPAGE URL. If the PLUGINSPAGE attribute
contains a javascript: URL, pressing the button runs that script with the
dialog's privileges, capable of stealing local data or installing malicious code.
9) A bug in JavaScript's regular-expression string replacement, when an
anonymous function is passed as the replacement argument, lets a malicious
script read blocks of memory allocated to the browser. A web site could capture
that data and transmit it to a server without user interaction or knowledge.
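Items 3, 5, 7 and 8 share one root cause: a URL supplied by content reached a code path that loaded it with chrome privileges, and nothing refused script schemes first. The following is an added example, not code from the advisory or from Mozilla, of the kind of scheme check a practitioner would put in front of such a load. It handles the usual evasions (mixed case, leading whitespace, embedded tab or newline, vbscript: and data:), refuses privileged schemes such as chrome: and about: by allow-listing rather than deny-listing, and runs over a constructed set of sample URLs. The real fix in the advisories enforced the calling page's principal rather than matching strings, so treat this as a defence-in-depth filter, not a replacement for that check.

```javascript
// Added example (not from the advisory): refuse script and privileged URL
// schemes before loading a content-supplied URL (favicon, sidebar page,
// popup, PLUGINSPAGE). Sample inputs below are constructed for illustration.

// Schemes that execute script or carry arbitrary HTML when loaded.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript", "livescript", "data"]);

// Allow-list: anything not here (chrome:, about:, file:, resource:) is refused.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Browsers strip leading/trailing C0 controls and spaces from a URL and remove
// tab/newline anywhere before parsing, so "\tjavascript:" and "java\tscript:"
// both end up as javascript:. A check must canonicalise the same way or a
// naive startsWith("javascript:") is bypassed.
function canonicalScheme(url) {
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;   // null: relative URL, no scheme
}

// baseScheme is the scheme of the document that supplied the URL; a relative
// URL resolves against it, so it is only as safe as that document's scheme.
function isSafeResourceUrl(url, baseScheme = "https") {
  const scheme = canonicalScheme(url);
  if (scheme === null) return ALLOWED_SCHEMES.has(baseScheme);
  if (SCRIPT_SCHEMES.has(scheme)) return false;
  return ALLOWED_SCHEMES.has(scheme);
}

// Constructed samples: [url, expected verdict].
const SAMPLES = [
  ["https://example.com/favicon.ico", true],
  ["/favicon.ico", true],
  ["javascript:alert(1)", false],
  ["JaVaScRiPt:alert(1)", false],
  ["  javascript:alert(1)", false],
  ["java\tscript:alert(1)", false],
  ["data:text/html,<script>alert(1)</script>", false],
  ["vbscript:MsgBox(1)", false],
  ["about:config", false],
  ["chrome://browser/content/browser.xul", false],
  ["file:///etc/passwd", false],
];

// Returns one record per sample so the verdicts can be inspected or asserted.
function checkSamples() {
  return SAMPLES.map(([url, expected]) => {
    const safe = isSafeResourceUrl(url);
    return { url, scheme: canonicalScheme(url), safe, ok: safe === expected };
  });
}

// Stand-alone run: print any sample whose verdict differs from expectation.
for (const r of checkSamples()) {
  if (!r.ok) console.log("UNEXPECTED", r);
}
```

The allow-list matters more than the script-scheme set: the sidebar (item 3) and PFS (item 8) cases are dangerous precisely because a content URL could name a privileged page, and only an allow-list of web schemes closes that class rather than the single javascript: instance.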
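Item 6 depends on an accessor planted on a global name surviving until the victim site assigns to it. The example below is added here, not taken from the advisory or from Mozilla, and shows only the setter mechanism inside one JavaScript scope (modern browsers give each document its own global, so the cross-site persistence that made this a vulnerability no longer exists). The names sessionToken and attackerLog are constructed. The isPoisonedGlobal check is the practitioner-side caveat: a site that finds an accessor where it expects a plain data property has evidence of scope pollution.

```javascript
// Added example (not from the advisory): a setter defined on a shared global
// intercepts a later assignment by unrelated code, which is the mechanism of
// item 6. All names and values are constructed for illustration.

// Where the hypothetical attacker-controlled setter records captured values.
const attackerLog = [];

// Step 1: hostile script defines an accessor on a global name it expects the
// victim site to write to later. The pass-through getter keeps the site
// working, so the theft is silent.
function plantSetter(name) {
  let shadow;
  Object.defineProperty(globalThis, name, {
    configurable: true,
    enumerable: true,
    get() { return shadow; },
    set(value) {
      attackerLog.push({ name, value });   // exfiltration point
      shadow = value;                      // keep the site's view consistent
    },
  });
}

// Step 2: the victim site's own code assigns to the global, unaware of the trap.
function victimSiteInit() {
  globalThis.sessionToken = "s3cr3t-session-token";   // constructed secret
  return globalThis.sessionToken;
}

// Defensive check: a global the site expects to own should be a data property.
// An accessor (get/set) on it means something else defined it first.
function isPoisonedGlobal(name) {
  const d = Object.getOwnPropertyDescriptor(globalThis, name);
  return !!d && (typeof d.get === "function" || typeof d.set === "function");
}

// Hardened initialisation: refuse to use a poisoned global and replace it with
// a non-configurable data property so a later redefinition fails loudly.
function victimSiteInitHardened() {
  if (isPoisonedGlobal("sessionToken")) {
    delete globalThis.sessionToken;   // possible only because attacker left it configurable
    Object.defineProperty(globalThis, "sessionToken", {
      value: "s3cr3t-session-token",
      writable: true,
      configurable: false,
      enumerable: true,
    });
    return { poisoned: true, token: globalThis.sessionToken };
  }
  globalThis.sessionToken = "s3cr3t-session-token";
  return { poisoned: false, token: globalThis.sessionToken };
}

// Runs the scenario end to end and returns what each side observed.
function demo() {
  plantSetter("sessionToken");
  const poisonedBefore = isPoisonedGlobal("sessionToken");
  const naive = victimSiteInit();                  // leaks through the setter
  const capturedAfterNaive = attackerLog.map((e) => e.value);
  const hardened = victimSiteInitHardened();       // detects and replaces it
  const capturedAfterHardened = attackerLog.map((e) => e.value);
  return { poisonedBefore, naive, capturedAfterNaive, hardened, capturedAfterHardened,
           poisonedAfter: isPoisonedGlobal("sessionToken") };
}
```

Note that the hardened path only works because the planted accessor was configurable; the in-browser fix (clearing the global scope on navigation) is what actually removes the attacker's foothold, and the detection here is a site-side tripwire rather than a cure.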
SOFTWARE:
Mozilla 0.x
Mozilla 1.x
Mozilla 1.7.x
Mozilla Firefox 0.x
Mozilla Firefox 1.x
SOLUTION:
Update to Mozilla Firefox 1.0.3 or Mozilla Suite 1.7.7, the releases that ship the fixes referenced in the advisories below. As an interim workaround, disable JavaScript support.
PROVIDED AND/OR DISCOVERED BY:
moz_bug_r_a4, Georgi Guninski, Kohei Yoshino, Michael Krax, Doron Rosenberg,
Omar Khan, Azafran, Vladimir V. Perepelitsa
ORIGINAL ADVISORY:
Mozilla Foundation Security Advisories (MFSA 2005-33 through 2005-41):
http://www.mozilla.org/security/announce/mfsa2005-41.html
http://www.mozilla.org/security/announce/mfsa2005-40.html
http://www.mozilla.org/security/announce/mfsa2005-39.html
http://www.mozilla.org/security/announce/mfsa2005-38.html
http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-36.html
http://www.mozilla.org/security/announce/mfsa2005-35.html
http://www.mozilla.org/security/announce/mfsa2005-34.html
http://www.mozilla.org/security/announce/mfsa2005-33.html
VERIFY ADVISORY:
http://www.frsirt.com/english/advisories/2005/0361
http://www.frsirt.com/english/advisories/2005/0312
http://community.securityteam.us/article.php/20050416110646104