Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: nmcfeters
Date: July 24, 2007 03:39PM

Rios, Raghav, and I are back with more. Of course, everyone's been wondering, pointing fingers, whose fault is all this Cross Application/Browser Scripting stuff? We've been saying it's everyone's fault... the proof is in your browser.

The following page (http://xs-sniper.com/blog/remote-command-exec-firefox-2005/) outlines a number of command injection flaws within Firefox 2.0.5 (and up to the new 3.0 alpha), Netscape Navigator 9, and Mozilla. These command injections are leverageable from a Cross Site Scripting attack.

Commend Mozilla for the quick response to the original issue that was posted, which has been blamed on IE/Mozilla/My Mom/Billy's Sister and everyone in between. They certainly handled it quickly. Hopefully these will be handled quickly as well, but I think the point is that the blame goes across the board. The browsers that recognized the URIs and allow special characters to be passed, the developers who created and registered the URIs. We should also commend Trillian (Cerulean Studios) for the quick response and patch.

The cat is out of the bag, it's time to stop pointing fingers. The fix is to remove these URIs, not just sanitize the input. There will be more coming.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: Anonymous User
Date: July 24, 2007 09:01PM

This is terrible, really.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: hackathology
Date: July 25, 2007 12:39AM

Thumbs up to you. Cool shit!! Blog about it in my blog, do check it out.

http://hackathology.blogspot.com



Edited 1 time(s). Last edit at 07/25/2007 01:16AM by hackathology.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: ma1
Date: July 25, 2007 02:05AM

You may want to add that the relevant Mozilla bug was fixed 2 days ago.
This means that already available Minefield builds and Firefox 2.0.0.6 release candidates are immune.

Furthermore, NoScript 1.1.6.06 (released yesterday) gives early protection against this exploit for those stuck with stable 2.0.0.5.

Nevertheless, URI handlers (in their Windows implementation, at least) are definitely evil...

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: hackathology
Date: July 25, 2007 03:10AM

thanks ma1

http://hackathology.blogspot.com



Edited 1 time(s). Last edit at 07/25/2007 03:10AM by hackathology.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: Anonymous User
Date: July 25, 2007 03:23AM

Plus - you can of course wrap any of those URIs in base64 and trigger the execution via dataURL.

PoC
------ removed ------

Again it's possible to obfuscate with spaces, use arbitrary charsets (UTF16, UTF7...)

Greetings,
.mario



Edited 1 time(s). Last edit at 07/26/2007 02:38PM by .mario.
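
The data: URL wrapping described in the post above is why a filter that string-matches URI schemes misses them. As an added example (not part of the thread, and not the removed PoC), this Python sketch unwraps data: URLs before checking schemes against an allowlist; `ALLOWED`, `MAX_DEPTH`, the attribute heuristic and the `examplehandler:` placeholder scheme are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# Assumption: the only schemes this policy lets content reference.
ALLOWED = {"http", "https"}
MAX_DEPTH = 4  # data: URLs nested deeper than this are rejected
SCHEME = re.compile(r"\s*([a-z][a-z0-9+.\-]*):", re.I)
ATTR = re.compile(r"""(?:href|src|action|url)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

def decode_data_url(url):
    """Return the text carried by a data: URL, or None if it cannot be decoded."""
    head, sep, body = url.partition(",")
    if not sep:
        return None
    params = [p.strip().lower() for p in head.split(":", 1)[1].split(";")]
    charset = next((p[8:] for p in params if p.startswith("charset=")), "latin-1")
    raw = unquote_to_bytes(body)
    try:
        if "base64" in params:
            raw = re.sub(rb"\s+", b"", raw)           # spaces inserted into the base64
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        return raw.decode(charset)                     # honours utf-16, utf-7, ...
    except (binascii.Error, LookupError, UnicodeError):
        return None

def schemes_reached(url, depth=0):
    """Non-allowlisted schemes a URL leads to, looking inside data: wrappers."""
    url = re.sub(r"[\t\r\n]", "", url)                 # browsers drop these from URLs
    m = SCHEME.match(url)
    if not m:
        return set()                                   # relative reference
    scheme = m.group(1).lower()
    if scheme != "data":
        return set() if scheme in ALLOWED else {scheme}
    text = decode_data_url(url) if depth < MAX_DEPTH else None
    if text is None:
        return {"data:undecodable"}                    # fail closed
    found = set()
    for groups in ATTR.findall(text):                  # heuristic: URL-bearing attributes
        found |= schemes_reached("".join(groups), depth + 1)
    return found

# Constructed sample: a placeholder scheme wrapped as UTF-16 base64 with spaces.
_b64 = base64.b64encode('<a href="examplehandler:constructed">x</a>'.encode("utf-16")).decode()
SAMPLE = "data:text/html;charset=utf-16;base64," + " ".join(
    _b64[i:i + 4] for i in range(0, len(_b64), 4))

if __name__ == "__main__":
    print(schemes_reached(SAMPLE))
```

The attribute regex is a heuristic and does not see URLs built by script inside the decoded document, so it complements removing or restricting the handlers rather than replacing that.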
