IE, Firefox Share Vulnerability

Submitted by flanque 2007-02-27 Privacy, Security 21 Comments

Internet Explorer 7 and Firefox 2.0 share a logic flaw. The issue is actually more severe, as the two versions of the Microsoft and Mozilla browsers are not the only ones affected. In this regard, the vulnerability impacts Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 7 but also Firefox 1.5.0.9. Microsoft has stressed the fact that IE7 on Windows Vista is not affected in any manner.

About The Author

Thom Holwerda

Follow me on Mastodon @[email protected]

21 Comments

2007-02-27 6:03 pm

Almafeta
A piece of software has a bug in it. Software reverse-engineered from the main piece of sofware has the same bug in it. Film at 11.

2007-02-27 6:37 pm

Tanner
Is this FUD?

So for you Firefox is a reverse engineered version of IE…

Don’t you know that HTML is a markup language universally known, so you can make yourself your personal rendering engine for html pages.. Would it be a reverse-engineered version of MS Internet Explorer? ….

….

-__- my god.

2007-02-27 9:15 pm

Nico57
Don’t think that’s the way he meant it.

Try it again changing IE for Firefox and vice versa.

2007-02-27 6:05 pm

NxStY
I tried the demonstration at:

http://lcamtuf.coredump.cx/focusbug/ffversion.html

And nothing happened. This is Firefox 2.0.0.2 on XP. Perhaps the demonstration is buggy.

2007-02-27 6:54 pm

pandronic
It worked here.

Firefox 2.0.0.2, WinXP SP2, running with admin user.

2007-02-27 10:49 pm

cg0def
hey dude, I am running XP SP2 with all the latest patches applied and Firefox 2.0.2 and this exploit NO LONGER WORKS. So next time get your story straight and then post.

2007-02-28 12:35 am

umccullough
I am running XP SP2 with all the latest patches applied and Firefox 2.0.2 and this exploit NO LONGER WORKS

Same here, and it works fine. Damn, must suck when you can’t even get a perfectly working exploit to work

2007-02-28 1:05 am

smitty
Just to reiterate, yes it does work with Firefox 2.0.0.2 and XP SP2.

2007-02-28 8:01 pm

Snifflez
Are you logged as an admin or a user with ‘read’ rights to C:oot.ini ?

2007-02-27 6:50 pm

umccullough
So, it appears that using Javascript, the page is redirecting select input from the user to the file input box – and then uploading the file to the server once complete.

This doesn’t really surprise me – but I wouldn’t have thought of it

So, mitigating factors appear to be: Have an exploitable browser, have a C:boot.ini (although any file could be used for this), have administrative priveleges (so that accessing boot.ini is possible for the browser in the first place) and have Javascript enabled.

For the record, it does work on my system… but I have to type very slowly as it’s shifting focus around and has a hard time keeping up.

Edited 2007-02-27 18:51
2007-02-27 8:36 pm

Dekkard
how does the test work in linux? my boot drive is hdb1, incidentally i like penguins?
2007-02-27 9:18 pm

deathshadow
The example won’t work on my machine, since my boot.ini is on F:

Worth noting it doesn’t work in Opera either.

It’s an interesting example – the javascript engines in both IE and FF only allow the most recent keypresses to be added to a file input… I think the example is a bit more complex than it needs to be – I’m gonna have to play with this. It should be possible to simply use the return state and CSS layering to do this a LOT simpler than how this example is working.
2007-02-27 9:18 pm

Nico57
Yeah, sure, since Vista doesn’t have a boot.ini it’s not affected.

2007-02-27 9:21 pm

umccullough
Good point – in fact I believe I read that this problem exists on Firefox on Linux as well – allowing the upload of a file that the user has access to (i.e. /etc/passwd if the user is root) – would be interesting to see the same exploit written for that scenario

update: oh, someone did

http://www.thanhngan.org/fflinuxversion.html

Edited 2007-02-27 21:30

2007-02-28 1:07 pm

dylansmrjones
Doesn’t work too well. One has to write very very slowly for the example to work. But it does illustrate it, though.

2007-02-28 1:48 am

deathshadow
>> Yeah, sure, since Vista doesn’t have a boot.ini

>> it’s not affected.

The example doesn’t work – the technique itself DOES. Theoretically you could pull any file, so long as you were able to get the user to type in ALL the characters in the filename in the order you want them... Which is why embedding this into a blog, forums or any other large text entry box could be a easy way to gather information…

The above paragraph for example, could (in theory) be used to pull info.txt from the current default browser upload directory (notice the bits in italic)

Would be interesting to see if it could be exploited by making it look like some kind of captcha.

Edited 2007-02-28 01:49

2007-02-28 3:51 am

Nico57
😀 <- This is a smiley, Mr. “I know better” Deathshadow. It’s supposed to express a humorous meaning. Since Vista not having a boot.ini is no fun at all, there must be a catch…

2007-02-28 2:50 am

lawina
Running Ubuntu Edgy with Firefox 2.0.0.2 and it does not work.
2007-02-28 11:10 pm

moltonel
By default, Konqueror asks the user for confirmation when sending a local file. Simple and effective, whatever tricks the webpage may use to set the input to a malicious value.

2007-03-01 3:22 am

umccullough
Konqueror asks the user for confirmation when sending a local file

And I would hope this is exactly what will be done with Firefox. That feature along with whitelisting support should be sufficient, and I mean jeez – how often do people upload to a website. Usually one uses just a few such sites regularly (email, photo sharing…)

Not sure about IE, Microsoft has a habit of doing stupid things to “fix” exploits.

2007-02-28 11:33 pm

Wintermute
Everyone should just use NoScript on Firefox. Makes things so much easier, vast majority of the new exploits don’t work without javascript.

NoScript is pretty good at managing javascript permissions.