Larholm.com

Me, myself and I

June 4th, 2007

Unpatched input validation flaw in Firefox 2.0.0.4

(For my german Heise visitors: Bleibt doch mal ein bischen und abonniert mein Feed, ich werde zusätzliche Schwachstellen veröffentlichen).

The patch from Bugzilla report 367428 that was introduced in Firefox 2.0.0.4 accidentally opens up the resource protocol to a separate input validation flaw. But first, a recap.

There were a number of interesting comments on my previous post, Firefox 0day local file reading. Checking the current Windows patch status was suggested by Sergey Vzloman and H D Moore highlighted what has now become general knowledge – that the directory traversal vulnerability in Firefox 2.0.0.3 is still present in the updated Firefox 2.0.0.4 under Linux/Unix and OS X.

The patch only closes the directory traversal aspect on Windows. You can still read local files in Firefox 2.0.0.4 on Windows, but it is now limited to the files within your Firefox installation directory such as update.xml and install.log that reveal your current Firefox patch status. It is still possible to determine the local installation path and query for the installation status of arbitrary plugin DLL’s, as I demonstrated with the PoC in my previous post. Non-Windows operating systems are still vulnerable to the full directory traversal vulnerability, allowing you to read any local files that your user account can reach.

Before the 2.0.0.4 patch the input to nsResProtocolHandler::ResolveURI was already checked to prevent any : characters from sneaking in, which can allow absolute URI references such as “res:C:boot.ini” or “res:http://www.google.com/”. This check is still in place in lines 334 to 336.

    // Don't misinterpret the filepath as an absolute URI.
    if (filepath.FindChar(':') != -1)
        return NS_ERROR_MALFORMED_URI;

Since the previous directory traversal vulnerability depended on URL-escaped characters such as %5C to work the patch added the currently present lines 338 to 340.

    NS_UnescapeURL(filepath);
    if (filepath.FindChar('\\') != -1)
        return NS_ERROR_MALFORMED_URI;

Since the filepath is now unescaped after the check for a : character has occurred, it is possible to inject : characters with the URL-escaped version %3A.

A non-malicious example request that can be used for verification is the following link include, which passes on unfiltered : characters to the host file system.

<link rel="stylesheet" href="resource://gre/browserconfig%3A.properties" />

It is also possible to pass on @ characters to the host file system, which at least on the Windows platform can be used to implement Basic Authentication style URI’s.

There are some odd URI resolver logic in nsIStandard::Resolve that I will still have to look into. Under some circumstances on Windows, I can get / characters translated into \ characters and have triple dots translated into double dots, which will once again allow the full directory traversal vulnerability. However, the output is flaky at best and I will have to do some tedious single stepping through the URI resolver logic code to determine at what point the input is unescaped twice :)

May 25th, 2007

Firefox 0day local file reading

RSnake mentioned a potential way to read security sensitive configuration settings from Firefox on ha.ckers.org, with an example PoC from Sergey Vzloman that used the resource:// URL protocol handler in Firefox. Unfortunately, the settings that were read were the default settings inside the Firefox install directory.

An example resource URL would be resource://gre/greprefs/security-prefs.js which reads the security-prefs.js file from your Firefox install directory, which on Windows could be C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js. Mozilla must have acknowledged the potential for directory traversal here, as they have blocked any attempts at including the string ..\ or ../ inside resource: requests.

BK demonstrated in the thread that Mozilla does not properly sanitize the input properly, and that you can circumvent this restriction by using ..%5C instead of ..\ which means that you can read arbitrary files from the local system by exposing the file contents as readable properties on SCRIPT or CSS tags.

For the sake of a demonstration, let’s assume that you have a file called C:\resource.txt that contains

secretinfo = “steal me”

In this case you could expose the local file content to your website with the following script include.

<script src=”resource://gre/..%5C..%5Cresource.txt”></script>

This would expose the secretinfo as a Javascript variable. If you are uncertain of the Firefox installation directory you can always append additional directory traversal separators, but see below for more on that.

Daniel Veditz opened up the ongoing Bugzilla report #367428, given that this is now being discussed in public, and from that report we can see that Mozilla has been struggling to fix this vulnerability since January 18 2007. We can also see that the currently proposed patches are only sanitizing input for the Windows platform and that Linux and Mac directory traversals have not been addressed.

It is good to see that Mozilla has picked up the pace now that this is public knowledge. However, even after they fix the directory traversal vulnerability we can still use the resource protocol to query and read any file inside the Firefox installation directory. This includes reading the update.xml, install.log or even browserconfig.properties which contains your homepage settings. It also allows us to query for the status of any installed plugin.

I don’t want to help out scrupulous advertisers with a ready-to-use script that hands them my homepage setting, so instead I have put up a simple PoC that demonstrates how to read your local Firefox install directory and the status of a few plugins. You can find that at http://larholm.com/misc/ffresourcefile.html :)

Regardless of how we look at this you can expect to see a Firefox 2.0.0.4 release very soon. My hope is, regardless of what patch makes into the source tree, that access to the entire resource:// URL protocol handler is blocked for Internet sites.

UPDATE June 11 2007.

Remember to read the follow-up post with details about the patch in firefox 2.0.0.4, http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/.

I would also like to point out that Aviv Raff was the first to discover the “.sheet.href” vulnerability component in his post on ha.ckers.org, which is crucial for parsing text from the requested resource :)

May 22nd, 2007

WordPress 0day vulnerabilities

WordPress is a widely used blogging tool that has a huge array of nifty features even in the default installation. If that is not enough then there are thousands of interesting, useful and quirky plugins that can be used to enhance it. It is one of the most prevalent blogging tools on the Internet, with millions of installations maintained by individuals and corporations and is the preferred choice of many webhosting companies. I use it myself on Larholm.com, which is why it saddens me to now see it riddled with holes.

The pluggable.php source file in the wp-includes directory has a number of SQL injection vulnerabilities. The first to be reported today was from line 294

$cookie = explode(‘; ‘, urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie']));

The reason why this is bad is because the user and password parts of the cookie is then passed to the wp_login function which calls get_userdatabylogin with the username. Since we can control the contents of the cookie we can control the $userlogin variable inside get_userdatabylogin, which is then used in line 126

if ( !$user = $wpdb->get_row(“SELECT * FROM $wpdb->users WHERE user_login = ‘$user_login’”) )

The wp_login function is called with our arbitrary input in several places which provide multiple attack vectors, from the get_currentuserinfo, auth_redirect and check_ajax_referer functions.

It’s simple enough to fix while we wait for an official upgrade from WordPress, just add $user_login = mysql_real_escape_string($user_login); before the SQL query. A far safer solution would be to bind all of the SQL input through prepared statements and specific input types.

The sad thing is that there are other potential SQL injection vulnerabilities in the WordPress code. And while the rest of you are looking for those I am chilling with ascii` on IRC looking through the WordPress mailer code which seems to have a direct command execution vulnerability :)

April 8th, 2007

Thor, the Benevolent Leader

I am always amused when I take a personality test. I find it easy to discern the reasoning behind the questions and more often than not I disagree with the wording of specific questions. Just today, I found an interesting test with some funky sliders and graphs at personaldna.com, and the results are in:

And there you have it, I am a very manly and functional Benevolent Leader with low Authoritarianism. You can hover those individual color bars for an explanation of each.

Coincidentally, I am not a big fan of having Benevolent Leader turned into a link that points at personaldna.com as I have already been kind enough to link their way. So how do we remove this link but retain the hover functionality? If you’re curious the script code for embedding the above color bar is:

<script src=”http://personaldna.com/h/?k=ajbecRqMlZIdRcZ-OO-AAAAA-b077&t=Benevolent+Leader”>
</script>

There is a lack of input validation of the t parameter which enables a XSS vulnerability on personaldna.com. If you specify t=Benevolent+Leader',true);alert(location)// you are overwriting their script logic. If you specify t=</a>Benevolent+Leader you are injecting HTML. A properly URL encoded parameter would be t=%3C/a%3EBenevolent+Leader".

So there you have it, the same colored bar but without a link on the text portion :)

April 6th, 2007

More 0day in Firebug

As I promised in my previous post I would be detailing a fresh 0day vulnerability in Firebug for my next post. Well, this is that post, or if you’ve just read the Hitch Hikers Guide to the Galaxy, that will be this post in the future which is now.

The culprit in the previous vulnerability was a lack of HTML escaping which allowed you to inject arbitrary HTML and Javascript into the Chrome context from which Firebug operates. Once you are running script with Chrome privileges you can do pretty much anything, open listening ports, send email, read/write/execute files – your typical system compromise.

Read the rest of this entry »

April 6th, 2007

0day vulnerability in Firebug

I’m posting a fresh 0day vulnerability in Firebug in my next post! But first, an analysis of the current 0day vulnerability:

Firebug is a very popular web application development tool that comes in quite handy when debugging HTML, CSS and Javascript. It’s intuitively easy to use, has got great features such as console logging and live debugging of XMLHTTPRequest queries and it gets the Thumb Up from Thor – I use it daily.

It seems that pdp over at gnucitizen discovered a 0day vulnerability in Firebug. Joe Hewitt, the author of Firebug, has published an entry on his blog about the Firebug v1.0.2 and v1.0.3 updates that he released in response.

Firebug is a great tool and Joe Hewitt is a fine developer, but when you combine the inherent lack of separation between trusted and untrusted content in Firefox with a development tool that exposes near-direct access to its custom-built HTML construction logic you will inevitably end up with some security vulnerabilities. The Javascript chrome code inside Firebug comes in at roughly 700KB, a large portion of which deals with the function oriented tag construction logic that Joe decided to implement in Firebug.

Read the rest of this entry »

April 5th, 2007

Cheers and musing

Another visitor!

You might know me, you might not. In either case, welcome. I used to have my web presence on jscript.dk, but alas some domain shark grabbed it when I forgot to renew the domain.

So what will I amuse you with to stay a while? Mostly random musings over security vulnerabilities, javascript development, the web and myself. In the mean time I will be making a less bloggy template for WordPress and enjoy my Easter vacation.

improbot.gif