http://www.osnews.com/story/17376/IE_Firefox_Share_Vulnerability Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Tue, 10 Nov 2009 05:01:25 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://osnews.com/thread?216944 http://osnews.com/thread?216944 A piece of software has a bug in it. Software reverse-engineered from the main piece of sofware has the same bug in it. Film at 11. Tue, 27 Feb 2007 18:03:00 GMT donotreply@osnews.com (Almafeta) Comments http://osnews.com/thread?216945 http://osnews.com/thread?216945 I tried the demonstration at:
http://lcamtuf.coredump.cx/focusbug/ffversion.html

And nothing happened. This is Firefox 2.0.0.2 on XP. Perhaps the demonstration is buggy. Tue, 27 Feb 2007 18:05:00 GMT donotreply@osnews.com (nxsty) Comments http://osnews.com/thread?216964 http://osnews.com/thread?216964 Is this FUD?

So for you Firefox is a reverse engineered version of IE...

Don't you know that HTML is a markup language universally known, so you can make yourself your personal rendering engine for html pages.. Would it be a reverse-engineered version of MS Internet Explorer? ....

....

-__- my god. Tue, 27 Feb 2007 18:37:00 GMT donotreply@osnews.com (Tanner) Comments http://osnews.com/thread?216973 http://osnews.com/thread?216973 So, it appears that using Javascript, the page is redirecting select input from the user to the file input box - and then uploading the file to the server once complete.

This doesn't really surprise me - but I wouldn't have thought of it

So, mitigating factors appear to be: Have an exploitable browser, have a C:boot.ini (although any file could be used for this), have administrative priveleges (so that accessing boot.ini is possible for the browser in the first place) and have Javascript enabled.

For the record, it does work on my system... but I have to type very slowly as it's shifting focus around and has a hard time keeping up.Edited 2007-02-27 18:51 Tue, 27 Feb 2007 18:50:00 GMT donotreply@osnews.com (umccullough) Comments http://osnews.com/thread?216977 http://osnews.com/thread?216977 It worked here.

Firefox 2.0.0.2, WinXP SP2, running with admin user. Tue, 27 Feb 2007 18:54:00 GMT donotreply@osnews.com (pandronic) Comments http://osnews.com/thread?217024 http://osnews.com/thread?217024 how does the test work in linux? my boot drive is hdb1, incidentally i like penguins? Tue, 27 Feb 2007 20:36:00 GMT donotreply@osnews.com (Dekkard) Comments http://osnews.com/thread?217045 http://osnews.com/thread?217045 Don't think that's the way he meant it.
Try it again changing IE for Firefox and vice versa. Tue, 27 Feb 2007 21:15:00 GMT donotreply@osnews.com (Nico57) Comments http://osnews.com/thread?217047 http://osnews.com/thread?217047 The example won't work on my machine, since my boot.ini is on F:

Worth noting it doesn't work in Opera either.

It's an interesting example - the javascript engines in both IE and FF only allow the most recent keypresses to be added to a file input... I think the example is a bit more complex than it needs to be - I'm gonna have to play with this. It should be possible to simply use the return state and CSS layering to do this a LOT simpler than how this example is working. Tue, 27 Feb 2007 21:18:00 GMT donotreply@osnews.com (deathshadow) Comments http://osnews.com/thread?217048 http://osnews.com/thread?217048 Yeah, sure, since Vista doesn't have a boot.ini it's not affected. Tue, 27 Feb 2007 21:18:00 GMT donotreply@osnews.com (Nico57) Comments http://osnews.com/thread?217050 http://osnews.com/thread?217050 Good point - in fact I believe I read that this problem exists on Firefox on Linux as well - allowing the upload of a file that the user has access to (i.e. /etc/passwd if the user is root) - would be interesting to see the same exploit written for that scenario

update: oh, someone did
http://www.thanhngan.org/fflinuxversion.htmlEdited 2007-02-27 21:30 Tue, 27 Feb 2007 21:21:00 GMT donotreply@osnews.com (umccullough) Comments http://osnews.com/thread?217069 http://osnews.com/thread?217069 hey dude, I am running XP SP2 with all the latest patches applied and Firefox 2.0.2 and this exploit NO LONGER WORKS. So next time get your story straight and then post. Tue, 27 Feb 2007 22:49:00 GMT donotreply@osnews.com (cg0def) Comments http://osnews.com/thread?217137 http://osnews.com/thread?217137 I am running XP SP2 with all the latest patches applied and Firefox 2.0.2 and this exploit NO LONGER WORKS

Same here, and it works fine. Damn, must suck when you can't even get a perfectly working exploit to work Wed, 28 Feb 2007 00:35:00 GMT donotreply@osnews.com (umccullough) Comments http://osnews.com/thread?217156 http://osnews.com/thread?217156 Just to reiterate, yes it does work with Firefox 2.0.0.2 and XP SP2. Wed, 28 Feb 2007 01:05:00 GMT donotreply@osnews.com (smitty) Comments http://osnews.com/thread?217171 http://osnews.com/thread?217171 >> Yeah, sure, since Vista doesn't have a boot.ini
>> it's not affected.

The example doesn't work - the technique itself DOES. Theoretically you could pull any file, so long as you were able to get the user to type in ALL the characters in the filename in the order you want them... Which is why embedding this into a blog, forums or any other large text entry box could be a easy way to gather information...

The above paragraph for example, could (in theory) be used to pull info.txt from the current default browser upload directory (notice the bits in italic)

Would be interesting to see if it could be exploited by making it look like some kind of captcha.Edited 2007-02-28 01:49 Wed, 28 Feb 2007 01:48:00 GMT donotreply@osnews.com (deathshadow) Comments http://osnews.com/thread?217181 http://osnews.com/thread?217181 Running Ubuntu Edgy with Firefox 2.0.0.2 and it does not work. Wed, 28 Feb 2007 02:50:00 GMT donotreply@osnews.com (lawina) Comments http://osnews.com/thread?217190 http://osnews.com/thread?217190 :D Wed, 28 Feb 2007 03:51:00 GMT donotreply@osnews.com (Nico57) Comments http://osnews.com/thread?217245 http://osnews.com/thread?217245 Doesn't work too well. One has to write very very slowly for the example to work. But it does illustrate it, though. Wed, 28 Feb 2007 13:07:00 GMT donotreply@osnews.com (dylansmrjones) Comments http://osnews.com/thread?217338 http://osnews.com/thread?217338 Are you logged as an admin or a user with 'read' rights to C:boot.ini ? Wed, 28 Feb 2007 20:01:00 GMT donotreply@osnews.com (Snifflez) Comments http://osnews.com/thread?217413 http://osnews.com/thread?217413 By default, Konqueror asks the user for confirmation when sending a local file. Simple and effective, whatever tricks the webpage may use to set the input to a malicious value. Wed, 28 Feb 2007 23:10:00 GMT donotreply@osnews.com (moltonel) Comments http://osnews.com/thread?217424 http://osnews.com/thread?217424 Everyone should just use NoScript on Firefox. Makes things so much easier, vast majority of the new exploits don't work without javascript.

NoScript is pretty good at managing javascript permissions. Wed, 28 Feb 2007 23:33:00 GMT donotreply@osnews.com (Wintermute) Comments http://osnews.com/thread?217477 http://osnews.com/thread?217477 Konqueror asks the user for confirmation when sending a local file

And I would hope this is exactly what will be done with Firefox. That feature along with whitelisting support should be sufficient, and I mean jeez - how often do people upload to a website. Usually one uses just a few such sites regularly (email, photo sharing...)

Not sure about IE, Microsoft has a habit of doing stupid things to "fix" exploits. Thu, 01 Mar 2007 03:22:00 GMT donotreply@osnews.com (umccullough) Comments