US-CERT
Vulnerability Notes Database

Vulnerability Note VU#973309

Mozilla may execute JavaScript with elevated privileges when defined in site icon tag

Overview

Mozilla may execute JavaScript contained within a site icon tag with elevated privileges. This may allow an attacker to execute arbitrary commands on a vulnerable system.

I. Description

XPCOM

XPCOM is a cross-platform component object model similar to Microsoft COM or CORBA. XPCOM provides the following features to software developers:

  • Component management
  • File abstraction
  • Object message passing
  • Memory Management

XPConnect

XPConnect enables simple interoperation between XPCOM and JavaScript. XPConnect allows JavaScript to access and manipulate XPCOM objects. It also allows JavaScript objects to present XPCOM compliant interfaces to be called by XPCOM objects.

Chrome

The Mozilla user interface components outside of the content area are created using chrome. This includes toolbars, menu bars, progress bars, and window title bars. Chrome provides content, locale, and skin information for the user interface.

Chrome script

Chrome scripts have elevated privileges. Because of the extra privileges, they can perform actions that web scripts cannot. Chrome scripts also do not prompt for permission before executing potentially dangerous commands, such as creating or calling XPCOM components.

Site icons

A site icon is an icon associated with a particular web site or page. This icon may appear in the address bar or bookmarks of the web browser. A web page can specify a site icon by using the <LINK REL="icon"> or <LINK REL="shortcut icon"> HTML tags.

The problem

Mozilla executes script supplied through a LINK tag that specifies a site icon, for example a javascript: URL given as the icon's href (Mozilla Security Advisory 2005-37 describes the issue as code execution through javascript: favicons). Because the icon is loaded on behalf of the browser's own user interface rather than as ordinary page content, the script is treated as a chrome script and is granted the corresponding privileges. A chrome script can grant itself UniversalXPConnect privileges and thereby gain unrestricted access to browser APIs through XPConnect; a script with those privileges can create and execute arbitrary files on the local filesystem.
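As a practical check that follows from the description above, here is an added example that is not part of the US-CERT note and not Mozilla's code: a Node.js script that scans an HTML document for site-icon LINK tags whose href does not use a fetchable http(s) or data: URL, and flags javascript: and similar script-bearing schemes even when they are disguised by case changes, leading whitespace, or HTML character references. The HTML it scans is constructed for the example. It is a heuristic for content inspection (a proxy, a crawler, or a check over your own pages); it does not reproduce Mozilla's parser, and relative icon URLs are treated as safe.

```javascript
// Added example (not code from the US-CERT note or from Mozilla): scan
// HTML for site-icon LINK tags whose href carries a script-bearing
// scheme such as javascript: instead of a fetchable URL. Node.js, no
// dependencies. The HTML sample at the bottom is constructed.

// Schemes a site icon may legitimately use. Everything else (javascript:,
// vbscript:, about:, chrome:, file:, ...) is reported.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'data']);

// Decode numeric character references and the few named ones that matter
// for hiding a scheme ("java&#115;cript:", "&#x6A;avascript:").
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isNaN(cp) || cp > 0x10ffff ? whole : String.fromCodePoint(cp);
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : whole;
  });
}

// Recover the URL scheme roughly as a browser's URL parser sees it:
// decode entities, drop ASCII whitespace and control characters (a browser
// strips them at the ends and strips tab/newline inside; dropping them
// everywhere is deliberately stricter), then read up to the first ':'.
// Returns null for relative URLs, which have no scheme.
function urlScheme(href) {
  const cleaned = decodeEntities(href).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Split the attribute list of one <link ...> tag into a lowercase-keyed
// object (null prototype, so attribute names like __proto__ are harmless).
// Quoted and unquoted values are handled; a '>' inside a quoted value is
// not, because the tag regex below stops there. Acceptable for a heuristic.
function parseAttrs(tagBody) {
  const attrs = Object.create(null);
  const attrRe = /([^\s=\/>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per site-icon LINK whose href uses a scheme outside
// ALLOWED_SCHEMES. rel is a space-separated token list, so "shortcut icon",
// "icon" and "apple-touch-icon" all name an icon.
function findSuspiciousSiteIcons(html) {
  const findings = [];
  const tagRe = /<link\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const relTokens = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    const isIcon = relTokens.some(t => t === 'icon' || t.endsWith('-icon'));
    if (!isIcon || !('href' in attrs)) continue;
    const scheme = urlScheme(attrs.href);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) {
      findings.push({ scheme, href: attrs.href, tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample: one clean relative icon, one non-icon LINK that must
// be ignored, three disguised javascript: icons, and two benign absolute ones.
const SAMPLE_HTML = `
<html><head>
<link rel="shortcut icon" href="/favicon.ico">
<link rel="stylesheet" href="javascript:void(0)">
<LINK REL="icon" HREF="  JavaScript:void(0)">
<link rel="icon" href="java&#115;cript:void(0)">
<link rel='icon' href='&#x6A;avascript:void(0)'>
<link rel="icon" type="image/png" href="https://example.org/icon.png">
<link rel="apple-touch-icon" href="data:image/png;base64,iVBORw0KGgo=">
</head></html>`;

// Report when run directly: node icon_scan.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findSuspiciousSiteIcons(SAMPLE_HTML)) {
    console.log(`[${f.scheme}] ${f.tag}`);
  }
}
```

Run against the constructed sample, the scanner reports the three javascript: icons and nothing else. Allowing data: is a design choice for modern pages that inline their icons; for a 2005-era Mozilla deployment you might restrict ALLOWED_SCHEMES to http and https only.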

II. Impact

By convincing a user to view an HTML document (e.g., a web page), an attacker could execute arbitrary commands or code with the privileges of the user. The attacker could take any action as the user. If the user has administrative privileges, the attacker could take complete control of the user's system.

We have received reports of active exploitation of this vulnerability.

III. Solution

Install an update

This issue is resolved in Firefox 1.0.4 and Mozilla Suite 1.7.8, according to Mozilla Security Advisory 2005-43. The earlier fix described in Mozilla Security Advisory 2005-37 closed one attack vector but did not fully address the underlying vulnerability, so the later update is required.

Disable site icons

By performing the following steps, it is possible to prevent Mozilla from retrieving and displaying site icons.

    1. Enter "about:config" in Mozilla's address bar. This will display Mozilla's configuration values.
    2. Set the following value to false:

       browser.chrome.site_icons

Disable JavaScript

Disabling JavaScript appears to prevent exploitation of this vulnerability. Instructions for disabling JavaScript can be found in the Malicious Web Scripts FAQ.

Systems Affected

Vendor                   Status       Date Notified   Date Updated
Mozilla                  Vulnerable                   6-May-2005
Red Hat Software, Inc.   Vulnerable                   1-Aug-2005

References


http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-43.html
http://www.mikx.de/firelinking/
https://bugzilla.mozilla.org/show_bug.cgi?id=290036
https://bugzilla.mozilla.org/show_bug.cgi?id=204779
http://secunia.com/advisories/14938/
http://secunia.com/advisories/14992/
http://www.osvdb.org/displayvuln.php?osvdb_id=15686
http://xforce.iss.net/xforce/xfdb/20134
http://www.securityfocus.net/bid/13216/

Credit

This vulnerability was disclosed by the Mozilla Foundation, who in turn credits Michael Krax for reporting the information.

This document was written by Will Dormann.

Other Information

Date Public: 2005-04-15
Date First Published: 2005-04-19
Date Last Updated: 2005-08-01
CERT Advisory: 
CVE-ID(s): CAN-2005-1155 (now CVE-2005-1155)
NVD-ID(s): CAN-2005-1155
US-CERT Technical Alerts: 
Metric: 34.42
Document Revision: 25

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2005 Carnegie Mellon University