Firefox 3.5 Security Threats. Serious or not serious?
- July 27th, 2009
Shortly after the release of Firefox 3.5 on June 30th, I noticed a flurry of Firefox 3.5 vulnerabilities, followed by several PoCs. I am going to touch on each vulnerability that I stumbled upon, along with its PoC, and analyze the severity of each.
The first thing that really caught my attention, and as far as I know one of the few that is not fully patched yet, was the “Firefox URI Spoofing Bug”. I noticed it on SecurityFocus on July 24th. According to the article, the bug affects Firefox version 3.0.11, but after trying out the PoC I noticed that it works perfectly fine in 3.5. According to SecurityFocus, the bug, discovered by Juan Pablo Lopez Yacubian, allows one to use JavaScript to alter the error page that Firefox generates when you attempt to open a URL containing an invalid character. You then stop the page from loading further, again from JavaScript, to achieve the full effect. Juan put together an example page demonstrating the bug. I minimally altered Juan’s PoC and hosted it on my own server to help you better understand the vulnerability. The example page can be viewed here.
So what exactly is happening? Let's take a look at the JavaScript.
<script>
function spoof()
{
    // Open a new window on a URL whose host ends in an encoded space; Firefox cannot resolve it
    a = window.open("http://www.gmail.com%20");
    // Overwrite the contents of the error page while the unresolvable URL stays in the address bar
    a.document.write("<title>Gmail</title>");
    a.document.write("<h1>Welcome to fake Gmail.com</h1>");
    // Stop the load so the browser never replaces the written content with its own error page
    a.stop();
}
</script>
A new window is opened to the URL http://www.gmail.com%20. The %20, which is the percent-encoding of a space, is appended to the end of the URL. This makes the URL invalid, which would normally bring up the “Server Not Found” error page. But if you immediately use JavaScript to alter the newly created window object, writing custom HTML to it with document.write(), you can spoof the URL of any page in the address bar.
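As an added example (not code from the original post or from Juan's PoC), the helper below runs the PoC's URL through the WHATWG URL parser that Node.js and current browsers use: the trailing %20 decodes to a space, which is not a valid host character, so the URL fails to parse, the same condition that sent Firefox 3.5 to its error page. The helper names and the allowed-host list are assumptions of this example.

```javascript
// Added example, not part of the original post. Shows why "http://www.gmail.com%20"
// can never name a real host, and wraps that check in a helper a page can call
// before handing a link to window.open. Names and the allowlist are assumptions.

function checkHttpUrl(raw, allowedHosts) {
  let url;
  try {
    // %20 in the authority decodes to a space, a forbidden host code point,
    // so the parser rejects the PoC's URL with a TypeError.
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed: " + url.protocol };
  }
  if (allowedHosts && !allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: "host not allowed: " + url.hostname };
  }
  return { ok: true, href: url.href, hostname: url.hostname };
}

// Open a link only if it passes the check (a no-op outside a browser).
function openChecked(raw, allowedHosts) {
  const result = checkHttpUrl(raw, allowedHosts);
  if (result.ok && typeof window !== "undefined") {
    window.open(result.href);
  }
  return result;
}

// Constructed inputs: the PoC's spoof URL beside a well-formed counterpart.
const SPOOF_URL = "http://www.gmail.com%20";
const REAL_URL = "http://www.gmail.com/mail/";
const ALLOWED = ["www.gmail.com", "mail.google.com"];

console.log(checkHttpUrl(SPOOF_URL, ALLOWED)); // { ok: false, reason: 'unparseable URL' }
console.log(checkHttpUrl(REAL_URL, ALLOWED));  // { ok: true, href: ..., hostname: 'www.gmail.com' }
```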
I believe this bug is quite serious. Juan has contacted Mozilla; they are aware of this bug and are hopefully fixing it soon. This bug takes phishing to a whole new level. Average users are getting smarter about phishing and are checking the address bar, and this bug simply makes a phishing page look more legitimate. Someone could easily embed a full-page iframe pointing to a genuine site, followed by an Ajax keylogger or the whole BeEF XSS Exploitation Framework. Hopefully Mozilla will take care of this soon.
The next series of exploits takes advantage of a serious memory corruption vulnerability in Firefox 3.5. Mozilla acknowledged the vulnerabilities and patched them in the urgent release of Firefox 3.5.1 on July 17.
The first exploit that I stumbled across on milw0rm, written by Simon Berry-Byrne, was a remote heap spray exploit that took advantage of a buffer overflow vulnerability involving font tags in Firefox 3.5. After looking over the exploit code, I noticed that it loads an array called sprayContainer[] with thousands of consecutive characters followed by shellcode that executes Calc.exe, repeated over and over. Then a multi-dimensional array called searchArray[][] is loaded with the innerHTML of each font tag within each p tag in the div container. The values in the array are then repeatedly concatenated to the end of a string named html, until enough memory has been sprayed to cover the targeted memory that the targeted process will execute. Simon posted another exploit shortly after (written in Python) taking advantage of the same vulnerability, this time binding a shell to port 5500. He then slightly modified the bind shell exploit to work on OS X. While searching for a more easily understandable example of the exploit in the wild, I came across a video on YouTube posted by someone who noticed arbitrary code being executed remotely on their machine after visiting a malicious webpage. Andrew Haynes and Simon Berry-Byrne were also able to exploit a similar vulnerability with a Unicode buffer overflow.
According to NetworkWorld, Mozilla attempted to calm the public by downplaying the severity of the vulnerability, but later admitted that it was self-inflicted.
Another article I found quite interesting was at ha.ckers.org. It discusses the security threats of Firefox 3.5’s CORS (Cross-Origin Resource Sharing) implementation, a new way to perform cross-domain XMLHttpRequests. Just the thought of cross-domain XMLHttpRequests should immediately raise a red flag. CORS is meant to be secure by using a handshake between the host making the request and the host receiving it, in which the receiving host indicates whether the connecting host is allowed to access it. As stated in the ha.ckers.org article, although the connecting host is not supposed to learn whether a page outside of its domain exists, it is still able to make that initial request to the target host. If the target host is not there, the request returns immediately; if it is there, the request times out, with the timeout estimated at between 20 and 75 seconds. This timeout is not port specific, so the hosts being scanned do not need to have port 80 open for the request to time out. This method can be used to do a “pseudo ping sweep” of hosts within one's intranet. Basic and digest authentication popups are suppressed as well, so the sweep would not alert the victim. You can view a live demonstration of the pseudo ping sweep using Firefox here, and the same demonstration using IE8’s XDomainRequest here.
And last but not least is the Firefox 3.5 escape() value exploit. According to PaulDotCom, it is alive and well on XP, and it has been improved in the Metasploit Framework. This exploit has also been expanded to cover OS X 10.5.7.
So what does this mean for Firefox 3.5? Although a few of these threats may have been extremely volatile, they were only that way for a short period of time. I believe this should not alter your decision to continue using Firefox; it surely has not altered mine. I will continue to enjoy doing web development for Firefox and using it as my primary browser. Hopefully the Mozilla team will take care of the couple of unpatched vulnerabilities soon and continue keeping an eye out for new ones.
