Jump to content

Recommended Posts

Posted

You've all updated your Firefox recently to version 2.0.0.4 . If you haven't updated it yet, do it asap. Here's something concerning the security update.

 

Unpatched Input Validation Flaw in Firefox (Directory Traversal) 

5 Jun. 2007

 

 

Firefox 2.0.0.4 contains a fix for a directory traversal vulnerability that allowed you to read local files through the resource protocol.

 

However, the patch only partially fixed the vulnerability on Windows systems and accidentally circumvents an existing input validation check.

 

The net result is that you can still read some local files on Windows and all user accessible files on Linux/Unix/OS X, with all user accessible files potentially readable as well on Windows through the patch regression.

 

 

The original article can be found here)

 

 

The patch from Bugzilla report 367428 that was introduced in Firefox 2.0.0.4 accidentally opens up the resource protocol to a separate input validation flaw. But first, a recap.

 

There were a number of interesting comments on Thor's previous post, Firefox 0day local file reading. Checking the current Windows patch status was suggested by Sergey Vzloman and H D Moore highlighted what has now become general knowledge - that the directory traversal vulnerability in Firefox 2.0.0.3 is still present in the updated Firefox 2.0.0.4 under Linux/Unix and OS X.

 

The patch only closes the directory traversal aspect on Windows. You can still read local files in Firefox 2.0.0.4 on Windows, but it is now limited to the files within your Firefox installation directory such as update.xml and install.log that reveal your current Firefox patch status. It is still possible to determine the local installation path and query for the installation status of arbitrary plugin DLL's, as Thor demonstrated with the PoC in Thor's previous post. Non-Windows operating systems are still vulnerable to the full directory traversal vulnerability, allowing you to read any local files that your user account can reach.

 

Before the 2.0.0.4 patch the input to nsResProtocolHandler::ResolveUR it was already checked to prevent any : characters from sneaking in, which can allow absolute URI references such as "res:C:boot.ini" or "res:http://www.google.com/". This check is still in place in lines 334 to 336.

 

       

// Don't misinterpret the filepath as an absolute URI.
        if (filepath.FindChar(':') != -1)
            return NS_ERROR_MALFORMED_URI;

 

Since the previous directory traversal vulnerability depended on URL-escaped characters such as %5C to work the patch added the currently present lines 338 to 340.

 

       

NS_UnescapeURL(filepath);
        if (filepath.FindChar('\') != -1)
            return NS_ERROR_MALFORMED_URI;

Since the filepath is now unescaped after the check for a : character has occurred, it is possible to inject : characters with the URL-escaped version %3A.

 

A non-malicious example request that can be used for verification is the following link include, which passes on unfiltered : characters to the host file system.

 

   

<link rel="stylesheet" href="resource://gre/browserconfig%3A.properties" />

 

It is also possible to pass on @ characters to the host file system, which at least on the Windows platform can be used to implement Basic Authentication style URI s.

 

There are some odd URI resolver logic in nsIStandard::Resolve that he will still have to look into. Under some circumstances on Windows, Thor can get / characters translated into \ characters and have triple dots translated into double dots, which will once again allow the full directory traversal vulnerability. However, the output is flaky at best and he will have to do some tedious single stepping through the URI resolver logic code to determine at what point the input is unescaped twice :)

 

 

 

if it is posible plz tell and in greek langafe (me liga logia) what is happen, what include this new up-date for non-expert at english language :D

Posted

No, it is not possible to translate it, sorry, some terms are meant to be in English, and I think these terms are what you don't understand.

Posted

No, it is not possible to translate it, sorry, some terms are meant to be in English, and I think these terms are what you don't understand.

 

**sorry for GR

me liga logia, ine kalo na to kanoume to up-date? exoume kalitero apodosi? kaliteri prostasia? de sou zito na mou to metafrasis olo, alla periliptika se 2-3 sires ti neo mas parexi to new up-date

Posted

Λοιπόν, όπως όλα τα updates, έτσι κι αυτό είναι απαραίτητο να γίνει γιατί διορθώνει κάποια κενά ασφαλείας της προηγούμενης έκδοσης. Αυτό που εξηγώ στο άρθρο είναι το κενό αυτό, καθώς και ότι δεν καλύφθηκε πλήρως (ισχύει ακόμη κατά κάποιο τρόπο). Το update σε μένα έγινε αυτόματα χθες ή προχθές, αν θυμάμαι καλά. Από εκεί και ύστερα παραθέτω το vulnerability.

Guest
This topic is now closed to further replies.
×
×
  • Create New...