===================================================================== CERT-Renater Note d'Information No. 2007/VULN334 _____________________________________________________________________ DATE : 01/08/2007 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Firefox, Thunderbird, SeaMonkey. ====================================================================== http://www.mozilla.org/security/announce/2007/mfsa2007-27.html http://www.mozilla.org/security/announce/2007/mfsa2007-26.html ______________________________________________________________________ Mozilla Foundation Security Advisory 2007-27 Title: Unescaped URIs passed to external programs Impact: Critical Announced: July 30, 2007 Reporter: Jesper Johansson Products: Firefox, Thunderbird, SeaMonkey Fixed in: Firefox 2.0.0.6 Thunderbird 2.0.0.6 Thunderbird 1.5.0.13 SeaMonkey 1.1.4 Description Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as multiple arguments. The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 2.0.0.4 and older could be used to run arbitrary script (see [26]MFSA 2007-23). The vast majority of programs do not have dangerous arguments, though many could still be made to do something unexpected. A similar issue with URIs passed to external handlers was reported by Billy Rios and Nate McFeters. When running Firefox on Windows XP with IE7 installed, URIs for certain common protocols (such as mailto:) that contain a %00 do not launch the protocol handler registered for that scheme but instead launch a file handling program based on the file extension at the end of the URI. Coupled with the issue reported by Jesper Johansson this appears to allow execution of any program installed at a known location and limited argument passing that might be enough to exploit a system. Further investigation by Secunia showed that a % not followed by a valid two-digit hexadecimal number also triggered the problem for the affected protocols. The Firefox and Thunderbird 2.0.0.6 releases contain fixes that prevent the original demonstrations of this variant, but it is still possible to launch a filetype handler based on extension rather than the registered protocol handler. A way to exploit a common handler with a single unexpected URI as an argument may yet be found. Since this handling is a property of the Windows Shell API this variant appears to affect other internet-enabled applications that pass these URIs to the Windows Shell. Workaround By default Firefox will ask before launching external protocol handlers, and these prompts should be denied from sites that are not trustworthy, especially if the requested URL contains spaces and double-quote (") characters. An exception is made for mail-related protocols in Firefox, they do not prompt by default. If the default mail handler is Thunderbird 2.0.0.5 or later there will not be a problem, but if another program or older version of Thunderbird is the default handler then mail URIs can be made to prompt as well. (Similarly, in Thunderbird browser protocols like http: and ftp: do not prompt but instead launch the default browser.) To make mail-related links prompt in Firefox before launching external programs: * Enter about:config in the location bar * Enter warn-external in the Filter: box * Double-click to set the mailto, news, nntp, and snews lines to true References * Jesper's Blog http://msinfluentials.com/blogs/jesper/archive/2007/07/20/hey-mozilla-quotes-are-not-legal-in-a-url.aspx * https://bugzilla.mozilla.org/show_bug.cgi?id=389106 * CVE-2007-3845 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3845 * Secunia Advisory SA26201 http://secunia.com/advisories/26201/ * US-CERT Vulnerability Notes VU#783400 and VU##403150 http://www.kb.cert.org/vuls/id/783400 http://www.kb.cert.org/vuls/id/403150 * https://bugzilla.mozilla.org/show_bug.cgi?id=389580 ___________________________________________________________________________ Mozilla Foundation Security Advisory 2007-26 Title: Privilege escalation through chrome-loaded about:blank windows Impact: Moderate Announced: July 30, 2007 Reporter: moz_bug_r_a4 Products: Firefox 2.0.0.5, Thunderbird 2.0.0.5, SeaMonkey 1.1.3 Fixed in: Firefox 2.0.0.6 Thunderbird 2.0.0.6 Thunderbird 1.5.0.13 SeaMonkey 1.1.4 Description Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for [26]MFSA 2007-20 that could enable privilege escalation attacks against addons that create "about:blank" windows and populate them in certain ways (including implicit "about:blank" document creation through data: or javascript: URLs in a new window). Workaround Any workaround would depend on the addon in question. One addon known to be affected was the Web Developer Toolbar, which was safe in its default configuration but potentially vulnerable to malicious web content if informational windows were opened as separate windows instead of tabs. The workaround for this, then, is to switch back to the default setting. Other affected addons might not have a workaround other than to upgrade to a fixed version of Firefox. References * https://bugzilla.mozilla.org/show_bug.cgi?id=388121 * CVE-2007-3844 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3844 ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================