MoBB #28: Mozilla Navigator Object
The following bug (mfsa2006-45) was tested on Firefox 1.5.0.4 running on Windows 2000 SP4, Windows XP SP2, and a recently updated Gentoo Linux system. This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is trivial to turn into a working exploit. The demonstration link below will attempt to launch "calc.exe" on Windows systems, execute "touch /tmp/METASPLOIT" on Linux systems, and bind a command shell to port 4444 for Mac OS X Intel and PowerPC systems (thanks Todd and nemo!).
window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);
Demonstration
This bug has been added to the OSVDB:
Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution
34 Comments:
Just tested on a fully up-to-date Gentoo Linux system - worked as advertised. (They really need to move to Firefox 1.5.0.5 ASAP, but they're being a bit slow about it).
Success on Windows XP SP2 + Firefox 1.5.0.2 + jre-1_5_0_06
Nice one. Affected me on Ubuntu as well. /tmp/METASPLOIT was actually created since it wasn't there. Created with 644 privs and owned by user with group set to user.
This is a pretty decent bug.
On Windows XP SP2 + Firefox 2.0b1 no success
Blocked by noscript extension.
Doesn't affect Firefox 2b1
Proof of concept incorrectly thinks Java is not present (I just verified the plugins are installed).
Doesn't work if you have NoScript installed and blocking...(smile)
I LOVE NO SCRIPT BEST THING SINCE FIREFOX AND GMAIL
Are you the "anonymous researcher for TippingPoint and the Zero Day Initiative" who initially discovered this bug?
I did not sell this bug to ZDI, I just read the advisory and figured it out like everyone else :-)
Worked for me with firefox 1.5.0.4 + installed update (via firefox) to 1.5.0.5.
Completely reinstalled Firefox (1.5.0.5) - works no more.
Windows 2000 SP4.
TAKE CARE WITH FIREFOX UPDATE SERVICE! SEEMS NOT TO BE AS RELIABLE AS A FULL REINSTALL!!!!
Fixed in Firefox 1.5.0.5 - does not work. However, nice one...
Doesn't work with up-to-date Debian Unstable with Firefox 1.5.dfsg+1.5.0.4-3 (but crashes browser)
no success on Mac OS X 10.4.7 & Firefox 1.5.5. Says no java is installed.
Seems like they fixed it in time.
Quote (the comment above mine)
How come this code still crashes a patched firefox (1.5.0.5)?
It appears that the code doesn't detect Java 1.5.0_06-b05 in my W2K test machine and will interrupt.
After reinstalling Firefox completely, the exploit fails with "no Java plugin installed."
REINSTALL FROM SCRATCH!
Can confirm that an updated Firefox is still subject to a crash; although calc.exe is not started, Firefox munches up as much RAM as it can. Will try to deinstall and reinstall from scratch.
AUTOUPDATE SEEMS NOT TO PROTECT YOU FROM EXPLOIT!
The memory usage is just a side effect of the exploit and not a bug in the browser. Any browser can eat all system memory in a few seconds, that behavior is by design. The demo allocates about half a gigabyte of RAM to make sure that the exploit attempt succeeds against vulnerable systems.
Hi,
I was the first "Anonymous" reporting that an updated Firefox is still crashing / vulnerable. In particular, my first attempt resulted in Firefox crashing - without starting calc. However, in my second attempt I got calc started (and, of course, Firefox crashing again, as this is the trick by which almost every exploit works :-))
Indeed, the firefox guys should fix their update script asap.
On Windows XP SP2 + Firefox 1.5.0.5 no success! Muharhar
ps: java + javascript were enabled.
I use Suse Linux 10.0, KDE 3.5.3, Konqueror 3.5.3
Konqueror seems to be affected as well.
Doesn't work with an updated firefox 1.5.0.5. The most obvious reason that it still works for some might be a missing browser-restart ;)
Hi,
I already updated to Firefox 1.5.0.5, but even though Firefox crashed...
f***
No success under Ubuntu Dapper with updated FF 1.5.0.5 and JRE 1.4.2.02 - it says "no Java-plugin installed" ??
Success on Windows XP SP2,
Firefox 1.5.0.5,
Java 1.5.0 (Build 1.5.0_07-b03)
No success; I think the firewall in the router messes it up.
Sorry for the delay, I tried to post this question several days ago but only just realised that the CAPTCHA wasn't working because I wasn't allowing any cookies from blogger.
hdm, I am curious: does successful exploitation of this vulnerability require Java, or do you simply use it because it was a simple way of creating a PoC?
Thank you for your response,
Demo complains that no java plugin is installed, although there is one.
(tested on moz navigator 1.7.12 w2k, sun jre 1.4.1)
Doesn't work without Javascript. ;-)
Works in Firefox 1.5.06 ... I'm going to install the 2b1 version... bye