Vulnerability In Firefox Popup Blocker

cj writes in with news of a vulnerability in Firefox's stock popup blocker discovered by Michal Zalewski. The vulnerability can allow a malicious user to read files from an affected system. The attacker would "need to plant a predictably named file with exploit code on the target system. This sounds hard, but isn't," according to the article.

Anyone knows if the 2.x tree is vulnerable too?

[A beautiful mind]

From TFA:

Vulnerable Systems:
* Firefox version 1.5.0.9

Can anyone test?

Re:

[Tony Hoyle]

Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.

Re:

[Richard_at_work]

Im using 1.5.0.9 at the moment, no 2.0 upgrade was ever pushed out to me, and checking now manually shows no updates waiting.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[linuxci]

Firefox 2 is still an optional upgrade so is not pushed through auto-update, the 1.5 series is still supported. Once 1.5 gets closer to end of life then 2.0 will be offered.

Re:

[N7DR]

FYI, the auto-update to 2.0.x has been delayed a few times. It will happen sometime soon.

http://wiki.mozilla.org/Major_Update_1.5.0.x_to_2. 0.0.x [mozilla.org]

Re:

[Baron Eekman]

I use Ubuntu Dapper, and it hasn't updated to 2.0 yet, I type this running 1.5.0.9. I do not really understand the exploit, but it seems quite elaborate. There is no concept of proof that I can test over there, sorry. It doesn't say whether only Windows versions are susceptible either.

Re:

[Baron Eekman]

"proof of concept" that is; I should go to bed

Re:

[porl]

i don't think dapper will ever roll over to 2.x. from memory the firefox 1.5 code was buried too deeply in their customised gnome packages or something, so it was a major undertaking to pull it out. when i ran dapper though i found it easy to download and install firefox 2 off the official site and either run it from my home dir or install system wide, just install to /usr/local/bin etc and do something like ln -sf /usr/local/bin/firefox /usr/bin/firefox if you want to make it completely override the system

Re:

[starnix]

Bullshit.... I have Dapper running FF 2.0.0.1 and it was very EASY to install it.

Re:

[HUADPE]

Bullshit.... I have Dapper running FF 2.0.0.1 and it was very EASY to install it.

From grandparent when i ran dapper though i found it easy to download and install firefox 2 off the official site

Bullshit apparently now means "I agree with you."

Re:

[Anonymous Coward]

Bullshit.

Re:

[aymanh]

I used this script [psychocats.net] to install Firefox 2 on Dapper. It automatically downloads the latest version, installs it, integrates it with plugins installed through apt-get, and updates symbolic links. Works like a charm.

Re:Anyone knows if the 2.x tree is vulnerable too?

[rainman_bc]

Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.

Fedora has no plans to officially release a 2.0 for FC6:

http://fedoraproject.org/wiki/Firefox2 [fedoraproject.org]

"Fedora users will be to stay with Firefox 1.5 and wait for the Firefox 3.0 update"

That's left me a bit annoyed personally... I like the changes to FF2...

Re:

[donaldm]

When I put FC6 on my 64 bit dual core AMD laptop it came standard with Firefox 1.5 while OpenSUSE (put this on my son's PC) came with Firefox 2. To upgrade to version 2 was fairly easy since all I had to do was download the rpm then remove version 1.5 then install the rpm. Firefox 2 seems to work well and I can even install global or personal plug-ins. I have a 64 bit processor and most of my apps are 64 bits (including Firefox) have to use nspluginwrapper to add 32 bit plug-ins because some vendors (cough

Re:

[smoker2]

Fedora has no plans to officially release a 2.0 for FC6

Back when FC4 was current, I got fed up with waiting for updates for FF from fedora, and even more fed up with broken updates for FF. So I uninstalled the FC release of Firefox, and downloaded a copy direct from the FF homepage. It has worked well, and been auto-updating without incident ever since.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1

On a tangent, why does the headline not say "Vulnerability in Win32 Fir

Re:Anyone knows if the 2.x tree is vulnerable too?

[hal9000(jr)]

Yep, on windows. I moved to FF2.0 when it came out, got hosed by java handling and other stuff, and jumped back to 1.5. I will wait a bit longer before I make the leap again.

Re:

[TubeSteak]

I didn't change over to FF 2.0, mostly out of sheer laziness.

Then I went and grabbed FF Portable & just unzipped it into a folder.
http://portableapps.com/apps/internet/firefox_port able [portableapps.com]

There's an installer, but you can just unzip the .exe
Note: The actual FF executable is a folder or two deep

Re:

[HeroreV]

I don't believe Firefox can be upgraded from 1.5 to 2.0. So far only security patches have been released as updates.

Re:

[DrSkwid]

not all operating systems are the same

the upgrade pusher will not work for some, and neither should it

Re:

[MilesAttacca]

I'm still using 1.5.0.9, giving 2.0 a little bit of time for all or most of my favorite extensions to catch up, and some bugs to be resolved. (I'm also telling myself "I have to organize my bookmarks so I can switch," as if that's ever happening anyway.)

Re:Anyone knows if the 2.x tree is vulnerable too?

[Tony Hoyle]

Can anyone test?

Nope, because no example exploit is given and the means of exploitation looks rather unlikely:

"To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm', 'new2',''),

with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time)."

1. It assumes that the temp file is c:/windows/temp. It isn't, unless you're running Windows 95, and only then if you've not changed it from default. That's the *system* default temp file. The *user* temp directory is inside local settings in the user specific area (much harder to find out remotely. Maybe not impossible, but you'd have to get lucky (it's not just the username as the directory name.. it has things like .000 after it).
2. Calculating the seed to that accuracy is damned hard.

Re:

[iago-vL]

For what it's worth, from Zalewski's original post,

Firefox sometimes creates outright deterministic temporary filenames in system-wide temporary directory when opening files with external applications

And according to him, calculating the seed isn't terribly difficult. srand() is called directly before the random file creation and is seeded with the current time, in milliseconds. That time is possible to obtain within a narrow margin using JavaScript.

Re:

[Tony Hoyle]

I strongly doubt it does, because you'd fall foul of vista UAC protection - no user app should go near the systemwide temp directory (that's even if you can find it... %TEMP%, GetTempFileName, etc. will always give you the user one. AFAIK you have to dig into the registry to find the system one, or be running as a system service).

Although a bug exists (file:// bypasses some of the security checks.. fixed already apparently) the theoretical exploit as written isn't usable - probably why there's no working e

Re:

[totally bogus dude]

I strongly doubt it does, because you'd fall foul of vista UAC protection

How does that matter? It's not as if anybody is using Vista yet... :)

On a serious note, is the system temp directory really not world-writeable in Vista?

<rant>Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand? Every now and then I'll see an app crap itself because it can't create a temporary file... because the directory is full!. What the **** is up with that?! I've still got files in my user temp folder from when the m

Re:Anyone knows if the 2.x tree is vulnerable too?

[Carnildo]

Thanks for the tip. I just checked my temp directory, and I've got stuff dating back to early 2001 in there.

Re:

[ESqVIP]

Windows does clean it... well, sort of.

When you're running low of disk space a warning appears, offering to run the Disk Cleanup tool [microsoft.com], which tries to remove unused temporary files (among other things).

But I wonder why it doesn't erase those pesky thumbs.db files (by checking their last access date).

Re:Anyone knows if the 2.x tree is vulnerable too?

[evilviper]

Also, what's with Windows never deleting anything in the user temp directories? What part of temporary does it not understand?

As opposed to Linux, which also doesn't clear /tmp?

Windows is slightly worse, but not by a lot.

Re:

[spikedvodka]

man tmpwatch

Re:

[evilviper]

No manual entry for tmpwatch
$

Re:

[evilviper]

The fact that it can be installed is not the point. The point is that it isn't installed by default on most distros... Much like Windows.

Re:

[mashade]

Many linux distros keep /tmp as a ramdisk which means they're cleared the moment the machine is shut off. I believe Slackware clears /tmp at least partially on every boot, so... Go do some research ;)

Re:

[anagama]

What the heck? Are you trying to ruin my uptime???

Re:

[evilviper]

Many linux distros keep /tmp as a ramdisk

By "many" do you perhaps mean "none"?

There's always the odd floppy or CD-based mini distro, but that's really not relevant.

I believe Slackware clears /tmp at least partially on every boot, so...

I just checked my Slackware machine's init scripts. It clears /tmp/.X11 lock files, but that's it.

Go do some research ;)

*Ahem*

Re:

[OmnipotentEntity]

Well, at least I know my Debian box does it on bootup, check /etc/rcS.d/S36mountall-bootclean.sh for more details.

Re:

[Zonnald]

I think the idea is that the application that writes to the temp directory is supposed to remove it when it doesn't need it any more. This has mostly been my experience with software written by Microsoft. Especially annoying when such software crashes before the file is release/deleted and then can't recreate the file next time you run it. (VB6).

Re:

[kosmosik]

You kind of right. It is hard but not impossible or in fact very easy for skilled cracker.

I've always liked MZ way of thinking. I've read his book. Usually his discoverings do not cover the mass side of a thing. He usually focuses on targeted attacks which are hard but possible - I mean attacks when you target some individual or organisation to get data, not when you want to have biggest coverage of zombies on casual-home-user-machines.

Same as in here. If you are a security professional (I can guess - I am

Re:

[Tony Hoyle]

Paranoia is good - I don't disagree that there's an issue that needs fixing, but the way it's presented is as if there's a general exploit, but it just isn't that easy.

Clearly targeting a specific user where you knew information like the username and system setup beforehand would make this possible (independent of OS).

Re:

[kosmosik]

> Paranoia is good - I don't disagree that there's an issue that
> needs fixing, but the way it's presented is as if there's a
> general exploit, but it just isn't that easy.

You mean how it is presented here (on Slashdot). Well you must be new here. ;))) They always present it like that - this is like lowest grade journalism. But I like the fact that users that read this kind of information are geek enough to understand that this is overhyped. It is some kind of local (global in fact) folklor that is

Re:

[JackHoffman]

Yes, one can test the primary vulnerability quite easily and yes, it works in Firefox 2.0. The popup blocker allows users to retroactively open file: URLs which are called from webpages (http://...) even though Firefox normally blocks all such accesses. If you can place a file with a known pathname on the user's system, you can read every file. The PRN bug is only one way by which an attacker could place his helper file, the article mentions one more.

Re:

[Tharkban]

The exploit code does not work on my own computer (Ubuntu edgy, firefox 2.0.0.1)

I just checked whether I could get the provided code to run at all, file:/// or http:/// [http] popup or not, nothing worked XMLHttpRequest.open() is not allowed in any scenario (including directed at external sites). That being said, I did manage to get the popup to display a file:/// url, so maybe there is some vulnerability there. But for my setup the exploit code doesn't do anything.

Re:

[ewl1217]

This only affects the 1.5.x branch, not the current 2.x stuff...

Re:

[mrgavins]

That's wrong. This bug affects both 2.0 and 2.0.0.1. This confusion seems to stem from the version field in the bug, which is set to the earliest version that's affected.

Re:

[rapidweather]

Glad to hear that the current 2.x stuff is not affected. I'm using FF 2.0.0.1 now, in my knoppix remaster (see screenshots below), and have other things I need to be doing with the remaster than upgrading FF. I do, however, jump on it and upgrade the browsers whenever they have new versions out. With Firefox, I put 9 RSS feeds on the toolbar by default, and for it's home page, I use a local version of this one [geocities.com], but with a slide-out ~/ menu setup, for browsing the /ramdisk.
I notice that Netscape 9 for linux [netscape.com]

Right...

[CasperIV]

That was quite possibly the most ignorant statement I have read on slashdot recently. I'm not particularly partial to either Firefox or IE, but exploit for exploit, your statement has no merit. What will be the deciding factor will be how fast it is patched.

I was refering to ewl1217's post...

[CasperIV]

I didn't make it clear that the start of my post was directed at ewl1217's post above my own.

Re:Right...

[pairo]

That was quite possibly the most ignorant statement I have read on slashdot recently.

You don't really read much of Slashdot, do you?

Re:

[iggymanz]

he meant by a non-author/non-editor

Re:

[bcmm]

You have said about three things, and totally failed to link any of them together.

Re:

[adpsimpson]

oops...

Seems I've just entered the unintentionally-trollish-joke-taken-for-a-troll camp. The original (ok, cryptic) meaning of my post was that this exploit is lame-ass - open source should be, apparently, so we're told by some, catching up with proprietory - and yet this is the best style of exploit it can come up with? It's crap!

Oh well. Suddenly I see the thrill of trolling. The pull of the dark side is strong. [mumble mumble hot grits mumble Natelie Portman mumble mumble overlords mumble mod me down

Re:

[Secrity]

Parent post looks like it is written in English, but it does not parse.

Oblig.

[element-o.p.]

"Humor. It is a difficult concept. It is not logical." --Lt. Saavik

Windows only?

[jimbobborg]

From the fine article:

"When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. "

So you have to MANUALLY disable the popup blocker on a site you don't know in order to make this work. Also, the article keeps talking about c:\whatever. It does not indicate if this is a vulnerability in a non-Windows system.

Re:Windows only?

[Tony Hoyle]

From the text it's hardcoded to a specific installation of Windows (not even the default config). It wouldn't work on most systems.

Re:

[JackHoffman]

The file:-opening bug is universal, only the URLs that are used would have to be adapted to different operating systems (easy, just look at the user-agent string). Even if you can't guess or calculate the temporary filename, there may be other vulnerabilities which allow an attacker to place a custom file with a known pathname on the victim's computer, which can then be called from a webpage and relay every file that is readable by the webbrowser.

Re:Windows only?

[codepunk]

You have to chmod 777 every file in the root and home file systems, log in as root, open a port for ssh, disable ip tables and or ipchains and post the user name (root of course), password and ip to a irc channel, turn off pop up blocking...yep see it effects linux also.

That is the lamest vulnerability post I have seen in a long time...really stretching here are we not?

Re:

[bl8n8r]

Crap... where's the undo button for Xchat?

Lamest. Vulnerability-post. Ever.

[JacksBrokenCode]

That is the lamest vulnerability post I have seen in a long time...

You sure about that? [slashdot.org]

Linux can still be secure

[r00t]

If you have SE Linux running with a strict policy, it just doesn't matter if they do log in as root. They'd have to get into the correct role and level as well, which would be blocked.

Even before levels were added, there used to be SE Linux systems on the net with public root passwords. (one Gentoo, and one either Debian or Red Hat) You could log in as root, look around a tad, append a message to a file, run a few processes... and that was about it. You couldn't load drivers, reboot, read log files, install

Re:

[someone1234]

In other words, they had a regular user account with the name 'root' :)

nope, UID was 0

[r00t]

The UID really was zero, which is NOT a regular user account. It's a normal root account.

I couldn't even write to files that were world-writable, owned by root or not.

Do an "ls -Z" on a default Fedora install to see what is going on. Fedora can be nearly like the system described if you install the "strict" policy.

To admin the system, you need to change roles. No single role can do everything, and many role-to-role transitions are prohibited.

Re:

[petermgreen]

Even before levels were added, there used to be SE Linux systems on the net with public root passwords. (one Gentoo, and one either Debian or Red Hat) You could log in as root, look around a tad, append a message to a file, run a few processes... and that was about it. You couldn't load drivers, reboot, read log files, install software, etc. SE Linux locked the system down good and hard.
so how exactly were theese boxes administered?

unless there is an admin there with physical access who doesn't mind doing a

Re:

[r00t]

To admin the system, you need to change roles. No single role can do everything, and many role-to-role transitions are prohibited.

So there is NOT an administrative login that lets you do everything. There are numerous limited-capability administrative logins, sort of. They are not related to UID.

First you'd log in as root, since the old UID-based system is still being enforced. You'd need to do this from the console to get put into a role which is able to transition to something interesting. Then you run th

Re:

[petermgreen]

First you'd log in as root, since the old UID-based system is still being enforced. You'd need to do this from the console to get put into a role which is able to transition to something interesting.
so what you are saying is that while the people have the root password the box has been configured in such a way that a root login from remote isn't really root.

which is ok if the admin has local acess to the machine but renders the system pretty useless otherwise.

Re:

[kalleguld]

Well, all it takes is a bit of social engineering to convince most users to disable the pop-up blocker for their site (after all, it's only like two clicks with the mouse). And really, do hackers care if they can infect Linux?

Re:

[mrgavins]

Your explanation is slightly misleading. You don't need to "manually disable the popup blocker" to reproduce the popup opening part of the theoretical exploit. All you need to do is click "show popup [once]" option in the popup blocker UI for a blocked file:// popup.

I tried with /etc/passwd

[McNihil]

No result back with either FF1.5.0.9 and FF 2.0.0.1 using remote page. Local works obviously.

Fixed

[Anonymous Coward]

Already fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=36942 7 [mozilla.org]

Re:

[MMC Monster]

Well, according to earlier replies to this article, this is also fixed if you are running windows 2K or later. (well, not exactly fixed, but the exploit is nearly impossible given the number of assumptions made on stock win 2K/XP/Vista systems) So yes, this is probably fixed on your system as well. :-)

bullshit

[tomstdenis]

Firefox/mozilla/etc run as your user. At most this would be able to infect my user, not the system. Even in windows, if you don't run as root it should be the same deal.

This exploit requires you to download the exploit code then, click on a link with file:/// with CTRL down (to turn off popup blocking). Sounds less like an exploit of firefox and more of the stupid user who runs things.

Tom

Re:

[Goaway]

What exactly do you think a malicious app wants to do that it can't do when running under your user account?

Re:

[drinkypoo]

Firefox/mozilla/etc run as your user. At most this would be able to infect my user, not the system.

Oh good! So the most it can do is wipe out all your data!

I sure do hope you're not a security consultant...

Re:

[tomstdenis]

How does my comment show a lack of security concern? You want user apps to only run as the user. That's the point of privilege separation. If I had 30 users on a box, and one of them decides to run a virus, it should at most destroy their data.

Also, this is why we backup data.

Tom

Re:

[jesser]

Firefox doesn't have a "Hold Ctrl to disable pop-up blocking" feature. Maybe you're thinking of another browser or a Firefox extension?

This vulnerability involves the "Show blocked popup" feature, which you can activate from the status bar icon indicating that a popup was blocked. If the popup is allowed in the first place, the security check works correctly.

Wow...

[thanksforthecrabs]

you mean the *other* browser has holes too?

Only 6% of my visitors are using 1.5x.

[JAB Creations]

Only 6% of my users so far this year are using Firefox 1.5x compared to 68% using Firefox 2.0. There are still about 4% of users who are using IE 6 without service pack 2 on XP (or are using IE6 on older versions of Windows). Point: it's a vulnerability that hackers won't bother to exploit and Mozilla will probably patch quickly anyway.

Whew!

[cciRRus]

Good thing I'm using the Internet Explorer.