IE and Firefox Share a Vulnerability

← Back to Stories (view on slashdot.org)

IE and Firefox Share a Vulnerability

Posted by kdawson on Monday February 26, 2007 @05:51PM from the upload-with-daring-and-whimsy dept.

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

38 of 207 comments (clear)

Min score:

Reason:

Sort:

Awww, that's so cute by varmint+jerky · 2007-02-26 17:57 · Score: 5, Funny

Next thing you know they'll be coquettishly batting eyelashes at each other and accidently eating the same strand of spaghetti.
1. Re:Awww, that's so cute by mrbluze · 2007-02-26 20:12 · Score: 3, Insightful
  
  It's certainly romantic, kind of - a bit like a fake pic of Bush and Osama in bed together that was floating around a few years ago.. ewwww!
  
  Maybe the vulnerability they share is "that they both run in Windows".
  
  --
  Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
2. Re:Awww, that's so cute by LordEd · 2007-02-27 03:35 · Score: 2, Informative
  
  Maybe the vulnerability they share is "that they both run in Windows".
  That's a bit unnecessary. TFS(summary) even says "The vulnerability is not platform-specific, but these demonstrations are -- they work only on Windows systems."
  
  Save the windows bashing for actual causes.
Nope by The+Bungi · 2007-02-26 18:01 · Score: 3, Informative

Not Firefox 1.5x under a non-admin account on XPSP2, though I admit that setup, while sane, is unfortunately not really common...
1. Re:Nope by TheLink · 2007-02-26 18:16 · Score: 4, Interesting
  
  Well, in theory it's just for fishing a particular file with the filename that you type.
  
  I'm not too worried about it, because in my office I use Linux and I run WinXP in a virtual machine, in that VM I use a nonadmin account for normal stuff - viewing and priting Word or Excel docs, instant messaging, AND I use the Run As feature to launch browser windows as yet another different nonadmin account. On the Linux host itself, I run firefox as a different user from my main user account.
  
  So if I gather correctly, you can grab my bookmarks or downloaded files, IF I actually type all the letters to those specific paths? That's it?
  
  I'd be more worried about Windows graphic driver exploits - graphics drivers seem a bit shoddy- plus they are all about performance, not security. And currently it's basically - Nvidia, ATI and Intel.
  
  I've had weird things happen with Linux sound though so I wonder about the security of such stuff. I've pretty much given up on getting Linux sound to work properly for sustained periods of time (this on suse 10.0, perhaps I should try 10.2).
  --
  
  Too many replies beneath your current threshold
2. Re:Nope by ArwynH · 2007-02-26 20:17 · Score: 2, Informative
  
  *Doh*
  
  I wonder how many other /.ers tried it, like I did and couldn't get it to work because they forgot to turn off NoScript...
3. Re:Nope by Anonymous Coward · 2007-02-26 21:05 · Score: 2, Interesting
  
  Isn't anyone using Google Mail? Just compose a new mail, and attach a file. Type in the file name, and Gmail will automatically upload it without you submitting anything. The "feature" has been there for ages, so frankly I'm puzzled why all the fuss now and not months ago?
  
  So now that this is a bug, it makes Gmail an exploit, which makes Google do evil.
  
  Boycott Google, Hail Microsoft! ..right?
4. Re:Nope by TheLink · 2007-02-26 22:42 · Score: 3, Insightful
  
  Someone using the exploit can only grab any file on your filesystem that the user account your browser runs as has permissions to read, which may be significantly restricted (I found that hard to do on Linux in the old days, but I guess nowadays it should be easier with better filesystem ACLs).
  
  If you use the same user account for work, ssh and browsing then you risk exposing stuff like:
  
  ~/.ssh/id_dsa
  ~/.ssh/id_rsa
  
  Which in some cases might be more interesting than /etc/fstab ;).
  --
  
  Too many replies beneath your current threshold
5. Re:Nope by ttldkns · 2007-02-27 00:25 · Score: 2, Informative
  
  Ahhh, but then they know valid account names on your box to start blasting with a dictionary. Imagine if you ran an SSH server where only users in a certian group could ssh in. Then grabbing /etc/group can tell you which usernames to focus on.
  
  --
  How many computers are too many?
6. Re:Nope by Phisbut · 2007-02-27 01:51 · Score: 2, Informative
  
  Interesting targets would be e.g. /etc/passwd
  
  Other than getting a full list of user names on my system, what does the /etc/passwd file contain that I don't want others to know? It's not like passwords are stored in there or anything...
  
  --
  After 3 days without programming, life becomes meaningless
  - The Tao of Programming
How it works by Anonymous Coward · 2007-02-26 18:07 · Score: 3, Insightful

Is the way this works by attaching keydown/keyup events to the document object, and then switching focus to the file upload field in order to let the user fill in the upload? Ingenious :)

So a browser would fix this by not allowing programmatic access to focus() for file uploads?

It doesn't sound like this would be particularly exploitable because you'd need them to type the letters in the right order (with other arbitrary letters as padding between this). Getting someone to type something might prove easier though now due to the prevalence of Capchas.
1. Re:How it works by amrust · 2007-02-26 18:12 · Score: 5, Insightful
  
  Getting someone to type something might prove easier though now due to the prevalence of Capchas.
  
  You took the words right out of my keyboard, no pun intended*.
  
  It won't affect my commenting on blogs or sites that I normally frequent. But after that demo, I admit I probably won't look at captchas the same way again.
  
  * OK maybe one quick pun.
  
  --
  VOTE!
2. Re:How it works by ShieldW0lf · 2007-02-26 20:18 · Score: 2, Insightful
  
  The reason focus() exists is to allow you to send the cursor to the field that needs correcting when you're doing form validation. It would suck if it wasn't available.
  
  --
  -1 Uncomfortable Truth
Re:IE7 Vista by holloway · 2007-02-26 18:14 · Score: 2, Interesting

Is it invulnerable because the file they happened to choose is restricted (c:\boot.ini) or because the browser is now smart enough not to give javascript focus to file upload fields?

If so then it's still vulnerable because they'll release a patch to stop hackers from uploading user files, like those with predictable filenames. It seems wrong to say that IE+Vista aren't vulnerable when the IE bug still exists.

(of course if IE7 prevents giving focus to the upload field then I'm wrong -- but I don't think that's the case. The same bug exists in IE7 on Vista)

--
-Docvert converts MSWord to OpenDocument, clean HTML
The real common vulnerability... by NotQuiteReal · 2007-02-26 18:14 · Score: 2, Funny

Is 90% of those vulnerable are "regular users".
For good or ill, I don't know many regular users, of course it is lonely at times...

--
This issue is a bit more complicated than you think.
Doesn't work with Firefox 2.0.0.1 on Windows XP by Anonymous Coward · 2007-02-26 18:18 · Score: 4, Informative

I tried with a limited user account, but of course boot.ini can only be read by administrators. Then I tried with an administrator user, and still boot.ini wasn't shown. Fud?

Also, there is no need to type all that jibberish about cheese. Just slowly type in:

C:\boot.ini

Type it too quick, and the javascript in the background won't be able to keep up with the rate of keystrokes you enter.
1. Re:Doesn't work with Firefox 2.0.0.1 on Windows XP by SashaMan · 2007-02-26 20:07 · Score: 2, Informative
  
  You are missing the point. The demo program just uses boot.ini as an example, but the core problem of redirecting keystrokes to a file upload is the issue, because any file with a well-known location could be uploaded. You could write a simpler program yourself by just using two fields, a text box and a file input, and show how typing in the text box immediately appears in the file input.
Vulnerability doesn't work on Vista (Sort of) by Anonymous Coward · 2007-02-26 18:25 · Score: 2, Interesting

Vulnerability kinda doesn't work using Firefox 2.0.0.2 and Internet Explorer 7 (Both 32 bit and 64 bit version) on Vista Business Retail.

I had to create a Boot.ini file in my C: drive since Vista doesn't have it there anymore. IE7 and Firefox will be able to pull information out of the file if you have permissions to read the file but if you don't it won't work. This is probably why some people are reporting it doesn't work in Win XP with a user account. Only admin accounts are affected because the user accounts probably don't have read access for boot.ini.

This means that the vulnerability won't be able to access any system files but it could potentially access sensitive data you have because you'd obviously have permissions to read those files (i.e. Word documents on your desktop).

It seems that the person using this exploit would have to know the exact filename and path of the file he wants so this seems like a minor issue. The real risk is with system files because the directory and filenames for those will most likely be the same on most systems but those can't be read and I'm not sure what you'd do with the info anyway...
Try as I might... by oceanstream · 2007-02-26 18:41 · Score: 2, Interesting

I cannot get this flaw to work in Firefox on Linux. I've gawked and re-written the code several times, created dummy text files that are mode 0666, to no avail. I think it could be exploitable only under the loosest of security profiles. Did I miss something from TFA that makes this windows-specific?
1. Re:Try as I might... by nmb3000 · 2007-02-26 20:14 · Score: 3, Informative
  
  Did I miss something from TFA that makes this windows-specific?
  
  I think the presence of a C:\ might help.
  
  --
  "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  /)
Sad realization by Anonymous Coward · 2007-02-26 18:47 · Score: 2, Funny

So...Safari on the Mac is A-OK?
Re:IE7 Vista by jasonwea · 2007-02-26 18:47 · Score: 2

The test as it stands now is not valid for Vista as (afaik) it doesn't have boot.ini.

From what TFA says though, protected mode protects IE on Vista.
Anyone else try Opera ? by Joebert · 2007-02-26 19:13 · Score: 2, Insightful

I tried this on
Windows XP
As Administrator
With No 3rd party anti-virus or anti-spyware protection whatsoever (total of 20 processes running including Opera)
Opera 9.10
All scripting enabled
Checked the presense of boot.ini

And while it did continue to a new page when I typed the phrase, that new page didn't have the contents of my boot.ini file.
Just a message telling me what that page was about.

--
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
1. Re:Anyone else try Opera ? by KDR_11k · 2007-02-26 19:25 · Score: 2, Interesting
  
  When I try that the input field that's supposed to contain the filename just collapses to a 2 pixel wide line and nothing else happens.
  
  --
  Justice is the sheep getting arrested while an impartial judge declares the vote void.
They already share a vulnarability... by TEMMiNK · 2007-02-26 19:21 · Score: 2, Insightful

the user.

--
"The stupider people think you are, the more surprised they will be when you kill them..."
Requires javascript by pedrop357 · 2007-02-26 19:29 · Score: 3, Informative

I use Noscript to block javascript. The exploit didn't work until I allowed javascript for that site.

New/unknown sites won't be able to do this, but my previously "trusted" ones will.
Re:IE7 Vista by evilgrug · 2007-02-26 19:40 · Score: 5, Informative

It didn't protect IE on Vista for me. I created a dummy boot.ini and IE7 Vista happily spat it out.
Re:IE7 Vista by brainhum · 2007-02-26 19:53 · Score: 5, Insightful

The latest Web 2.0 Captcha:
C:\ W IN D O W S\ sys tem 32\config\S AM

You heard it here first! /.
Variation on an old bug by jesser · 2007-02-26 20:06 · Score: 4, Informative

I'm not sure why this is getting press now, given that a very similar exploit has been known and public since October 2000 (bug 56236). It was even fixed on trunk in September 2005, but left unfixed on branch intentionally because we weren't confident we had the UI right.

Zalewski's version is bug 370092, and he was unhappy when I marked it as a duplicate of bug 56236.

--
The shareholder is always right.
1. Re:Variation on an old bug by Kopretinka · 2007-02-26 22:07 · Score: 2, Insightful
  
  I'm not sure why this is getting press now, given that a very similar exploit has been known and public since October 2000...
  If it gets press, the fix might finally be released, perhaps?
  
  --
  Yesterday was the time to do it right. Are we having a REVOLUTION yet?
What about Konqueror? Or Safari? Or Opera? by Phil+Urich · 2007-02-26 20:13 · Score: 3, Interesting

Is this a case where using a really non-standard browser (well, I mean, Konqueror is standard for KDE but it's not like KDE is a common household word in middle America, heh) leaves one untouched? Or is this potentially a wider implementation problem? I did RTFA, and it is speculated upon. In Michal Zalewski's bug submission:
Opera is unlikely to be vulnerable to that exact attack, because it is impossible to focus on the file input text field, only on the 'browse' button; other browsers were not tested, but I would expect at least some to be susceptible (naturally, on MacOS X or Linux, test cases have to be modified to access an existing file). However this leaves the question mostly still open (even Opera perhaps, if something related that took into account Opera's different handling of these cases, right? Or am I reading wrong?).

--
I remember sigs. Oh, a simpler time!
OT: CS:101 - Lost updates. by TapeCutter · 2007-02-26 21:11 · Score: 2, Informative

"Often when somebody prints out a document to distribute at a meeting they print the full path to the document in the footer of every page. This has always seemed like a bad idea to me."

Managing documents is not a task to be taken lightly, especially when the document is the product of more than one person, document management systems work in essentially the same way as source control systems. The reason the file is on the footer is to deliberately identify where the document came from (ie: is it "official" or just someones private backup copy). It is also (ironically) a simplistic security measure that makes hard copies somewhat trackable.

Removing the path is a "security through obscurity" solution that would impose an inconvienince on the people who create/edit/review documentation and would increase the risk of corrupt documentation (ie: lost update syndrome).

OTOH: I'm sure there are cases where "burning" is demanded because "shreading" is considered too risky, but I rather think they would be the exception rather than the rule.

--
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Re:Offtopic rant by julesh · 2007-02-26 22:22 · Score: 4, Informative

I abhor the use of the word "enjoy" in the media and by marketing people in particular. Form fields may *have* protection; they do not *enjoy* protection because they aren't fucking conscious. And nobody enjoys, say, the protection of car insurance. I don't sit at home feeling all warm and fuzzy because I've just taken out some policy.

Seeing this in tech news just shows how much this has spread. I no longer want to use the word enjoy at all because every time I hear it, I am reminded of this usage and feel a twinge of annoyance.

I want my English language back from these idiots!
Online Etymology Dictionary
enjoy
c.1380, [...] Sense of "have the use or benefit of" first recorded c.1430. [...]

Online Etymology Dictionary, © 2001 Douglas Harper (Link)

You'll have to go a long way back to claim this one.
Works on FireFox under Linux by smiggly · 2007-02-26 23:44 · Score: 5, Interesting

It just takes a few changes. Try this:

http://www.thanhngan.org/fflinuxversion.html
IP violation by darth_linux · 2007-02-27 01:31 · Score: 2, Funny

Firefox obviously violates M$ IP if there is a shared venerability.

--
Power to the Penguin!
That's mostly right, actually by Anonymous Coward · 2007-02-27 04:22 · Score: 2, Informative

To do something useful with the exploit, the attacker needs to know the name and location of a desired file, and the browser has to be permitted to upload (read) the file. Obviously one dramatic way to use the information gained is to hack the victim's system. Most OSes, properly configured, don't let ordinary users (or their browsers) read critical system files, but Windows does.

Even on better-designed OSs, though, the exploit has uses for espionage and spam. People tend to put data files in predictable places, using predictable names. With a little luck or a large pool of visitors you can get financial information from QuickBooks, personal info (and valid email adresses) from Outlook contact books, business information from powerpoint documents stored in My Documents, or the complete set of somebody's recent email correspondence.

The focus-diversion technique sounds awkward at first, but I've been thinking of ways to make it more reliable without the user getting suspicious (eg, trick them into typing several backslashes in between other text) - and if I can think of them, others can too.
Comment removed by account_deleted · 2007-02-27 05:03 · Score: 2, Funny

Comment removed based on user account deletion
Re:Flaw is locale-dependent by ESqVIP · 2007-02-27 07:51 · Score: 2, Interesting

I could be wrong, but I don't think you can really predict the character output of a keydown event, as it happens on a keystroke-level, before important factors (dead keys, shift and caps state, keyboard layout) are analyzed to determine the final character. The appropriate event for that would be keypress, but on my tests it can't be hijacked (maybe there could be some trick). So, you'd need a few initial keystrokes to test which characters they produce, and then attempt to guess the layout being used.