Extremely Critical Firefox Advisory

[markwolfe Veteran]

Advisory released just today

Source: Secunia.com

Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

This vulnerability can only be exploited on Unix / Linux based environments.

The vulnerability has been confirmed in version 1.0.6 on Fedora Core 4 and Red Hat Enterprise Linux 4. Other versions and platforms may also be affected.

[Pliskin]

Why isn't this on front page news..

[ichi]

Not sure, but I think I can fix this myself. Tweaking the parse_cmdline in mozilla-launcher should do the trick.

I'll give it a try... :ninja:

[dduardo]

I don't see how this can be extremely critical. You actually have to execute this from the command line for it to work.

bash # firefox http://local`df`host

You can't just plug in the url into the address bar of a currently open window and have it start executing commands.

[Syphonic]

Why isn't this on front page news..

586554310[/snapback]

This vulnerability can only be exploited on Unix / Linux based environments.

[Veedems Veteran]

Wow Firefox on Linux. That's a combination you'd least expect to hear a flaw coming out of. I hope the team can seal this hole as quickly as possible.

[exotoxic]

Wow Firefox on Linux. That's a combination you'd least expect to hear a flaw coming out of. I hope the team can seal this hole as quickly as possible.

586554762[/snapback]

more popular it becomes more it will happen...

[Fotix]

That's a bummer. I happen to be running the latest 1.5 nightly build on Ubuntu Linux. :s

[ichi]

Correct me if I'm wrong, but in order to fix this you'd only have to do this:

-Open /usr/libexec/mozilla-launcher with a text editor.

-Scroll down to the parse_cmdline() bit.

-Scroll down a bit more to the part where it starts parsing urls. It begins like this:

if [[ $1 == *: //*/* ]]; then

urls=("${urls[@]}" "$1")

-Change every line that changes the value of urls adding single quotes to the $1 part:

urls=("${urls[@]}" "$1") would become urls=("${urls[@]}" "'$1'")

urls=("${urls[@]}" "$1/") becomes urls=("${urls[@]}" "'$1/'")

urls=("${urls[@]}" "file://$PWD/$1") becomes urls=("${urls[@]}" "'file://$PWD/$1'")

...and so on.

Single quotes scape the backticks, so the command isn't executed.

(it's not the most elegant fix, but seems to work here).

*Edit: ok, after some trying maybe it doesn't really work, but the problem seems to be in that part of the script nonetheless. Damn I suck at bash :p

Edited September 20, 2005 by ichi

[supernova_00]

bug is already fixed and another spin for linux builds for 1.0.7 so expect release either tomorrow or thursday.

[markwolfe Veteran]

I don't see how this can be extremely critical. You actually have to execute this from the command line for it to work.

586554741[/snapback]

No you don't. You could receive an email in Evolution (or other clients that launch the browser from the bash shell, apparently) that contains a hyperlink of something like

http://`rm -rf /`

and it would attempt to erase everything, starting at the root of your filesystem (which would either fail, or not do much if you weren't logged in as root). There is no elevation of privelege, but there is running arbitrary commands with the same authority of the user.

Potentially nasty. It looks like other mail clients use a different method to invoke firefox, so it sounds like they would be immune.

Not sure where this bug really lies... :ermm:

Evolution (and potentially other apps that use bash to invoke another app)?

bash? (I don't think so, its job is to execute commands like this)

Firefox?

[Pox]

oh well, it's only linux :shifty:

i guess all of our fellow *nixers will have to switch to opera8.5... that's if it's even out on linux :s

[Fotix]

oh well, it's only linux :shifty:

i guess all of our fellow *nixers will have to switch to opera8.5... that's if it's even out on linux :s

586555694[/snapback]

It is, I have 8.5 installed on Ubuntu as well.

[Rablet]

Fixed already. In 1.07

[Pox]

they're fast, aren't they :s gotta love open source, a new buiuld every night :s

[Guol]

fix found already for it... good ol' mozilla :happy:

[Mathiasdm]

oh well, it's only linux :shifty:

i guess all of our fellow *nixers will have to switch to opera8.5... that's if it's even out on linux :s

586555694[/snapback]

Or one could use... another browser.

[Brandon Live Veteran]

they're fast, aren't they :s gotta love open source, a new buiuld every night :s

586556881[/snapback]

Umm, most commercial software has a new build every night. But getting a build just after it's compiled means it hasn't been tested. We're not talking about a beta here, we're talking about a completely untested build. Do you really want to be running that?