Extremely Critical Firefox Advisory

By markwolfe
in Back Page News

 Share

Recommended Posts

Grand Master

markwolfe Veteran

Posted
  • Veteran
Posted

Advisory released just today

Source: Secunia.com crit_5.gif

Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).

This vulnerability can only be exploited on Unix / Linux based environments.

The vulnerability has been confirmed in version 1.0.6 on Fedora Core 4 and Red Hat Enterprise Linux 4. Other versions and platforms may also be affected.

Link to comment
https://www.neowin.net/forum/topic/374829-extremely-critical-firefox-advisory/
Share on other sites
Proficient

dduardo

Posted
Posted

I don't see how this can be extremely critical. You actually have to execute this from the command line for it to work.

bash # firefox http://local`df`host

You can't just plug in the url into the address bar of a currently open window and have it start executing commands.

Grand Master

ichi

Posted
Posted (edited)

Correct me if I'm wrong, but in order to fix this you'd only have to do this:

-Open /usr/libexec/mozilla-launcher with a text editor.

-Scroll down to the parse_cmdline() bit.

-Scroll down a bit more to the part where it starts parsing urls. It begins like this:

if [[ $1 == *: //*/* ]]; then

urls=("${urls[@]}" "$1")

-Change every line that changes the value of urls adding single quotes to the $1 part:

urls=("${urls[@]}" "$1") would become urls=("${urls[@]}" "'$1'")

urls=("${urls[@]}" "$1/") becomes urls=("${urls[@]}" "'$1/'")

urls=("${urls[@]}" "file://$PWD/$1") becomes urls=("${urls[@]}" "'file://$PWD/$1'")

...and so on.

Single quotes scape the backticks, so the command isn't executed.

(it's not the most elegant fix, but seems to work here).

*Edit: ok, after some trying maybe it doesn't really work, but the problem seems to be in that part of the script nonetheless. Damn I suck at bash :p

Edited by ichi
Grand Master

markwolfe Veteran

Posted
  • Author
  • Veteran
Posted
I don't see how this can be extremely critical. You actually have to execute this from the command line for it to work.

586554741[/snapback]

No you don't. You could receive an email in Evolution (or other clients that launch the browser from the bash shell, apparently) that contains a hyperlink of something like

http://`rm -rf /`

and it would attempt to erase everything, starting at the root of your filesystem (which would either fail, or not do much if you weren't logged in as root). There is no elevation of privelege, but there is running arbitrary commands with the same authority of the user.

Potentially nasty. It looks like other mail clients use a different method to invoke firefox, so it sounds like they would be immune.

Not sure where this bug really lies... :ermm:

Evolution (and potentially other apps that use bash to invoke another app)?

bash? (I don't think so, its job is to execute commands like this)

Firefox?

Grand Master

Brandon Live Veteran

Posted
  • Veteran
Posted
they're fast, aren't they :s gotta love open source, a new buiuld every night :s

586556881[/snapback]

Umm, most commercial software has a new build every night. But getting a build just after it's compiled means it hasn't been tested. We're not talking about a beta here, we're talking about a completely untested build. Do you really want to be running that?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.