Re: Two Vulnerabilities in Mozilla may lead to remote compromise

From: Daniel Veditz (dveditzcruzio.com)
Date: Tue Jul 13 2004 - 12:01:03 CDT


Mind Warper wrote:
> Vendor : informed on 11/06/04
> Mailed advisory: 13/06/04

In the future please send notification to security at mozilla.org. The only
thing we could find was a bug filed two days ago.

> There are two vulnerabilities in Mozilla that may lead to remote code execution under local zone.

Mozilla does not have a local zone.

> The problem is that firefox stores its cache in a known directory,

It does not, each user's profile directory is unique. Upon receiving this
we're reconsidering whether three bytes of randomness is sufficient, but in
any case it isn't trivial as you suggest. (Also the "Administrator" part of
the path will differ depending on the Windows login name, but an attacker
could stick with "Owner" and get 99% of all WinXP Home users.)

> The second vulnerability allows the attacker to modify the mime type by using the infamous NULL byte.

This is clearly a bug, thank you. From our brief look this morning we're not
convinced it's exploitable, but it's troubling and we'll fix it.

> 2. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_002_
> 3. C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\default.nop\Cache\_CACHE_003_
> [ These 2 cache files store the html data ]

Those files will have pieces of different documents. If it contains just
your planted file that would be quite a coincidence.

-Dan Veditz
Mozilla Security Group
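The NULL-byte point in the exchange above comes down to two components disagreeing about where a MIME type string ends: a NUL-terminated consumer stops at the first 0x00 byte, while a length-aware layer sees the whole buffer. The following added example (not code from this thread, from Mozilla, or from the advisory) models that disagreement and shows the defensive check: reject any control byte before parsing, then require the full string to match the media-type token grammar. The token grammar is a simplified, assumed version of the RFC 2045 rules (no quoted-string parameter values), and the function names are this example's own.

```python
import re
from typing import Tuple

# Assumed, simplified RFC 2045 token grammar: printable ASCII without
# whitespace, control characters or tspecials. Quoted-string parameter
# values are not supported in this example.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MIME_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(;\s*{_TOKEN}={_TOKEN})*$")


def c_string_view(value: bytes) -> str:
    """Model a NUL-terminated consumer: everything after the first 0x00
    byte is invisible to it. This is the weak behaviour the thread is
    about, kept here only to show how it diverges from the full buffer."""
    nul = value.find(b"\x00")
    truncated = value if nul < 0 else value[:nul]
    return truncated.decode("latin-1")


def layers_disagree(value: bytes) -> bool:
    """True when a NUL-terminated reader and a length-aware reader would
    see different strings, i.e. when an embedded NUL is present."""
    return c_string_view(value) != value.decode("latin-1")


def validate_mime_type(value: bytes) -> Tuple[bool, str]:
    """Hardened check (assumed design, not Mozilla's code): refuse any
    control byte outright, then require the whole buffer to match the
    type/subtype grammar. Returns (ok, normalised_type_or_reason)."""
    if any(b < 0x20 or b == 0x7F for b in value):
        return False, "control byte in media type"
    text = value.decode("ascii", errors="replace")
    if not _MIME_RE.fullmatch(text):
        return False, "not a valid type/subtype token"
    return True, text.lower()


if __name__ == "__main__":
    # Constructed sample: a media type carrying an embedded NUL.
    sample = b"text/html\x00image/gif"
    print("NUL-terminated reader sees:", c_string_view(sample))
    print("layers disagree:", layers_disagree(sample))
    print("hardened check:", validate_mime_type(sample))
    print("hardened check:", validate_mime_type(b"text/html"))
```

The useful property of the hardened path is that it never hands a partially-read string downstream: either every byte in the buffer passes the grammar, or the value is rejected with a reason, so no later NUL-terminated consumer can see a different media type than the validator did.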