[转载]Mozilla Firefox Window Spoofing (Firespoofing)
信息来源:[url]www.securiteam.com[/url]Summary
Using JavaScript it is possible to spoof the content of security and download dialogs by partly covering them with a popup window. This can fool a user to download and automatically execute a file (if a file extension association exists) or to grant a script local data access (if codebase principals are enabled).
Credit:
The information has been provided by Michael Krax.
The original article can be found at: [url]http://www.mikx.de/?p=7[/url]
Details
Affected Software:
* Mozilla Firefox version 1.0
* Mozilla version 1.7.5
* Netscape version 7.1
All under Windows XP SP2
Expected Behavior:
Modal dialogs should always be on top and it should not be possible to obfuscate their appearance.
Vendor Status:
The bug is confirmed but currently unfixed (open for more than 3 months). As a partial workaround set dom.disable_window_flip to true in about:config. The vendor failed to respond to multiple status requests which led to this public disclosure.
2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure
Exploit:
The PoC is designed for Firefox 1.0 running in a maximized window.
Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file with a standard windows file association (in this case a .ht file). BTW, remember the latest .ht buffer overflow...
Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are enabled (not default but encouraged by many XUL sites). Creates the file c:\booom.txt to proof local system access.
The exploit is also available at: [url]http://www.mikx.de/firespoofing/[/url]
[url]http://www.eviloctal.com/forum/read.php?tid=6742[/url]
页:
[1]