Overview
Mozilla may execute JavaScript contained within a site icon tag with elevated privileges. This may allow an attacker to execute arbitrary commands on a vulnerable system.
Description
XPCOM XPCOM is a cross-platform component object model similar to Microsoft COM or CORBA. XPCOM provides the following features to software developers:
XPConnect enables simple interoperation between XPCOM and JavaScript. XPConnect allows JavaScript to access and manipulate XPCOM objects. It also allows JavaScript objects to present XPCOM compliant interfaces to be called by XPCOM objects. Chrome The Mozilla user interface components outside of the content area are created using chrome. This includes toolbars, menu bars, progress bars, and window title bars. Chrome provides content, locale, and skin information for the user interface. Chrome script Chrome scripts have elevated privileges. Because of the extra privileges, they can perform actions that web scripts cannot. Chrome scripts also do not prompt for permission before executing potentially dangerous commands, such as creating or calling XPCOM components. Site icons A site icon is an icon associated with a particular web site or page. This icon may appear in the address bar or bookmarks of the web browser. A web page can specify a site icon by using the <LINK REL="icon"> or <LINK REL="shortcut icon"> HTML tags. The problem Mozilla executes script within a LINK tag that specifies a site icon. This script is treated as a chrome script and is therefore granted extra privileges. By granting UniversalXPConnect privileges to itself, a chrome script can gain unrestricted access to browser APIs using XPConnect. A script with these privileges may create and execute arbitrary files on the local filesystem. |
Impact
By convincing a user to view an HTML document (e.g., a web page), an attacker could execute arbitrary commands or code with the privileges of the user. The attacker could take any action as the user. If the user has administrative privileges, the attacker could take complete control of the user's system. |
Solution
Install an update |
Disabling JavaScript appears to prevent exploitation of this vulnerability. Instructions for disabling JavaScript can be found in the Malicious Web Scripts FAQ. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.mozilla.org/security/announce/mfsa2005-37.html
- http://www.mozilla.org/security/announce/mfsa2005-43.html
- http://www.mikx.de/firelinking/
- https://bugzilla.mozilla.org/show_bug.cgi?id=290036
- https://bugzilla.mozilla.org/show_bug.cgi?id=204779
- http://secunia.com/advisories/14938/
- http://secunia.com/advisories/14992/
- http://www.osvdb.org/displayvuln.php?osvdb_id=15686
- http://xforce.iss.net/xforce/xfdb/20134
- http://www.securityfocus.net/bid/13216/
Acknowledgements
This vulnerability was disclosed by the Mozilla Foundation, who in turn credits Michael Krax for reporting the information.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2005-1155 |
| Severity Metric: | 34.43 |
| Date Public: | 2005-04-15 |
| Date First Published: | 2005-04-19 |
| Date Last Updated: | 2005-08-01 14:13 UTC |
| Document Revision: | 25 |