Date: Mon, 12 Feb 2007 00:34:46 +0100 (CET)
From: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MSIE, Firefox focus stealing vulnerabilities (updated for
BUGTRAQ)
[ Moderator: I managed to generate quite a flood of messages in BUGTRAQ
queue. Please feel free to reject them and approve this summary
instead. Otherwise, if the rest already went through, please reject
this
post. My bad. ]
There is an interesting logic flaw in Microsoft Internet Explorer and
Mozilla Firefox web browsers.
Vulnerable browsers, credits
----------------------------
Two problems are reported here:
* The MSIE flaw, tested with IE7, is a newly discovered, distinct
vulnerability that exploits a problem similar, but separate from,
previously reported flaws found by Charles McAuley and Bart van
Arnhem
in June 2006 (these were fixed in IE7). Credit: me.
* The Firefox exploit, tested with 2.0.0.1 and 1.5.0.9, is an
independently discovered and improved variant of an unpatched bug
that
had an entry in Bugzilla at least since 2000, and was most recently
reported by Charles McAuley in June 2006 (thanks to Paul Szabo for
spotting this). Charles was there first, I'm just providing a new
and perhaps more convincing exploit.
Flaw description
----------------
In all modern browsers, <INPUT TYPE=FILE> form fields (used to upload
user-specified files to a remote server) enjoy some added protection
meant
to prevent scripts from arbitrarily choosing local files to be sent, and
automatically submitting the form without user knowledge. For example,
.value parameter cannot be set or changed, and any changes to .type
reset
the contents of the field.
Unfortunately, there are some problems that allow user's keyboard input
in
unrelated locations to be selectively, transparently redirected to these
input fields, and hence affect file selection to attacker's liking.
Even
though some browsers try to prevent file field hiding, it can be be
easily
stowed off-screen at negative window coordinates. The script can then
automatically submit the entire form, including victim's sensitive
files.
In MSIE7, unlike with previously reported focus-related attack vectors
that no longer work in that version, this can be achieved by selectively
removing input field focus from within a key event handler (see exploit
code).
In Firefox, this is possible by moving the focus between onKeyDown and
onKeyPressed events.
Mitigating factors
------------------
User interaction is required, limiting the impact somewhat - but any
website where the user can be reasonably expected to enter some text (a
keyboard-controlled web game, a blog posting or commenting interface)
can
attempt to exploit the vulnerability, and eventually succeed with one
user
or another.
Firefox requires absolute, fully-qualified file locations to be entered;
on Windows, this must include either a drive name, or a SMB host name -
both of which depend on the presence of less commonly used ':' or '\'
characters; *nix attacks are easier in that regard. MSIE is less
demanding
altogether, and will accept just about anything.
Exploit code
------------
A quick and naive demonstration of the new vulnerability in MSIE7
can be seen here:
An improved, automated version of an exploit for Firefox can be examined
here:
Petko's address bar attack
--------------------------
Petko d. Petkov noticed that the MSIE7 attack, which repeatedly
refocuses
the browser on a form input, effectively denies access to address bar
both
in MSIE and in Firefox. This is a less critical issue, but can be
creatively combined with the aforementioned bugs.
Other browsers?
---------------
Opera is not vulnerable, because it is impossible to focus on the file
input text field, only on the 'browse' button; other browsers were not
tested.
