17-Year-Old Bug in Firefox Allows Local File Theft Attacks

Security researcher Barak Tawily recently came across a 17-year-old security vulnerability in the latest version of Mozilla Firefox. It turns out that the widely popular browser is vulnerable to a local file theft attack on any operating system.




Vulnerability in Firefox Allows Local Files Theft

The attack is possible due to improper implementation of Same Origin Policy for file scheme URLs, the researcher said. There’s also a proof-of-concept for the attack. The vulnerability is yet to be patched.

In other words, the vulnerability would allow attackers to steal files stored on the user’s computer. The attack leverages the way the Firefox browser implements Same Origin Policy for the “file://” scheme URI (Uniform Resource Identifier), which allows any file in a folder on a system to get access to files in the same folder and subfolders.
The researcher shared a complete attack scenario based on this vulnerability:

1. Attacker sends email to victim with attachment file to be downloaded / Victim browses to malicious website and downloads file
2. The victim opens the malicious HTML file
3. The file loads the containing folder in an iframe (so my file path is file:///home/user/-malicious.html, and the iframe source will be file:///home/user/)
4. The victim thinks he clicks on a button on the malicious HTML, but in fact he is clicking on the malicious file html inside the iframe’s directory listing (using ClickJacking technique, in order to apply the “context switching bug” which allows me to access the directory listing of my containing folder)
5. The malicious iframe now has escalated privileges and is able to read any file in the folder that contains the malicious file (in most cases the downloads folder, in my case file:///home/user/).
6. The malicious file is able to read any file in its containing folder (file:///home/user/), such as SSH private key by simply fetching the URL file:///home/user/.ssh/ida_rsa and stealing any file by 1 more fetch request to the attacker’s malicious website with the files’ content.
7. The attacker gains all files in the folder containing the malicious file by exploiting this vulnerability
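
A defender's check for the scenario above, as an added example that is not part of the original article or the researcher's proof of concept: it scans a downloaded HTML file for frames whose source is a file: URL (step 3) and for literal file: URLs in inline script (step 6). The class and function names and the sample documents are constructed for illustration.

```python
import re
from html.parser import HTMLParser

FRAME_TAGS = {"iframe", "frame", "object", "embed"}
FILE_URL_RE = re.compile(r"file:/{1,3}[^\s'\"`<>)]*", re.IGNORECASE)

class FileSchemeAudit(HTMLParser):
    """Collects (kind, tag, url) findings for file:-scheme references."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag not in FRAME_TAGS:
            return
        for name, value in attrs:
            url = (value or "").strip()
            if name in ("src", "data") and url.lower().startswith("file:"):
                # A trailing slash means a directory listing is being framed.
                is_dir = url.split("#")[0].split("?")[0].endswith("/")
                self.findings.append(("frame-dir" if is_dir else "frame-file", tag, url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Static heuristic: only literal file: URLs in inline script are seen.
        if self._in_script:
            for url in FILE_URL_RE.findall(data):
                self.findings.append(("script-file-url", "script", url))

def audit_html(text):
    parser = FileSchemeAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed samples (not taken from the researcher's proof of concept).
SUSPICIOUS = """<html><body><button>Open</button>
<iframe src="file:///home/user/"></iframe>
<script>var target = "file:///home/user/.ssh/ida_rsa";</script></body></html>"""
BENIGN = '<html><body><iframe src="https://example.com/"></iframe></body></html>'

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_html(doc))
```

A `frame-dir` finding corresponds to the directory-listing frame in step 3; legitimate HTML attachments rarely frame a local directory, so it is a reasonable quarantine signal for mail and download scanning.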

The researcher believes that the issue stems from the web origin concept RFC, which does not describe a well-defined implementation of SOP for file scheme URLs.


Tawily was curious to see for how long Firefox has been ignoring complaints without doing anything about the “insecure approach”. To his own surprise, he managed to get hold of a bug quite similar to this vulnerability (except for the directory listing context switch bug). The similar bug was already reported 17 years ago.

Tawily reported his findings to Mozilla, who responded that this was a “duplicate report”, adding that “the specification of the Same Origin Policy is unclear here. Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders”.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
