Full Disclosure
mailing list archives
Re: Firefox/MSIE focus stealing vulnerability - clarification
From: Marcello Barnaba <marcello () softmedia info>
Date: Mon, 12 Feb 2007 23:59:13 +0100
Hi Michal,
On Monday 12 February 2007 00:01, Michal Zalewski wrote:
> After some research, I can offer this clarification:
> 1) The MSIE 7 attack vector I described is a distinctive, new
> vulnerability that differs from the attack reported by Charles
> McAuley and Bart van Arnhem. Attacks described by them were
> fixed in MSIE7 (although MSIE6 is still exposed to the original
> flaw).
> My vulnerability attacks the same form control, but in a different
> manner. Again, the demo for this vulnerability is here:
> http://lcamtuf.coredump.cx/focusbug/ieversion.html
> 2) The Firefox attack vector is related to Charles' CVE-2006-2894,
> which in turn was a rediscovery of a problem known to Mozilla since
> 2000 (!); attempts to fix it in official releases failed because the
> problem was repeatedly marked as a duplicate of a too narrowly
> defined issue with control hiding. A broader redesign probably
> eliminated the issue in development branches, but it still affects
> Firefox 1.5 and 2.0.
> This can be considered an independent rediscovery and a more
> practical demonstration of a previously reported vulnerability.
> The exploit is here: http://lcamtuf.coredump.cx/focusbug/index.html
I tested both the FF and IE versions on both Safari 2.0.4 (419.3) and Konqueror
3.5.5.
On the FF version, Konqueror does not exhibit any behavior: it lets you input
text and no redirection is made. To my surprise, the IE version instead dumps
all the keystrokes typed but does not copy them again into the textarea.
Hitting return causes a dialog "The following files will not be uploaded
because they could not be found", and the reason is that the file name
is the whole input phrase.
On Safari the FF version does not dump anything either; just the first C
keystroke is taken directly into oblivion :). OTOH the IE version
exhibits the same behavior as Konqueror, but the "select file" open dialog
pops up whenever you hit space.
Regards
--
pub 1024D/8D2787EF 723C 7CA3 3C19 2ACE 6E20 9CC1 9956 EB3C 8D27 87EF