Date: Mon, 12 Feb 2007 00:34:46 +0100 (CET)
From: Michal Zalewski
To: bugtraq@securityfocus.com
Subject: MSIE, Firefox focus stealing vulnerabilities (updated for BUGTRAQ)

[ Moderator: I managed to generate quite a flood of messages in the BUGTRAQ
  queue. Please feel free to reject them and approve this summary instead.
  Otherwise, if the rest already went through, please reject this post.
  My bad. ]

There is an interesting logic flaw in the Microsoft Internet Explorer and
Mozilla Firefox web browsers.

Vulnerabilities, credits
------------------------

First of all, to sort it all out - there are two separate problems being
reported here, and it's probably quite important to correctly attribute
them:

* The MSIE flaw, tested with IE7, is a newly discovered, distinct
  vulnerability, discovered by me. It exploits a problem similar to (but
  separate from!) the previously reported flaws found by Charles McAuley
  and Bart van Arnhem in June 2006 (these were fixed in IE7). Contrary to
  what The Register reports, Petko D. Petkov did not discover this
  problem, but simply participated in a mailing list discussion and
  offered some insightful suggestions later on (see below).

* The Firefox exploit, tested with 2.0.0.1 and 1.5.0.9, is an
  independently discovered and improved variant of an unpatched bug that
  has had an entry in Bugzilla at least since 2000. It was most recently
  reported by Charles McAuley in June 2006 (thanks to researcher Paul
  Szabo for spotting Charles' prior work). Charles was there first, I'm
  just providing a new and perhaps more convincing exploit.

Flaw description
----------------

In all modern browsers, file input form fields (used to upload
user-specified files to a remote server) enjoy some added protection meant
to prevent scripts from arbitrarily choosing local files to be sent and
automatically submitting the form without the user's knowledge. For
example, the .value property cannot be set or changed by a script, and any
change to .type resets the contents of the field.

Unfortunately, there are problems that allow the user's keyboard input in
unrelated locations to be selectively and transparently redirected to
these input fields, and hence let the attacker influence the file
selection. Even though some browsers try to prevent the file field from
being hidden, it can easily be stowed off-screen at negative window
coordinates. Once all the letters necessary to reconstruct a target
filename have been entered by the victim as part of a larger, unrelated
body of text, the script can automatically submit the entire form,
including the victim's sensitive files.

In MSIE7, unlike with the previously reported focus-related attack vectors
that no longer work in that version, this can be achieved by selectively
removing input field focus from within a key event handler (see exploit
code). In Firefox, this is possible by moving the focus between the
onKeyDown and onKeyPress events.

Mitigating factors
------------------

User interaction is required, limiting the impact somewhat - but any
website where the user can be reasonably expected to enter some text (a
keyboard-controlled web game, a blog posting or commenting interface, a
web chat, or a captcha) can attempt to exploit the vulnerability, and
eventually succeed with one user or another.

Contrary to some dismissive responses from Microsoft et al, I do not
believe that the aforementioned scenarios require a particularly careless
victim to succeed - these are common ways to interact with websites that
attract our attention, regardless of how trusted they are. Cross-site
scripting can be used to plant the attack code on a trusted web forum or a
similar site.

On some platforms, it might be harder to construct a valid filename than
elsewhere. For example, Firefox requires absolute, fully-qualified file
locations to be entered; on Windows, this must include either a drive
name or an SMB host name - both of which depend on the presence of the
less commonly used ':' or '\' characters. *nix attacks are easier in that
regard, because only '/' is required, and this character appears more
often in casual text. MSIE is less demanding altogether, and will accept
non-qualified paths as well.

Exploit code
------------

A quick and naive demonstration of the new vulnerability in MSIE7 can be
seen here:

  http://lcamtuf.coredump.cx/focusbug/ieversion.html

An improved, automated version of an exploit for Firefox can be examined
here:

  http://lcamtuf.coredump.cx/focusbug/ffversion.html

Both examples are Windows-specific, and require C:\BOOT.INI to exist and
be readable by users. The attack itself is not limited to a particular
operating system, but I decided to provide a demonstration for the most
popular desktop OS - *nix versions that access /etc/hosts or /etc/passwd
are easy to develop.

Petko's address bar attack
--------------------------

Petko D. Petkov noticed that the MSIE7 attack, which repeatedly refocuses
the browser on a form input, effectively denies access to the address bar
in both MSIE and Firefox. This is a less critical issue, but can be
creatively combined with the aforementioned bugs. Petko is also to be
credited for the captcha attack vector suggestion.

Other browsers?
---------------

Opera is unlikely to be vulnerable to that exact attack, because it is
impossible to focus the file input's text field, only its 'browse' button;
other browsers were not tested, but I would expect at least some to be
susceptible (naturally, on MacOS X or Linux, test cases have to be
modified to access an existing file).
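Added here as a defender-side illustration, not part of the advisory or of the linked demos: a heuristic scanner for user-submitted HTML (a forum post, a comment) that flags the two ingredients the flaw description combines, a file input stowed at negative coordinates and key-event handlers that move focus. The sample markup, the `scan()` function and the thresholds are constructed for this example.

```python
# Heuristic check for user-submitted HTML that pairs an off-screen file input
# with key-event handlers shifting focus. Assumption: inline markup only;
# attack code loaded from external scripts is not seen by this scanner.
import re
from html.parser import HTMLParser

NEGATIVE_OFFSET = re.compile(r'(?:left|top)\s*:\s*-\d+')   # e.g. left:-2000px
FOCUS_CALL = re.compile(r'\.(?:focus|blur)\s*\(')           # focus()/blur() in a handler
KEY_HANDLERS = ('onkeydown', 'onkeypress', 'onkeyup')


class FocusStealScanner(HTMLParser):
    """Counts off-screen file inputs and focus-moving key handlers."""

    def __init__(self):
        super().__init__()
        self.hidden_file_inputs = 0
        self.focus_shifting_handlers = 0

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (value or '') for name, value in attrs}
        if tag == 'input' and a.get('type', '').lower() == 'file':
            if NEGATIVE_OFFSET.search(a.get('style', '')):
                self.hidden_file_inputs += 1
        for handler in KEY_HANDLERS:
            if handler in a and FOCUS_CALL.search(a[handler]):
                self.focus_shifting_handlers += 1


def scan(html):
    """Return counts and a verdict: suspicious only when both ingredients co-occur."""
    scanner = FocusStealScanner()
    scanner.feed(html)
    scanner.close()
    return {
        'hidden_file_inputs': scanner.hidden_file_inputs,
        'focus_shifting_handlers': scanner.focus_shifting_handlers,
        'suspicious': scanner.hidden_file_inputs > 0
                      and scanner.focus_shifting_handlers > 0,
    }


# Constructed samples (not taken from the advisory's demo pages).
SUSPICIOUS_SAMPLE = '''
<form name="f" action="http://upload.example.invalid/" method="post"
      enctype="multipart/form-data">
  <input type="file" name="x" style="position:absolute; left:-2000px; top:-2000px">
</form>
<textarea onkeydown="document.f.x.focus()" onkeypress="document.f.x.blur()"></textarea>
'''
BENIGN_SAMPLE = ('<textarea onkeydown="countChars(this)"></textarea>'
                 '<input type="file" name="avatar">')

if __name__ == '__main__':
    print(scan(SUSPICIOUS_SAMPLE))  # suspicious: True
    print(scan(BENIGN_SAMPLE))      # suspicious: False
```

A match is a signal for moderation review, not proof of an attack; a legitimate page may position inputs off-screen for styling reasons.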