exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Chris Evans Security Advisory 2008.9

Chris Evans Security Advisory 2008.9
Posted Nov 19, 2008
Authored by Chris Evans

Firefox versions 2.0.0.18 and below and WebKit nightly are affected by a cross-domain arbitrary image theft vulnerability.

tags | advisory, arbitrary
advisories | CVE-2008-5012
SHA-256 | d0194747a05587197d8e8c47a948cf9b3eee714682e19c5c1a8a0ea718f09d2e

Chris Evans Security Advisory 2008.9

Change Mirror Download
<html>
<head>
<title>
CESA-2008-009 - rev 1
</title>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-72867-8");
pageTracker._initData();
pageTracker._trackPageview();
</script>
</head>
<body>
<h2>CESA-2008-009 - rev 1</h2>
<p/>
<br/>
[See all my vulnerabilities at
<a href="http://scary.beasts.org/security">http://scary.beasts.org/security</a>]
<p/>
[Blog if you want to subscribe to new findings is at
<a href="http://scarybeastsecurity.blogspot.com/">
http://scarybeastsecurity.blogspot.com/</a>]
<p/>
<h3>Firefox 2 and WebKit nightly cross-domain image theft</h3>
<hr/>
<br/>Programs affected: Firefox 2, prior to 2.0.0.18. Firefox 3 never affected.
WebKit nightly was affected somewhere between Safari 3 and 4.
<br/>Fixed: Firefox 2.0.0.18, Firefox 3.
<br/>Severity: Cross-domain theft of arbitrary images; machine fingerprinting.
<br/><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5012">
CVE-2008-5012</a>
<br/><a href="http://www.mozilla.org/security/announce/2008/mfsa2008-48.html">
MFSA 2008-48</a>
<p/>
Arbitrary images (authenticated and unauthenticated) can be stolen cross-domain
by fooling the browser about the domain of origin and then rendering the image
to a canvas and stealing it with the Javascript <code>getImageData</code> API.
<p/>
Fooling the browswer about the domain of origin is accomplished by using "the
302 redirect trick". This involves accessing the image via an URL local to the
current (evil) domain. This local URL hosts a redirector which redirects to the
remote image we wish to steal.
<p/>
Interestingly, despite the diverse code base, WebKit had exactly the same issue.
No production WebKit browser that I know was ever affected because Safari 3.1
and Chrome pre-1.0 were based off a WebKit without the APIs which read image
data (such as <code>getImageData</code> and <code>toDataUrl</code>).
<p/>
<h3>Demo</h3>
<p/>
You can read the demo code at
<a href="https://cevans-app.appspot.com/static/ff2stealimgbug.html">
https://cevans-app.appspot.com/static/ff2stealimgbug.html
</a>
<p/>
<h3>Credits</h3>
<ul>
<li>Georgi Guninski independently reported this privately to Mozilla some
time ago. It was silently fixed in Firefox 3 but left unfixed in Firefox 2,
hence the independent discovery.</li>
<li>Michal Zalewski for noting (and demoing) the additional attack vector of
enumerating the locally installed applications, which has fingerprinting
possibilities.</li>
<li>Google - this flaw was discovered in Google's time. I'm with Google's
Security Team, and we're always recruiting talented security individuals.
Mail me.</li>
</ul>
<p/>
<br/>CESA-2008-009 - rev 1
<br/>Chris Evans
<br/><a href="mailto:scarybeasts@gmail.com">scarybeasts@gmail.com</a>
</body>
</html>

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close