Multiple Mozilla products chrome: URI directory traversal (HTML_Mozilla_ChromeURI_Traversal)

About this signature or vulnerability

Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia-G 1.1 and earlier, RealSecure Server Sensor, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), IBM Security Network Protection, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Host Protection for Servers (Unix):

This signature detects a directory traversal attempt using an escaped sequence in a 'chrome://' URI. This can result in script execution on the local system.


Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network IDS: XPU 28.040, IBM Security Host Protection for Desktops: 2180, Proventia-G 1.1 and earlier: XPU 28.040, RealSecure Server Sensor: XPU 28.040, Proventia Network MFS: XPU 28.040, IBM Security Host Protection for Servers (Windows): 1.0.914.2180, IBM Security Host Protection for Servers (Windows): 2.0.252.2180, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Network Protection: 5.1, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.040, Proventia Network IPS: XPU 28.040, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

RedHat Enterprise Linux: 3 Desktop, RedHat Enterprise Linux: 3 AS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, SuSE SuSE SLES: 9, Novell Linux Desktop: 9, RedHat Enterprise Linux: 4 Desktop, RedHat Enterprise Linux: 4 WS, RedHat Enterprise Linux: 4 ES, Sun Solaris: 10 x86, Sun Solaris: 10 SPARC, Mozilla Firefox: 2.0, Mozilla Thunderbird: 2.0.0.9, Mozilla SeaMonkey: 1.1.5, RedHat Enterprise Linux Optional Productivity Applications: 5.1.z EUS, Mozilla SeaMonkey: 1.1.6, Mozilla Firefox: 2.0.0.11, RedHat Enterprise Linux: 4.6.z AS, RedHat Enterprise Linux: 4.6.z ES, Mozilla Firefox: 2.0.0.8, Mozilla SeaMonkey: 1.1.4, Mozilla Thunderbird: 2.0.0.7, Mozilla Thunderbird: 2.0.0.6, Mozilla Firefox: 2.0.0.7, RedHat Enterprise Linux: 5 Client, Canonical Ubuntu: 7.10, MandrakeSoft Mandrake Linux: 2007.1 X86_64, MandrakeSoft Mandrake Linux: 2008.0, RedHat Enterprise Linux: 5.1.z EUS, Mozilla Thunderbird: 2.0.0.4, Mozilla Thunderbird: 2.0.0.3, Mozilla SeaMonkey: 1.1.1, Mozilla SeaMonkey: 1.1.0, Mozilla SeaMonkey: 1.1.2, Mozilla Thunderbird: 2.0.0.2, Mozilla Thunderbird: 2.0.0.1, Mozilla Firefox: 2.0.0.9, Mozilla SeaMonkey: 1.1.3, Mozilla Thunderbird: 2.0.0.5, Mozilla Firefox: 2.0.0.5, Novell SUSE Linux Enterprise Server: 10 SP1, Mozilla Firefox: 2.0.0.6, Novell SUSE Linux Enterprise Desktop: 10 SP1, Mozilla Firefox: 2.0.0.4, MandrakeSoft Mandrake Linux: 2008.0 X86_64, MandrakeSoft Mandrake Linux: 2007.1, Mozilla Firefox: 2.0.0.3, Mozilla Firefox: 2.0.0.2, RedHat Enterprise Linux Optional Productivity Applications: 5 Server, Canonical Ubuntu: 7.04, Debian Debian Linux: 4.0, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, Mozilla Firefox: 2.0.0.1, Novell Linux POS: 9, RedHat Linux Advanced Workstation: 2.1 Itanium, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, Canonical Ubuntu: 6.10, SUSE SuSE Linux: 10.1, Canonical Ubuntu: 6.06 LTS, Novell OpenSUSE: 10.2, Novell OpenSUSE: 10.3, Sun OpenSolaris: build_snv_89 x86, Sun OpenSolaris: build_snv_89 SPARC, Mozilla Thunderbird: 2.0.0.10, Sun OpenSolaris: 2008.5 SPARC, Sun OpenSolaris: 2008.5 x86, Mozilla Firefox: 2.0 rc1, Mozilla Firefox: 2.0 Beta2, Novell Open Enterprise Server, Mozilla SeaMonkey: 1.1 Beta, Mozilla Firefox: 2.0 rc3, Mozilla Firefox: 2.0.0.10, Mozilla Firefox: 2.0 rc2, Mozilla Firefox: 2.0 Beta1, Mozilla Thunderbird: 2.0.0.0, Mozilla Thunderbird: 2.0.0.11, Mozilla SeaMonkey: 1.1, Mozilla SeaMonkey: 1.1.7, Mozilla Thunderbird: 2.0.0.8

Type

Unauthorized Access Attempt

Vulnerability description

Multiple Mozilla products with flat-packaged add-ons installed could allow a remote attacker to traverse directories on the system when the local file location is known. By persuading a victim to visit a malicious Web site embedded with a specially-crafted chrome: Uniform Resource Identifier (URI) containing encoded "dot dot" sequences (%2e%2e%2f), an attacker could exploit this vulnerability to view JavaScript, images or stylesheets, and obtain the contents of the sessionstore.js file.

How to remove this vulnerability

Refer to MFSA 2008-05 for patch, upgrade or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

Mozilla Web site
Firefox web browser
http://www.mozilla.com/en-US/firefox/

hiredhacker Web site
Firefox chrome: URL Handling Directory Traversal.
http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/

Full-Disclosure Mailing List, Tue, 22 Jan 2008 19:16:37 +0100
Firefox 2.0.0.11 Chrome Privilege Escalation PoC
http://seclists.org/fulldisclosure/2008/Jan/0457.html

MFSA 2008-05
Directory traversal via chrome: URI
http://www.mozilla.org/security/announce/2008/mfsa2008-05.html

Netscape Web site
Release Notes: What's New in Netscape Navigator 9.0.0.6
http://browser.netscape.com/releasenotes/

Sun Alert ID: 238492
Multiple Security Vulnerabilities in Solaris 10 Firefox may Allow Execution of Arbitrary Code and Access to Unauthorized Data
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238492-1

Sun Alert ID: 239546
Security Vulnerabilities in Thunderbird for Solaris May Result in Privilege Escalation or Cross-Site Scripting (XSS)
http://sunsolve.sun.com/search/document.do?assetkey=1-66-239546-1

ISS X-Force
Multiple Mozilla products chrome: URI directory traversal
http://www.iss.net/security_center/static/39840.php

CVE
CVE-2008-0418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418