Date: Tue, 6 Jan 2009 14:46:46 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Manuel.Reimer@....de, coley@...re.org
Subject: Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox
 (Demonstration/Exploit included)

Here's a heads up for everyone (I've CCd the discoverer)

Steve, can you assign a CVE id?

Thanks.

----- Forwarded Message -----

Hello,

as I've seen, you also seem to use xdg-open in /etc/mailcap.

The problem is that xdg-open itself detects the right mime-type. This allows an attacker to deliver a dangerous file with a trustworthy mime-type to get it executed by xdg-open.

I've created an example page:
https://prefbar.mozdev.org/testxdgopen.html (With SSL)
http://prefbar.mozdev.org/testxdgopen.html (Without SSL)

This page delivers a .desktop file with the mime-type "application/pdf". In the default configuration, Firefox offers to open this file with the default application, which is xdg-open. Just one click on "OK" (and most users won't have a closer look at the dialog!) and the content in the .desktop file is immediately executed!

Other combinations are possible; I just got the first result with .desktop files. There may be other dangerous types that Firefox may be tricked into opening with xdg-open. It's even possible to hide the real file type.

See also:
https://bugs.freedesktop.org/show_bug.cgi?id=19377
Problem: Their security bugs are open to the public :-( Fast reaction would be required :-(

Yours

Manuel Reimer
-- 
()  ascii ribbon campaign - against html mail
/\
answers as html mail will be deleted automatically!
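
One way to check a system for the configuration the forwarded message describes, as an added example that is not part of the original message or of any project's code: a small auditor that parses mailcap text and lists the MIME types whose view command is xdg-open. The sample entries are constructed, and the names `audit_mailcap`, `logical_lines` and `REDETECTING_OPENERS` are hypothetical.

```python
import re
import shlex

# Openers that choose the handler from the file itself rather than from the
# MIME type of the mailcap entry. Only xdg-open is named in the message.
REDETECTING_OPENERS = {"xdg-open"}

# Constructed sample, not copied from any distribution's /etc/mailcap.
SAMPLE_MAILCAP = r"""
# constructed sample entries
application/pdf; /usr/bin/xdg-open %s
text/html; /usr/bin/firefox %s; test=test -n "$DISPLAY"
image/*; xdg-open \
    '%s'; description=Any image
application/postscript; /usr/bin/gv %s
"""

def logical_lines(text):
    """Yield (first_line_number, entry); skips comments, joins '\\' continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def audit_mailcap(text, openers=REDETECTING_OPENERS):
    """Return [(line, mime_type, program)] for entries viewed through a listed opener."""
    findings = []
    for n, entry in logical_lines(text):
        fields = [f.strip() for f in re.split(r"(?<!\\);", entry)]  # keep escaped '\;'
        try:
            argv = shlex.split(fields[1]) if len(fields) > 1 else []
        except ValueError:  # unbalanced quotes: not a usable command line
            continue
        if argv and argv[0].rsplit("/", 1)[-1] in openers:
            findings.append((n, fields[0].lower(), argv[0].rsplit("/", 1)[-1]))
    return findings

if __name__ == "__main__":
    for n, mime, prog in audit_mailcap(SAMPLE_MAILCAP):
        print(f"line {n}: {mime} is handed to {prog}, which picks the handler itself")
```

To audit a real system, pass the contents of /etc/mailcap (and any per-user ~/.mailcap) to `audit_mailcap` instead of the sample.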
