Date: Tue, 6 Jan 2009 14:46:46 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Manuel.Reimer@....de, coley@...re.org
Subject: Fwd: Using xdg-open in /etc/mailcap causes hole in Firefox
 (Demonstration/Exploit included)

Here's a heads up for everyone (I've CC'd the discoverer).

Steve, can you assign a CVE id?

Thanks.

----- Forwarded Message -----

Hello,

As I've seen, you also seem to use xdg-open in /etc/mailcap.

The problem is that xdg-open itself detects the right mime-type. This allows an attacker to deliver a dangerous file with a trustworthy mime-type to get it executed by xdg-open.

I've created an example page:
https://prefbar.mozdev.org/testxdgopen.html (With SSL)
http://prefbar.mozdev.org/testxdgopen.html (Without SSL)

This page delivers a .desktop file with the mime-type "application/pdf". In the default configuration, Firefox offers to open this file with the default application, which is xdg-open. Just one click on "OK" (and most users won't have a closer look at the dialog!) and the content in the .desktop file is immediately executed!

Other combinations are possible; I just got the first result with .desktop files. There may be other dangerous types that Firefox may be tricked into opening with xdg-open. It's even possible to hide the real file type.

See also:
https://bugs.freedesktop.org/show_bug.cgi?id=19377
Problem: Their security bugs are open to the public :-( Fast reaction would be required :-(

Yours

Manuel Reimer
-- 
()  ascii ribbon campaign - against html mail
/\
answers as html mail will be deleted automatically!
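
An added example, not part of the original message or of any project's code: a check that a mailcap helper could run before handing a downloaded file to an opener that re-detects the type itself, refusing desktop entries and content that does not match the declared mime-type. The allow-list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed allow-list for illustration: declared MIME type -> leading magic bytes.
MAGIC = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
DESKTOP_HEADERS = (b"[Desktop Entry]", b"[KDE Desktop Entry]")

def looks_like_desktop_entry(head):
    """True if the first non-blank, non-comment line is a desktop-entry group header."""
    for line in head.splitlines():
        line = line.strip()
        if line and not line.startswith(b"#"):
            return line in DESKTOP_HEADERS
    return False

def safe_to_hand_off(path, declared_type):
    """Return (allowed, reason) for passing `path` to an opener that re-detects types."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if path.lower().endswith(".desktop") or looks_like_desktop_entry(head):
        return False, "desktop entry content"
    magics = MAGIC.get(declared_type.split(";")[0].strip().lower())
    if magics is None:
        return False, "declared type not on allow-list"
    if not head.startswith(magics):
        return False, "content does not match declared type"
    return True, "ok"

def demo():
    """Run the check over constructed sample files, all declared application/pdf."""
    samples = {
        "report.pdf": b"%PDF-1.4\n% constructed sample\n",
        "invoice.desktop": b"[Desktop Entry]\nType=Application\nName=invoice\nExec=true\n",
        "renamed.pdf": b"# comment\n[Desktop Entry]\nType=Application\nExec=true\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = safe_to_hand_off(path, "application/pdf")
    return results

if __name__ == "__main__":
    print(demo())
```

The check is deliberately fail-closed: a declared type that is not on the allow-list is refused rather than passed through to the opener.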
