Archive for September, 2007

Very short summary:

  1. IE pwns Firefox and Mozilla blames Microsoft for not sanitizing URLs before throwing them at other applications.
  2. Firefox pwns... all the world and Mozilla recognizes the same bug that had been blamed on IE affects Firefox itself.
  3. Mozilla devs fix their bug immediately, while people like Alun Jones (Security Microsoft Valued Partner) and Markellos Diorinos (IE Product Manager) deny such a bug exists at all, thus IE won't be fixed.
  4. ...
  5. Profit!

And this time I can't even insert my usual NoScript plug ;)

Pompei Party

GNUCITIZEN's Petko D. Petkov (AKA pdp) just posted an interesting 0DAY disclosure about a Quicktime bug allowing JavaScript chrome privilege escalation on Gecko-based browsers -- in other words, a full-fledged remote arbitrary code execution vulnerability.

If you run one of those demos on Microsoft Windows, you'll see pretty things happening, like calc.exe being launched behind your back.
Both Petko and I said this vulnerability is theoretically cross-platform, but, as many reported, it couldn't actually be reproduced on Mac OS X.
This doesn't come as a real surprise, though, since this is just another cross-application URI dispatching bug, and the Apple OS has already been shown to handle this issue in a much saner way than its counterpart from Redmond.
At any rate, on Windows at least, this can be exploited to do anything the currently logged user can.
Scary, right?

However, thanks to Billy Rios, Thor Larholm and other "URI handler gangsters", NoScript users are protected from this and similar possible exploits since 22-Jun-2007.

Even if is in your whitelist, nothing bad will happen thanks to the specific top-level chrome protection implemented almost 3 months ago.

Hmm... alert(Math.round((new Date(2007, 5, 22) - new Date(2007, 8, 12)) / 3600 / 24 / 1000)) ==> -82 ;)

I was checking the Planet WebSec feed this morning (BTW, Christ1an must have something personal against me, as he told me he was about to add my blog one month ago...)

The latest post was this "So you think you're a hacker?" by Gareth Heyes, which in turn tracked back to this "7 minutes to kill a monster" by my friend Eduardo Vela, AKA Sirdarckcat.

Both were about a sort of (un?)official challenge to find XSS vectors capable of bypassing the famous PHPIDS tool, a game both Sirdarckcat and I had already found quite funny at the beginning of last July and which, according to Mario Heiderich, helped him harden his PHPIDS filters.

At any rate, Sirdarckcat's post ended like this:

I'm sure that Gareth Heyes, and Giorgio Maone will be the next to find some vectors

Wow, so there's a party and sounds like I'm officially invited ;)

OK, let's bring in some beer:

  1. a=eval,b=(name);a(b)
  2. a=open,b=(name);a(b)
  3. a=setTimeout,b=(name);a(b)

Notice that -- quite obviously -- you will need to disable NoScript (or at least disable its anti-XSS protection and allow both and) if you want to get some joy from the links above.

Cheers :)
