Closed Bug 324300 Opened 20 years ago Closed 19 years ago

Trojan or e-mail could allow remote code execution.

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mduclos3, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Affected OS: Windows 95 and later Affected products: Firefox(all versions), Mozilla(all versions), Internet Explorer(all versions)*, Opera(all versions), Netscape(all versions), MSN Explorer**, AOL(all versions)** Security Rating: Critical *was able to fix IE with widely available 3rd party program. **Exploit only exists when logged in. Being a Linux buff, but converting some designs to Windows and trying to make products as safe as possible, I tested 2 of my company's proprietary exploit scripts. Main reason was to test my upcoming project beta release, but I included many major web browsers as you can see. This is a long standing windows vulnerability that Mozilla can fix in all its products with a simple modification which I'll explain. Besides my trojan test, the 2 major scripts are written in Java and for Macromedia Flashplayer. They resemble a Java/Macromedia game code, but are not designed to send and recieve game data. They are designed to run in Win 32 and act as a 2 way trojan for remote execution. The vulnerability varies with simple code modification as to whether to give you a virus, install spyware, or steal personal information. The malicious code must be hosted on remote server and client must either fall for e-mail with the tainted link or get the malware trojan through P2P networks, open firewall, or tainted website. It's main job is to open the web browser and direct it to actual malicious code. The trojan method can be more randomized if not detected, like to launch at a set interval as it runs in background on the pc. This is not theoretical, I have accomplished it, but the code is company secret. Now the fix: Make a patch or new browser version where browser asks permission for programs to launch it, and as an extra measure, asks permission for the referred site to run scripts. I have more hope for Mozilla than Microsoft and saw an easy fix that could be done with the browser. As this is more a windows vulnerability, I do not expect the bounty reward but am a fan of your products and thought this gaping hole in an almost perfect browser would be easily patched. As for IE, advise the third party product 12 Ghosts popup killer, free for personal use. It stops a trojan from executing the script by asking permission for IE to open. Reason I mention this is I don't want someone to have IE in addition to Mozilla products and be hacked through IE. I am experimenting with hosts file hijack on common adware and will report my findings. Good luck. Reproducible: Always Steps to Reproduce: 1.Infect pc through remote site with trojan or get other pc to read bogus e-mail. 2.Causes Javascript and Flash to run malicious code 3.PC comprimised Actual Results: PC on remote end almost under my total control with exception of GUI. Expected Results: same as above was expected. Optimally a browser should warn that something is trying to run it, so please take the suggestion :) Built in permissions would be a rare browser security feature that would close many vulnerabilities like this. Only my upcoming beta has it so far, a free client based on our corporate browser. But have only suggested to Mozilla that other browsers include it because your products have served me for a long time even before I started officially commercially developing outside of networking. It is even possible a trusted program is the abused program and opens Firefox with the Trojan method. Program abuse is common in windows, but so easily fixed.
Staff just confirmed WIN32 vulnerability through types of virus that write hosts file. 192.168.100.21 successfully written with modified e-mail virus as shown. 192.168.100.21 www.mozilla.org Yes this test is done on internal networks as I would not expose the internet to a potential hazard. :)
> This is not theoretical, I have accomplished it, but the code is company > secret. Claiming you've found a security hole but not telling us what it is isn't very nice. >Now the fix: Make a patch or new browser version where browser asks >permission for programs to launch it Firefox isn't an operating system, so it is neither expected nor able to protect itself from programs that are allowed to modify it. >and as an extra measure, asks permission for the referred site to run scripts. I don't understand what you mean by this. What's the security hole that allows the trojan to get installed in the first place?
Whiteboard: [sg:needinfo]
This seems to be saying that once you're infected that infection can use the browser to further its ends. True, but it's too late at that point. After nine months as "needinfo" it doesn't look like we're getting any more info on this one.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Whiteboard: [sg:needinfo]
You need to log in before you can comment on or make changes to this bug.