Open Bug 557415 Opened 14 years ago Updated 2 years ago

2 JS LiveConnect Vulnerabilities.

Categories

(Firefox :: Security, defect)

3.6 Branch
x86
Windows XP
defect

UNCONFIRMED

People

(Reporter: info, Unassigned)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Hope you all had a Happy Easter,

I have two Easter eggs that are related, created to raise a little more awareness of the problematic LiveConnect technology that is still supported by Mozilla.

1st Bug: Computer name & Path discovery.

Found a new way to discover the computer name and location of a file through JS LiveConnect. Note: this happened before with an htmlFor bug on an HTML FILE field, and got fixed not too long ago. This is another approach, using the Java LiveConnect package to reach the same objective.

2nd Bug: Not sure what to call this one.

It utilizes JS LiveConnect again to access a floppy drive (or any drive); it cannot read or write, but obviously makes your floppy drive make funny noises. Throw it in a loop, and you get more fun than you've bargained for.

See the PoCs for all the fun.

Reproducible: Always

Steps to Reproduce:
1. Open PoCs
2. Run it
3. Smile!

Actual Results:
A website discovers my computer name, and can make my floppy make funny noises. Sometimes it crashes in various different setups.

Expected Results:
Bug 1: Strip out the computer name and path name (like the FILE field).
Bug 2: Don't allow JS to open/access drives without permission.

PoC summary: http://pastie.org/904887

PoC 1: http://www.scarletred.nl/poc/cptest.html
PoC 2: http://www.scarletred.nl/poc/floppy.html
Attached file Bug 2: Floppy noise.

Severity: major → normal

Attached file Java Crash log

Firefox crashed too, no log. Happens randomly.

Have you submitted a report to Sun (Oracle)?

No, I haven't; according to their crash log it happened outside their VM, in XUL.dll. I added the log so you can see which version of Java I use, plus my configuration/setup. I cannot make Bug #2 crash consistently yet, but it seems pretty unstable at times.

Sorry, it's been a while since I've had to read Java logs.

https://developer.mozilla.org/En/How_to_get_a_stacktrace_with_WinDbg

Just learned that Mozilla now hooks everything into the Java plugin instead of relying on LiveConnect. Wow, pretty bad decision in my opinion. I just upgraded and noticed that Java cannot be disabled anymore in about:config; instead you have to remove the plugin? Given this, does that mean that Sun is now responsible for these two bugs?

You can disable any plugin in Tools > Add-ons > Plugins.

Version: unspecified → 3.6 Branch

Severity: normal → S3