Closed Bug 659334 Opened 9 years ago Closed 9 years ago

Remote code execution !!!

Categories

(Firefox :: Security, defect, critical)

x86
Windows XP
defect
Not set
critical


RESOLVED INVALID

People

(Reporter: federicopugnali, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.772.0 Safari/535.1
Build Identifier: 3.6.17

When accessing the mentioned URL, a malware virus automatically executes. It leaves a 0.xxxx.exe (where x are random numbers) in the Firefox main folder, and changes a lot of Windows settings to make it very hard to remove. It instantly executes itself, displaying a blue window with foreign characters (undisplayable on my computer) that won't let you move your mouse away from it.

After a big cleanup, I was able to reproduce it using a sandbox, and I noticed that after loading the page, plugin-container.exe executes, then the Java plugin and the Flash plugin, then the 0.xxx executable, and then of course the virus takes control.

Reproducible: Always

Steps to Reproduce:
1. Open Firefox 3.6.17
2. Go to http://crimelend.ru/jobsearch
3. wait a few seconds

Actual Results:  
The virus will execute and take control of the machine. Please test it inside a sandbox.

Expected Results:  
Not allow a virus to execute without even clicking on anything!

All the information from my Firefox installation, in case any plugin is affecting this problem:



  Basic application configuration

        Name
        Firefox

        Version
        3.6.17

        Profile directory

          Open containing folder

        Installed plugins

          about:plugins

        Build configuration

          about:buildconfig

  Extensions

        Name

        Version

        Enabled

        ID

        British English Dictionary
        1.19.1
        true
        en-GB@dictionaries.addons.mozilla.org

        Diccionario de Español/España
        1.3.1
        true
        es-es@dictionaries.addons.mozilla.org

        FlashGot
        1.2.8.5
        true
        {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}

        Free Download Manager plugin
        1.3.1
        false
        fdm_ffext@freedownloadmanager.org

        Google Web Toolkit Developer Plugin for Firefox
        1.0.9863
        true
        gwt-dev-plugin@google.com

        Java Console
        6.0.15
        true
        {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

        LogMeIn, Inc. Remote Access Plugin
        1.0.0.406
        false
        LogMeInClient@logmein.com

        Microsoft .NET Framework Assistant
        1.2.1
        true
        {20a82645-c095-46ed-80e3-08825760534b}

        NoScript
        2.1.0.1
        false
        {73a6fe31-595d-460b-a920-fcc0f8843232}

        Skype extension for Firefox
        2.2.0.102
        true
        {B13721C7-F507-4982-B2E5-502A71474FED}

        Firebug
        1.6.2
        true
        firebug@software.joehewitt.com

        Java Console
        5.0.12
        true
        {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}

  Modified preferences

      Name

      Value

        accessibility.typeaheadfind.flashBar
        0

        browser.history_expire_days.mirror
        180

        browser.places.importBookmarksHTML
        false

        browser.places.importDefaults
        false

        browser.places.leftPaneFolderId
        -1

        browser.places.migratePostDataAnnotations
        false

        browser.places.smartBookmarksVersion
        2

        browser.places.updateRecentTagsUri
        false

        browser.startup.homepage
        http://www.google.com/ig

        browser.startup.homepage_override.mstone
        rv:1.9.2.17

        dom.max_script_run_time
        1800

        extensions.lastAppVersion
        3.6.17

        general.useragent.extra.microsoftdotnet
        ( .NET CLR 3.5.30729)

        network.cookie.prefsMigrated
        true

        network.protocol-handler.warn-external.sop
        false

        network.protocol-handler.warn-external.tvants
        false

        network.protocol-handler.warn-external.tvu
        false

        places.last_vacuum
        1305256075

        print.print_bgcolor
        false

        print.print_bgimages
        false

        print.print_command

        print.print_downloadfonts
        true

        print.print_evenpages
        true

        print.print_in_color
        true

        print.print_margin_bottom
        0.5

        print.print_margin_left
        0.5

        print.print_margin_right
        0.5

        print.print_margin_top
        0.5

        print.print_oddpages
        true

        print.print_orientation
        0

        print.print_pagedelay
        500

        print.print_paper_data
        0

        print.print_paper_height
        11,00

        print.print_paper_size
        7536685

        print.print_paper_size_type
        1

        print.print_paper_size_unit
        0

        print.print_paper_width
        8,50

        print.print_printer
        Bullzip PDF Printer

        print.print_reversed
        false

        print.print_scaling
        1,00

        print.print_shrink_to_fit
        true

        print.print_to_file
        false

        print.printer_Bullzip_PDF_Printer.print_bgcolor
        false

        print.printer_Bullzip_PDF_Printer.print_bgimages
        false

        print.printer_Bullzip_PDF_Printer.print_command

        print.printer_Bullzip_PDF_Printer.print_downloadfonts
        true

        print.printer_Bullzip_PDF_Printer.print_evenpages
        true

        print.printer_Bullzip_PDF_Printer.print_footercenter

        print.printer_Bullzip_PDF_Printer.print_footerleft
        &PT

        print.printer_Bullzip_PDF_Printer.print_footerright
        &D

        print.printer_Bullzip_PDF_Printer.print_headercenter

        print.printer_Bullzip_PDF_Printer.print_headerleft
        &T

        print.printer_Bullzip_PDF_Printer.print_headerright
        &U

        print.printer_Bullzip_PDF_Printer.print_in_color
        true

        print.printer_Bullzip_PDF_Printer.print_margin_bottom
        0.5

        print.printer_Bullzip_PDF_Printer.print_margin_left
        0.5

        print.printer_Bullzip_PDF_Printer.print_margin_right
        0.5

        print.printer_Bullzip_PDF_Printer.print_margin_top
        0.5

        print.printer_Bullzip_PDF_Printer.print_oddpages
        true

        print.printer_Bullzip_PDF_Printer.print_orientation
        1

        print.printer_Bullzip_PDF_Printer.print_pagedelay
        500

        print.printer_Bullzip_PDF_Printer.print_paper_data
        1

        print.printer_Bullzip_PDF_Printer.print_paper_height
        11,00

        print.printer_Bullzip_PDF_Printer.print_paper_size
        7536685

        print.printer_Bullzip_PDF_Printer.print_paper_size_type
        0

        print.printer_Bullzip_PDF_Printer.print_paper_size_unit
        0

        print.printer_Bullzip_PDF_Printer.print_paper_width
        8,50

        print.printer_Bullzip_PDF_Printer.print_reversed
        false

        print.printer_Bullzip_PDF_Printer.print_scaling
        1,00

        print.printer_Bullzip_PDF_Printer.print_shrink_to_fit
        true

        print.printer_Bullzip_PDF_Printer.print_to_file
        false

        print.printer_Generic_/_Text_Only.print_bgcolor
        false

        print.printer_Generic_/_Text_Only.print_bgimages
        false

        print.printer_Generic_/_Text_Only.print_command

        print.printer_Generic_/_Text_Only.print_downloadfonts
        true

        print.printer_Generic_/_Text_Only.print_evenpages
        true

        print.printer_Generic_/_Text_Only.print_footercenter

        print.printer_Generic_/_Text_Only.print_footerleft
        &PT

        print.printer_Generic_/_Text_Only.print_footerright
        &D

        print.printer_Generic_/_Text_Only.print_headercenter

        print.printer_Generic_/_Text_Only.print_headerleft
        &T

        print.printer_Generic_/_Text_Only.print_headerright
        &U

        print.printer_Generic_/_Text_Only.print_in_color
        true

        print.printer_Generic_/_Text_Only.print_margin_bottom
        0.5

        print.printer_Generic_/_Text_Only.print_margin_left
        0.5

        print.printer_Generic_/_Text_Only.print_margin_right
        0.5

        print.printer_Generic_/_Text_Only.print_margin_top
        0.5

        print.printer_Generic_/_Text_Only.print_oddpages
        true

        print.printer_Generic_/_Text_Only.print_orientation
        0

        print.printer_Generic_/_Text_Only.print_pagedelay
        500

        print.printer_Generic_/_Text_Only.print_paper_data
        1

        print.printer_Generic_/_Text_Only.print_paper_height
        11,00

        print.printer_Generic_/_Text_Only.print_paper_size
        7536685

        print.printer_Generic_/_Text_Only.print_paper_size_type
        0

        print.printer_Generic_/_Text_Only.print_paper_size_unit
        0

        print.printer_Generic_/_Text_Only.print_paper_width
        8,50

        print.printer_Generic_/_Text_Only.print_reversed
        false

        print.printer_Generic_/_Text_Only.print_scaling
        1,00

        print.printer_Generic_/_Text_Only.print_shrink_to_fit
        true

        print.printer_Generic_/_Text_Only.print_to_file
        true

        privacy.sanitize.migrateFx3Prefs
        true

        security.warn_viewing_mixed
        false
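The report above describes a recognisable process chain: firefox.exe starts plugin-container.exe (the NPAPI plugin host in Firefox 3.6), the plugin host spawns a freshly dropped 0.xxxx.exe inside the Firefox install folder, and that binary takes over the machine. The following is an added example, not code from the bug or from Mozilla, of how a detection would score process-creation events against that chain. The events, the install path, the pid numbers and the list of "known" Firefox binaries are all constructed assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: default Firefox 3.6 install folder on Windows XP, as in the report.
FIREFOX_DIR = r"c:\program files\mozilla firefox"
# Assumption: partial list of binaries that legitimately live in that folder.
KNOWN_FIREFOX_BINARIES = {"firefox.exe", "plugin-container.exe",
                          "crashreporter.exe", "updater.exe"}
PLUGIN_HOST = "plugin-container.exe"
# Names like 0.4821.exe, the "0.xxxx.exe" pattern the reporter saw.
DROPPER_NAME = re.compile(r"^0\.\d+\.exe$", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process


# Constructed sample (not real telemetry) mirroring the chain in the report:
# explorer -> firefox -> plugin-container -> 0.4821.exe -> 0.4821.exe
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\WINDOWS\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcEvent(210, 200, r"C:\Program Files\Mozilla Firefox\plugin-container.exe"),
    ProcEvent(300, 210, r"C:\Program Files\Mozilla Firefox\0.4821.exe"),
    ProcEvent(310, 300, r"C:\Program Files\Mozilla Firefox\0.4821.exe"),
    ProcEvent(400, 100, r"C:\WINDOWS\system32\notepad.exe"),  # benign noise
]


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> str:
    """Image names from the given process up to the root we know about."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against cyclic pid reuse
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


def detect_plugin_dropper(events: List[ProcEvent]) -> List[dict]:
    """Flag processes that look like a payload launched out of the plugin host.

    Each finding lists every reason that fired, so a child of plugin-container.exe
    that also has a dropper-style name in the install folder scores three times.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        folder = ntpath.dirname(e.image).lower()
        parent = by_pid.get(e.ppid)
        reasons = []
        if parent is not None and ntpath.basename(parent.image).lower() == PLUGIN_HOST:
            reasons.append("spawned by the NPAPI plugin host")
        if DROPPER_NAME.match(name):
            reasons.append("dropper-style name")
        if folder == FIREFOX_DIR and name not in KNOWN_FIREFOX_BINARIES:
            reasons.append("unknown executable in the Firefox install folder")
        if reasons:
            findings.append({"pid": e.pid, "image": e.image,
                             "reasons": reasons, "chain": ancestry(e.pid, by_pid)})
    return findings


if __name__ == "__main__":
    for f in detect_plugin_dropper(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "|", "; ".join(f["reasons"]), "|", f["chain"])
```

The parent-image check is the strongest of the three signals: the plugin host has no business creating processes at all, so a child of plugin-container.exe is worth an alert even when the name and path look ordinary. The second generation of the payload (pid 310) is caught only by the name and path rules, which is why the ancestry string is kept in the finding.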
That page is a 404 - Not found. I see you have Java Console 5.0.12 in addition to 6.0.15. Please visit http://www.mozilla.com/en-US/plugincheck/ and see if all of your plugins are up to date. The latest Java is 6 update 25 and the latest Flash is 10.3.181.14. If either is out of date, they are the likely causes of your infection. Please report back here on the versions of Flash and Java you were using before updating.
Sorry, I made a couple of mistakes. The correct site is
http://crimelend.ru/jobseach.htm

And the second started plugin was not flash but Acrobat Reader (my flash plugin was the updated 10.3.181.14 btw).
My java plugin was 1.6.0.15. I updated it to 1.6.0.25 and when accessing the page, nothing happens now. My acrobat plugin is outdated and it's version 7.0.0. But with just the java plugin update the problem seems to be gone. Does it mean it was a java bug?
Quite probably this is just a Java-based attack, although many attack pages include several attacks. I'll mark this invalid and open it up. Be sure to update Reader as well, since it is a vector for attacks too.
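The triage in this thread comes down to a version check: Java 6 update 15 was exploitable, 6 update 25 was current, Flash was already at 10.3.181.14, a second Java 5.0.12 runtime was still installed, and Reader 7.0.0 was out of date. The following is an added example, not the plugincheck service or any code from the bug, of auditing such a component list against the baselines the comments give. Only the Java and Flash minimums come from the page; the component rows are constructed from the reporter's about:support paste and comments, and anything without a baseline on the page (Reader, NoScript) is reported as "no baseline" rather than given an invented minimum.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum versions named in the triage comment: Java 6 update 25 and Flash 10.3.181.14.
# Reader has no baseline on the page, so it is deliberately absent here.
BASELINES: Dict[str, Version] = {
    "java": (6, 0, 25),
    "flash": (10, 3, 181, 14),
}

# Constructed (name, version, enabled) rows modelled on the reporter's about:support
# paste plus the plugin versions given in the comments; not the page's own list.
SAMPLE_COMPONENTS = [
    ("Java Console", "6.0.15", True),
    ("Java Console", "5.0.12", True),
    ("Shockwave Flash", "10.3.181.14", True),
    ("Adobe Acrobat", "7.0.0", True),
    ("NoScript", "2.1.0.1", False),
]


def parse_version(text: str) -> Version:
    """'10.3.181.14' or '1.6.0_25' -> tuple of ints. Compare tuples, never strings:
    as strings '10.3.181.14' sorts before '10.3.9.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def normalize_java(v: Version) -> Version:
    """Java reports itself as 1.6.0.25 in some places and 6.0.25 in others; use the latter."""
    return v[1:] if len(v) > 1 and v[0] == 1 else v


def family(name: str) -> Optional[str]:
    """Map a plugin/extension display name onto a baseline key (assumed substrings)."""
    n = name.lower()
    if "java" in n:
        return "java"
    if "flash" in n:
        return "flash"
    return None


def audit(components) -> List[dict]:
    """One row per component: current, outdated, or no baseline to judge against."""
    report = []
    for name, version, enabled in components:
        fam = family(name)
        v = parse_version(version)
        if fam == "java":
            v = normalize_java(v)
        if fam is None:
            status, minimum = "no baseline", None
        elif v >= BASELINES[fam]:
            status, minimum = "current", BASELINES[fam]
        else:
            status, minimum = "outdated", BASELINES[fam]
        report.append({"name": name, "version": version, "enabled": enabled,
                       "family": fam, "status": status, "minimum": minimum})
    return report


def duplicate_families(components) -> Dict[str, int]:
    """Families with more than one enabled copy: an old runtime left installed
    beside a patched one is still loadable by a page that asks for it."""
    counts: Dict[str, int] = {}
    for name, _version, enabled in components:
        fam = family(name)
        if fam and enabled:
            counts[fam] = counts.get(fam, 0) + 1
    return {f: c for f, c in counts.items() if c > 1}


if __name__ == "__main__":
    for row in audit(SAMPLE_COMPONENTS):
        print(f'{row["name"]:16} {row["version"]:12} {row["status"]}')
    print("duplicates:", duplicate_families(SAMPLE_COMPONENTS))
```

The numeric tuple comparison is the part people get wrong: a plain string comparison of "10.3.181.14" against "10.3.9.0" declares the newer Flash older, and a check written that way would have waved the reporter's Java through had it been "1.6.0.15" versus "6.0.25".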
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID