Protection from http://www.securityfocus.com/bid/34235/info
Hello,
can noscript protect from:
http://www.securityfocus.com/bid/34235/info
I tried the proof of concept through a local file but even putting file:// out of whitelist still triggers the bug.
Is there a way to be protected against it?
Thanks,
Riccardo
Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.0.7) Gecko/2009030422 Ubuntu/8.04 (hardy) Firefox/3.0.7
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: Protection from http://www.securityfocus.com/bid/34235/info
Riccardo wrote: Is there a way to be protected against it?
Yes. Don't allow JavaScript on any but trusted sites, and then, only when absolutely necessary.
http://hackademix.net/2009/03/26/lock-d ... e-weekend/
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Protection from http://www.securityfocus.com/bid/34235/info
As I wrote in the article linked by Alan, the crash still happens because the XSLT gets parsed, but it's not exploitable, because with no JavaScript (or other active content) enabled the attacker can't use any of the well-known "heap spray" techniques required to inject the actual malicious code into the random memory area where such a crash makes Firefox's program counter jump.
Furthermore, since a crash is always an annoyance (albeit non-exploitable and notwithstanding session restore), and since other XSLT bugs are likely to be discovered in the future, next NoScript development version (probably out later today) will consider XSLT as active content, blocking XSL stylesheets on untrusted documents and/or from untrusted sources.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Re: Protection from http://www.securityfocus.com/bid/34235/info
Just to point out ...
securityfocus only lists FF3. But FF2 & FF3.1 (aka FF3.5) are vulnerable too.
The (generally acknowledged) bug is Bug 485217: Exploitable crash in [@txMozillaXSLTProcessor::TransformToDoc ]. In actuality (or as it now stands), the actual fix will be what's included (& is already in FF 3.0.8), which is the fix for Bug 485286 (which, for security reasons, is not accessible to most), an alternate fix to 485217.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22pre) Gecko/20090327 SeaMonkey/1.1.16pre
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Protection from http://www.securityfocus.com/bid/34235/info
Thank you Giorgio, I think that consideration will be a worthwhile addition to NoScript. Thanks for your hard work as always.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Protection from http://www.securityfocus.com/bid/34235/info
GµårÐïåñ wrote: Thank you Giorgio, I think that consideration will be a worthwhile addition to NoScript. Thanks for your hard work as always.
XSLT protection is already in the latest development build, and Firefox 3.0.8 should also be on its way, since the update date has been anticipated to today.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Re: Protection from http://www.securityfocus.com/bid/34235/info
Giorgio Maone wrote: XSLT protection
But will it only work if file:// is not allowed?
(Or maybe, will it only work locally if file:// is not allowed?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22pre) Gecko/20090327 SeaMonkey/1.1.16pre
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Protection from http://www.securityfocus.com/bid/34235/info
Giorgio Maone wrote: XSLT protection is already in latest development build, and Firefox 3.0.8 should also be on its way, since the update date has been anticipated to today.
Then, more appropriately, thank you +1
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Protection from http://www.securityfocus.com/bid/34235/info
therube wrote: But will only work if file:// is not allowed?
(Or maybe, will only work locally if file:// is not allowed?)
Cool then, I never have file:// allowed and only give it temporary permission when I am testing something I am working on myself. Thanks.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Protection from http://www.securityfocus.com/bid/34235/info
therube wrote: But will only work if file:// is not allowed?
It will work if the attacker's site is not allowed. In other words, I'm regarding XSLT just as if it were scripting, since XSL has been demonstrated Turing-complete.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Re: Protection from http://www.securityfocus.com/bid/34235/info
EDIT: I guess what I'm saying is that if file:// is allowed, you crash - even with XSLT protection enabled.
(And then maybe I'm not understanding what is supposed to happen, & if you allow file:// <or some malware domain?> then that is to be expected?)
[ i was typing as you were replying, & from the looks of it we are saying the same thing in different ways ]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22pre) Gecko/20090327 SeaMonkey/1.1.16pre
Re: Protection from http://www.securityfocus.com/bid/34235/info
For those wishing to (try?) to crash their browser, another testcase can be found at URL: in this bug,
Bug 460090 - Firefox crashes (segfault) on attempting to view XSL Transform (xml file with linked xsl) [ txMozillaXSLTProcessor::TransformToDoc ]
* So with an unpatched Mozilla & without NoScript 1.9.1.5, you'll crash.
* With an unpatched Mozilla & NoScript 1.9.1.5 & XSLT enabled & launchpadlibrarian allowed, you'll crash.
* With an unpatched Mozilla & NoScript 1.9.1.5 & XSLT enabled & launchpadlibrarian blocked, no crash.
* (And with a patched Mozilla, no crash.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22pre) Gecko/20090327 SeaMonkey/1.1.16pre
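The following is an added example, not NoScript's own code, that models the policy Giorgio describes (XSLT treated as active content, so the transform runs only when both the document's site and the stylesheet's site are whitelisted) and reproduces the outcome table therube posted above. The whitelist entries, the .example hostnames, the sample XML document and the way a "site" is derived from a URL are all assumptions made for illustration; a real XML document is referenced via an `<?xml-stylesheet type="text/xsl" href="..."?>` processing instruction, which is what this code looks for.

```javascript
// Added example (not NoScript's code): a model of the "XSLT is active content"
// policy discussed in this thread. Whitelist, hostnames and sample XML are
// constructed for illustration.

// Matches <?xml-stylesheet ... ?> processing instructions in an XML prologue.
const XSL_PI_RE = /<\?xml-stylesheet\s+([^?]*)\?>/g;

// Extract the attributes (type, href, ...) of every xml-stylesheet PI.
function parseStylesheetPIs(xmlText) {
  const pis = [];
  for (const m of xmlText.matchAll(XSL_PI_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(/(\w+)\s*=\s*"([^"]*)"/g)) attrs[a[1]] = a[2];
    pis.push(attrs);
  }
  return pis;
}

// "Site" used for whitelist decisions: the hostname for network URLs,
// the literal string "file://" for local files (assumed convention).
function siteOf(url, base) {
  const u = new URL(url, base);
  return u.protocol === 'file:' ? 'file://' : u.hostname;
}

// Decide whether an XSL transform linked from docUrl may run.
// With xsltIsActiveContent=false the transform always runs (the behaviour
// before XSLT was put under the whitelist).
function xsltDecision(docUrl, xmlText, whitelist, xsltIsActiveContent = true) {
  const trusted = new Set(whitelist);
  const sheets = parseStylesheetPIs(xmlText).filter(p => p.type === 'text/xsl');
  if (sheets.length === 0) return { transformed: false, reason: 'no XSL stylesheet linked' };
  if (!xsltIsActiveContent) return { transformed: true, reason: 'XSLT not treated as active content' };
  const docSite = siteOf(docUrl);
  if (!trusted.has(docSite)) return { transformed: false, reason: `document site ${docSite} untrusted` };
  for (const s of sheets) {
    const sheetSite = siteOf(s.href, docUrl);   // relative hrefs resolve against the document
    if (!trusted.has(sheetSite)) return { transformed: false, reason: `stylesheet site ${sheetSite} untrusted` };
  }
  return { transformed: true, reason: 'document and stylesheet sites trusted' };
}

// therube's outcome table: on an unpatched build the XSLT engine crashes
// exactly when the transform is allowed to run; a patched build never does.
function wouldCrash(env, docUrl, xmlText, whitelist) {
  if (env.patched) return false;
  return xsltDecision(docUrl, xmlText, whitelist, env.noScriptBlocksXslt).transformed;
}

// Constructed sample: an XML file linking a relative XSL stylesheet.
const SAMPLE_XML =
  '<?xml version="1.0"?>\n' +
  '<?xml-stylesheet type="text/xsl" href="poc.xsl"?>\n' +
  '<root/>';

// Usage: the local-file case from this thread.
console.log(xsltDecision('file:///tmp/poc.xml', SAMPLE_XML, ['file://']));
console.log(xsltDecision('file:///tmp/poc.xml', SAMPLE_XML, []));
```

The decision is two-sided on purpose: a whitelisted document that pulls its stylesheet from an untrusted host is still blocked, which is why Giorgio's answer is "it will work if the attacker's site is not allowed" rather than anything about file:// specifically.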
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Protection from http://www.securityfocus.com/bid/34235/info
Giorgio Maone wrote: It will work if the attacker's site is not allowed. In other words, I'm regarding XSLT just as it was scripting, since XSL has been demonstrated Turing-complete.
Understood.
therube wrote: For those wishing to (try?) to crash their browser, another testcase can be found at URL: in this bug,
Bug 460090 - Firefox crashes (segfault) on attempting to view XSL Transform (xml file with linked xsl) [ txMozillaXSLTProcessor::TransformToDoc ]
* So with an unpatched Mozilla & without NoScript 1.9.1.5, you'll crash.
* With an unpatched Mozilla & NoScript 1.9.1.5 & XSLT enabled & launchpadlibrarian allowed, you'll crash.
* With an unpatched Mozilla & NoScript 1.9.1.5 & XSLT enabled & launchpadlibrarian blocked, no crash.
* (And with a patched Mozilla, no crash.)
Checked there and the dev build is holding its ground. As long as it's not allowed, the crash is a no go. Thanks for the test case, and thanks Giorgio.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Re: Protection from http://www.securityfocus.com/bid/34235/info
Here is the report (now visible, earlier it was not) of the bug which was actually implemented as the fix: Bug 485286 - XSLT should heap allocate all evalContexts.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090327 SeaMonkey/2.0b1pre
Re: Protection from http://www.securityfocus.com/bid/34235/info
Thanks for the feedback; I saw the browser crashing so I suspected I could be vulnerable but it was not the case.
As usual noScript rocks, thanks Giorgio
Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.04 (hardy) Firefox/3.0.8