Tekr - Firefox Exploit Found in The Wild
10-08-2015, 17:14
#1
Tekr - Firefox Exploit Found in The Wild
Tekr wrote: A major vulnerability discovered by Mozilla lurking in an advertisement shown by a Russian news site could steal your files and upload them to a Ukrainian server without you ever knowing. The flaw exploits Firefox’s PDF viewer and the JavaScript context to inject a script that can search for and upload local files. All you need to do is load the page with the exploit and it’ll silently steal files in the background.

Let’s just start off by saying that this vulnerability was fixed in the latest version of Mozilla Firefox. If you have updated recently, you’re safe. But if you haven’t, you should ASAP.

As said in the introduction, this vulnerability has to do with Firefox’s PDF viewer. The vulnerability comes from the interaction of Firefox’s mechanism to enforce JavaScript. Mozilla products that don’t contain the PDF viewer, such as the Android Firefox Browser, are not vulnerable to this exploit. The vulnerability does not include any execution of arbitrary code, but it was able to inject JavaScript into the local file context, which allowed it to upload potentially sensitive local data files.

Surprisingly, most of the files it searches for are developer-type files, such as Windows FTP configuration files, subversion, .purple and account information. On Linux the exploit goes for more global files, such as /etc/password, then in all user directories it searches for files such as .bash_history, .mysql_history, .pgsql_history, .ssh, configuration files for Remmina, and other keys. Mac users aren’t specifically targeted by these attacks, but it was found they are still vulnerable.

The exploit is theoretically impossible to trace as it is run on the local machine. But the good news is the attack doesn’t seem to be widespread right now, and has only been found on a Russian ad network. If you use Firefox on Windows or Linux, we would suggest changing your keys and passwords for the files mentioned above. Firefox users who use adblocking software should be safe from this, as it will block the ads trying to exploit this vulnerability, but you should still update just to be safe.

All versions of Firefox are affected and Mozilla says that to protect against the exploit you should update to version 39.0.3 right now. Enterprise users can patch to 38.1.1.
http://tekr.net/firefox-exploit-found-in-the-wild/
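Added example, not part of the thread or the quoted article: a small local audit that checks a Firefox version string against the fixed builds named above (39.0.3, ESR 38.1.1) and lists which of the per-user Linux files from the article exist under a home directory, so you know which credentials to rotate. The function names are hypothetical, the caller is assumed to know whether the build is ESR, and the demo runs against a constructed sample directory.

```python
import os
import re
import tempfile

# Fixed builds named in the quoted article.
FIXED_RELEASE = (39, 0, 3)
FIXED_ESR = (38, 1, 1)
# Per-user Linux paths the article lists (names exactly as quoted there).
USER_TARGETS = (".bash_history", ".mysql_history", ".pgsql_history", ".ssh")


def is_patched(version, esr=False):
    """True if a dotted version string is at or above the fixed build."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))  # "39.0" is treated as 39.0.0
    return tuple(parts) >= (FIXED_ESR if esr else FIXED_RELEASE)


def exposed_files(home):
    """Files under `home` that match the article's list, relative to `home`."""
    found = []
    for name in USER_TARGETS:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            found.append(name)
        elif os.path.isdir(path):  # report every file inside .ssh
            for root, _dirs, files in os.walk(path):
                found += [os.path.relpath(os.path.join(root, f), home)
                          for f in files]
    return sorted(found)


def make_sample_home(base):
    """Constructed sample home directory, used only for the demo."""
    os.makedirs(os.path.join(base, ".ssh"))
    for rel in (".bash_history", ".ssh/id_rsa", ".ssh/config", "notes.txt"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("constructed sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = make_sample_home(tmp)
        for ver, esr in (("39.0", False), ("38.1.1esr", True)):
            print(ver, "patched" if is_patched(ver, esr) else "UPDATE NEEDED")
        print("rotate credentials in:", exposed_files(home))
```

Being on a patched build now does not clear the file list: anything it reports was readable while an older build was in use.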
10-08-2015, 19:49
#2
RE: Tekr - Firefox Exploit Found in The Wild
And that is why Google has an agreement with Adobe about their PDF reader in Chrome ;)
yolo
10-08-2015, 22:59
#3
RE: Tekr - Firefox Exploit Found in The Wild
(10-08-2015, 19:49) Ash wrote: And that is why Google has an agreement with Adobe about their PDF reader in Chrome ;)

It's not as if Adobe Reader is particularly secure either :)
10-08-2015, 23:00
#4
RE: Tekr - Firefox Exploit Found in The Wild
(10-08-2015, 22:59) Doctor Blue wrote: It's not as if Adobe Reader is particularly secure either :)

Adobe Reader nope.. Chrome's Adobe Reader yes!
yolo
10-08-2015, 23:31
#5
RE: Tekr - Firefox Exploit Found in The Wild
http://paste.ubuntu.com/12030863/

It would have been obvious to search for e.g. wallet.dat and the like.
11-08-2015, 00:16
#6
RE: Tekr - Firefox Exploit Found in The Wild
(10-08-2015, 23:31) MalcolmXI wrote: http://paste.ubuntu.com/12030863/

It would have been obvious to search for e.g. wallet.dat and the like.

Yes, you would think so. There is hardly any malware left that doesn't do that.
11-08-2015, 10:35
#7
RE: Tekr - Firefox Exploit Found in The Wild
(11-08-2015, 09:52) idkfa wrote: Chrome ships with pdfium as the default built-in PDF reader. And it was definitely not developed by Adobe. It is a collaboration between Google and the Foxit team. Can you elaborate on what you mean?

Ah, they may well have switched. I know at least that it was powered by Adobe at one point.
yolo
11-08-2015, 14:45
#8
RE: Tekr - Firefox Exploit Found in The Wild
Ash got rekt. RIP.
11-08-2015, 16:36
#9
RE: Tekr - Firefox Exploit Found in The Wild
(11-08-2015, 14:45) Malmoc wrote: Ash got rekt. RIP.

It could also be that I just had an Adobe PDF reader plugin, but I'm sure they had an agreement with Adobe.. But that was probably a long time ago, because it used to say powered by Adobe (or something like that).
yolo