Firefox exploit found in the wild

Daniel Veditz

Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for Remmina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload.

The exploit leaves no trace on the local machine that it has been run. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.
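Because the exploit leaves nothing behind on disk, the practical response is to work out which of the targeted files actually exist on your machine and rotate whatever credentials they hold. The script below is an added example (not Mozilla’s code and not part of the original post) that walks a home directory and reports every file matching the Linux target list given above. The directory names for Remmina, FileZilla and Psi+ settings, and the reading of “text files with pass or access in the names” as `.txt` files, are assumptions; the sample home directory it builds is constructed for demonstration only.

```python
"""
Inventory the local files that the August 2015 Firefox/PDF Viewer payload
collected on Linux, so a user knows which credentials to rotate.
Added example, not Mozilla's code.  File patterns follow the blog post;
the settings-directory paths are assumptions about typical installs.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Exact file names the post says the payload took from each readable home dir.
EXACT_NAMES = {".bash_history", ".mysql_history", ".pgsql_history"}

# Directories whose whole contents matter (.ssh config and keys, plus the
# FileZilla / Remmina / Psi+ settings dirs; the latter paths are assumptions).
SENSITIVE_DIRS = {".ssh", ".filezilla", ".remmina", ".config/remmina", ".config/psi+"}

# Name patterns: text files with "pass" or "access" in the name (assumed to
# mean *.txt) and any shell script.
NAME_PATTERNS = [
    re.compile(r"(pass|access).*\.txt$", re.IGNORECASE),
    re.compile(r"\.sh$", re.IGNORECASE),
]


def classify(rel_path: str) -> Optional[str]:
    """Return why `rel_path` (relative to the home dir, '/'-separated) is a
    target of the payload, or None if it is not."""
    name = Path(rel_path).name
    if name in EXACT_NAMES:
        return "shell/database history"
    for d in sorted(SENSITIVE_DIRS):
        if rel_path == d or rel_path.startswith(d + "/"):
            return f"settings/keys under {d}"
    for pat in NAME_PATTERNS:
        if pat.search(name):
            return f"name matches {pat.pattern}"
    return None


def inventory(home: str) -> List[Tuple[str, str]]:
    """Walk `home` and list (relative path, reason) for every targeted file."""
    found = []
    for root, _dirs, files in os.walk(home):
        for fname in files:
            rel = os.path.relpath(os.path.join(root, fname), home).replace(os.sep, "/")
            reason = classify(rel)
            if reason:
                found.append((rel, reason))
    return sorted(found)


def make_demo_home() -> str:
    """Build a throwaway home directory with constructed sample files
    (none of the contents are real secrets)."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    sample = {
        ".bash_history": "ls\n",
        ".ssh/id_rsa": "-----BEGIN CONSTRUCTED SAMPLE KEY-----\n",
        ".ssh/config": "Host example\n",
        ".filezilla/sitemanager.xml": "<FileZilla3/>\n",
        "notes/passwords.txt": "sample\n",
        "bin/backup.sh": "#!/bin/sh\n",
        "photos/holiday.jpg": "",
        "README.md": "nothing sensitive\n",
    }
    for rel, content in sample.items():
        path = Path(home, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return home


if __name__ == "__main__":
    # Run against the constructed directory; pass os.path.expanduser("~")
    # instead to check a real account.
    for rel, why in inventory(make_demo_home()):
        print(f"{rel:35} {why}")
```

On the constructed directory this reports the history file, both `.ssh` entries, the FileZilla site manager, `notes/passwords.txt` and `bin/backup.sh`, and ignores the photo and the README. Each reported path is a credential or key to consider rotating, since the payload uploaded file contents rather than just names.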

23 responses

  1. Olivier wrote on :

    – Mozilla: “Disable Flash, it has so many security flaws!”
    – Me: “Uninstall Firefox, it has so many security flaws!”

    1. Cadeyrn wrote on :

      There is no browser without security flaws. What is important is how fast Mozilla (and other browser developers) provide updates and communicate the security flaws.

      Thanks Mozilla.

      1. Olivier wrote on :

        Same regarding Flash.

        Thanks Adobe.

        1. Dolfje wrote on :

          Though Mozilla is releasing and communicating a little bit faster than Adobe. (1 day vs 2 weeks)

          1. Jeff wrote on :

            Adobe released their patch 2 days after the last major exploit was discovered.

            Lying and saying “2 weeks” is a bit libelous, especially over a topic as serious as this.

        2. Anon wrote on :

          Flash? Are you an archaeologist? 😀

          1. Andrea Giammarchi wrote on :

            haha, came here for this: not disappointed!

    2. Barry Allen wrote on :

      Olivier: “Uninstall Firefox, it has so many security flaws!”
      Me: “Don’t use computers, they have so many security flaws!”

  2. Vasya wrote on :

    Hi!
    What was the news site where the exploit was shared? I want to estimate my risks.

    1. Sergei wrote on :

      Since that was an ad that contained the exploit, it could be on any news site and elsewhere. Consider the worst case scenario: your data leaked. Change passwords as recommended.

  3. Alexey wrote on :

    Hello.
    Please publish the site address as soon as possible!

  4. Jonathan wrote on :

    If the files are stored on an encrypted drive, would the exploit pull obfuscated data or human readable data?

    1. ernesto wrote on :

      If the drive is “mounted”/opened (if you have entered the password), that is if the files are accessible e.g. in the Windows Explorer, then human readable data would be uploaded. (Otherwise the files couldn’t be found at all.)

  5. Oliver wrote on :

    Let’s make it an opportunity to remind you people that, while Firefox won’t store your passwords in plain text, plenty of other programs will, such as Filezilla (the “and site configuration files from eight different popular FTP clients” reminded me of it).

  6. Jonas Lejon wrote on :

    Is the Tor Browser Bundle vulnerable?

    1. Khannie wrote on :

      Very interested in this.

      Also I would like to know how the user discovered that the exploit was being run.

      Lastly I would like to know how the exploit worked.

      Thank you.

  7. Keanzu wrote on :

    Thanks for the fix, I’ll be sticking with Firefox.

  8. Marcello Romani wrote on :

    For me the takeaway from this is: download PDFs to disk and open them with a “normal” PDF viewer program.

  9. Ollie wrote on :

    Could you share some unique strings transferred over the network by this attack? (E.g. from the js code.)

    This way people who have a pcap record of their network traffic could determine whether they were targeted.

    (I’m assuming here that the data extractor encodes the payload somehow, so looking for my passwords in the pcap won’t help.)

  10. myf wrote on :

    Could that exploit have worked even with `pdfjs.disabled;true`?

  11. horst wrote on :

    Am I affected by this if I set firefox to “always ask” for PDF files?

  12. VVSite wrote on :

    Why don’t you publish the name of this news site? I can’t check my browser history, and the instruction to change all my passwords drives me crazy >:(

  13. alp wrote on :

    Can you point to commits fixing this issue? Is it https://github.com/mozilla/pdf.js/commit/4f3f983a214867011dda8c5597a4d3523c5f1423 or something else? I’d like to try porting it to ESR 24….
