Browser Focus RIP
There was a discussion on Full-disclosure and Bugtraq about a very peculiar vulnerability in Internet Explorer and Mozilla Firefox which can be used by attackers to trick victims into uploading local files.
It was Michal Zalewski who brought this subject back on the table. The vulnerability he described is not new. In fact, it is a variation of an issues discovered back in 2000. The peculiar thing about it is that it was reported to Mozilla’s Bugzilla back then but never fixed.
If you read about what Michal’s exploit does, you can easily get lost, so I will try to explain the issue as clearly as I can and provide you with some examples of how it can be used in real attacks.
The only component in the DOM (Document Object Model) that allows us to send locally selected files to a remote location is the file input box, usually declared as
<input type="file"/>. This is not a standard input field because it has a browse button that is attached at the end and also because, once inside a
However, by using a clever focus diversion tricks, attackers can make certain characters, that the victim typed, to leak inside the file input field. They can achieve that by using a filter that allows and disallows keyboard events based on the key code order in the file path string that needs to be retrieved.
In simple words, when the user types characters inside some text field, they are actually typing them inside a file input box, which filters out the unnecessary characters in order to compose the desired string. Everything else, is totally emulated, so the user thinks they are typing in the right place not knowing what is actually happening. The following text translates to
/etc/shadow, which can be used to steal that particular file:
Bob! Check this out http://www.example.com. this is very cool: http://www.someserver.com. hei man, do you still need that wonderful CD I gave you long time ago?
You probably think that I am mad! Now, have a look at the following text, which shows all key characters that are required to build the file string.
Bob! Check this out http:
[t]his is very
[do]you still need that
[w]onderful CD I gave you long time ago?
Black magic! The filter removes the parts that are not required and only the characters that are needed are passed into the input field.
In some situations the user doesn’t need to type that much text at all. They can be tricked into typing the desired string in a much clever way. For example, the following sequence of characters composes the
b/etlc/shradow. It is not obvious that this 14 character long string corresponds to the 11 character long
/etc/shadow path. Still, the question is how the attacker can force the victim to type these characters inside the page. Well, attackers need to be creative in this case. Check this two examples: