Mozilla Patches Zero-Day in Firefox Browser

Mozilla has patched a zero-day flaw that would allow attackers to search for sensitive files and upload them to a server.

The company found a working exploit for the vulnerability, which used an advertisement on a news site in Russia to compromise visitors, uploading information to a service in Ukraine. All Firefox users regardless of location are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable.

The flaw doesn’t enable the execution of arbitrary code, but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

“The files it was looking for were surprisingly developer-focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed,” said Mozilla researcher Daniel Veditz.

Specifically, on Windows the exploit looked for Subversion, S3 Browser and FileZilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files and then, in every user directory it can access, looks for configuration files and keys, configuration files for Remmina, FileZilla and Psi+, text files with “pass” or “access” in their names, and any shell scripts.

Some variants have a Mac section, looking for much the same kinds of files as on Linux.

“The exploit leaves no trace it has been run on the local machine,” Veditz added. “If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.”
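Because the exploit leaves no trace, the practical response is to find out which of the listed files exist on a host and rotate the credentials they hold. The following triage script is an added example written for this article, not Mozilla's code or part of the exploit: it classifies file paths against the categories named above and can walk a real home directory. The directory and file names it matches on (`.subversion`, `filezilla`, `.purple`, `psi+`, `remmina`, `s3browser`) are assumptions about where those programs keep their configuration, the unnamed "eight popular FTP clients" are not covered, and the `SAMPLE` path list is constructed for demonstration.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed rules covering the file categories the article lists. The
# directory and file names are assumptions about where each program keeps
# its configuration; tune them for your own hosts.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("Subversion configuration", re.compile(r"(^|/)\.?subversion/", re.I)),
    ("FileZilla configuration", re.compile(r"(^|/)\.?filezilla/", re.I)),
    ("S3 Browser configuration", re.compile(r"(^|/)s3browser/", re.I)),
    ("Pidgin (.purple) account data", re.compile(r"(^|/)\.purple/", re.I)),
    ("Psi+ account data", re.compile(r"(^|/)\.?psi\+/", re.I)),
    ("Remmina configuration", re.compile(r"(^|/)\.?remmina/", re.I)),
    ("text file with 'pass' in its name", re.compile(r"(^|/)[^/]*pass[^/]*\.txt$", re.I)),
    ("text file with 'access' in its name", re.compile(r"(^|/)[^/]*access[^/]*\.txt$", re.I)),
    ("shell script", re.compile(r"\.sh$", re.I)),
]

# Constructed sample paths (a mix of Linux and Windows forms) used when the
# script is run without a directory argument.
SAMPLE: List[str] = [
    "/home/alice/.subversion/auth/svn.simple/0123abcd",
    "/home/alice/.config/filezilla/sitemanager.xml",
    "/home/alice/notes/passwords.txt",
    "/home/alice/bin/deploy.sh",
    "/home/alice/Documents/report.docx",
    "C:\\Users\\alice\\AppData\\Roaming\\.purple\\accounts.xml",
    "/home/alice/.remmina/remmina.pref",
]


def classify(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group file paths by the rule they match.

    Paths may use either separator; matching is done on a forward-slash form,
    but the original string is returned so it can be acted on directly.
    Paths matching no rule are dropped; a path can land in several groups.
    """
    hits: Dict[str, List[str]] = {}
    for path in paths:
        normalised = path.replace("\\", "/")
        for label, pattern in RULES:
            if pattern.search(normalised):
                hits.setdefault(label, []).append(path)
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree on the local host and classify every file in it."""
    found: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            found.append(os.path.join(dirpath, name))
    return classify(found)


def report(hits: Dict[str, List[str]]) -> str:
    """Render the classification as a rotation checklist, one category per block."""
    lines: List[str] = []
    for label in sorted(hits):
        lines.append(f"{label}:")
        for path in sorted(hits[label]):
            lines.append(f"  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys

    # With an argument, scan that tree; otherwise show the constructed sample.
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE)
    print(report(hits) or "no candidate files found")
```

Run it as `python triage.py ~` on a Linux or Windows user profile; every path it prints is a credential store the article says to treat as exposed, so the output doubles as the list of passwords and keys to change. The rules are deliberately path-based rather than content-based so the script never opens or copies the files themselves.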