Mozilla Foundation Security Advisory 2006-52
PAC privilege escalation using Function.prototype.call
- Announced
- July 25, 2006
- Reporter
- moz_bug_r_a4
- Impact
- Moderate
- Products
- Firefox, SeaMonkey
- Fixed in
-
- Firefox 1.5.0.5
- SeaMonkey 1.0.3
Description
moz_bug_r_a4 reports that a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a specially-crafted URL -- easily done since the PAC script controls which proxy to use -- the URL "hostname" can be executed as privileged script.
A malicious proxy server can perform spoofing attacks on the user so it was already important to use a trustworthy PAC server.
Workaround
Disable Proxy AutoConfig (the default setting). If that is impractical ensure that the PAC server and proxy you use are trustworthy and reached over a trusted network. Do not use the WPAD setting if you have a mobile computer that is ever used outside of the trusted network (such as at a WiFi hotspot).
References
-
https://bugzilla.mozilla.org/show_bug.cgi?id=337389
CVE-2006-3808