---------------------------------------------------------------------------
Title: Setting arbitrary Personas without user interaction in Firefox 3.6
Product: Mozilla Firefox
Version: 3.6
PoC: http://wtikay.com/personas/
By: Artur Janc
Date: 01/26/2010
---------------------------------------------------------------------------
1. OVERVIEW
The recent release of Firefox 3.6 introduces support for browser "Personas"
-- lightweight image-based themes which alter the look and feel of the
browser chrome.

A malicious website can set a user's Persona to an arbitrary theme, disable
Undo functionality in the browser's information bar, and obfuscate the
Persona entry in the Themes pane of the Tools | Add-ons pane to make the
detection and deletion of a rogue theme somewhat more difficult.
2. DETAILS
2.1. Behavior
The ability to install or preview Personas is controlled by the same Allowed
Sites whitelist as for installing Firefox extensions. However, contrary to
the extensions installation process, setting Personas does *not* require the
user's explicit agreement (for example the post-upgrade "firstrun" page
previews featured Personas on hover). To give users control of the currently
set Persona, Firefox displays an information bar with "Undo" and
"Manage Themes" buttons upon any Persona-related action (preview or
installation).
2.2. Vulnerability Description
Any XSS vulnerability in one of the two hosts whitelisted by default
(getpersonas.com and addons.mozilla.org) will allow the attacker to install
and activate an arbitrary Persona using a JavaScript event with a properly
specified DOM element as an argument, without prompting the user.

The PoC uses XSS in http://www.getpersonas.com/en-US/gallery/Designer/XXX

Setting the same rogue theme twice in quick succession will render the Undo
button useless, as the "previous" theme will be the same as the last one set
by the attacker.

The user will be able to click "Manage Themes" on the information bar to
view installed themes. However, all pieces of Persona-related information
shown in the list are controlled by the attacker, so nothing prohibits the
attacker from calling her theme "Default", setting the author to
"Mozilla Corp." and setting an innocuous icon and "preview" image to
resemble the default Firefox theme.

The same Persona can be installed with multiple IDs to introduce clutter in
the menu and make detecting the rogue Persona and cleaning up the list more
painful.
2.3. Proof of Concept
http://wtikay.com/personas/
http://wtikay.com/personas/persona-non-grata.js
3. IMPACT
This issue might cause some inconvenience to users whose browsers' UI
suddenly starts showing intrusive ads or pornography, or becomes completely
garbled (see PoC), especially those not savvy enough to figure out which of
the installed Personas is causing the problem. Another, more surreptitious
and troubling possibility is to install a Persona indistinguishable from the
default theme (i.e. transparent image) and use a custom updateURL argument
to get the victim's browser to periodically phone home to the attacker's
webserver, potentially enabling some level of user tracking.
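The following is an added example, not part of the original advisory or of
Mozilla's code: a small audit over exported Persona records that flags the
signs described in sections 2.2 and 3 (off-whitelist updateURL, spoofed
"Default" / "Mozilla Corp." labels, one image under several IDs). The field
names other than updateURL, the trusted-host policy and the sample records
are assumptions made for illustration.

```javascript
// Added example. Record field names (id, name, author, headerURL) are assumed.
// Assumption: legitimate Personas update only from the default whitelisted hosts.
const TRUSTED_HOSTS = ["getpersonas.com", "addons.mozilla.org"];
const SPOOFED_LABELS = ["default", "mozilla corp."]; // labels named in section 2.2

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Exact host or a subdomain of it; "getpersonas.com.other.example" does not match.
const isTrusted = (h) => h !== null && TRUSTED_HOSTS.some((t) => h === t || h.endsWith("." + t));

function auditPersonas(personas) {
  const findings = [];
  const idsByImage = new Map();
  for (const p of personas) {
    // Section 3: a custom updateURL makes the browser poll a third-party server.
    if (p.updateURL && !isTrusted(hostOf(p.updateURL))) {
      findings.push({ id: p.id, issue: "untrusted-update-url", detail: p.updateURL });
    }
    // Section 2.2: name and author are set by whoever installed the Persona.
    for (const field of ["name", "author"]) {
      const value = String(p[field] || "").trim().toLowerCase();
      if (SPOOFED_LABELS.includes(value)) {
        findings.push({ id: p.id, issue: "spoofed-" + field, detail: p[field] });
      }
    }
    // Section 2.2: remember which IDs share an image to spot clutter installs.
    const ids = idsByImage.get(p.headerURL) || [];
    ids.push(p.id);
    idsByImage.set(p.headerURL, ids);
  }
  for (const [image, ids] of idsByImage) {
    if (image && ids.length > 1) {
      findings.push({ id: ids.join(","), issue: "duplicate-image", detail: image });
    }
  }
  return findings;
}

// Constructed sample records (not taken from the PoC).
const SAMPLE = [
  { id: "1001", name: "Default", author: "Mozilla Corp.",
    headerURL: "http://tracker.example/blank.png", updateURL: "http://tracker.example/u?id=1001" },
  { id: "1002", name: "Default", author: "Mozilla Corp.",
    headerURL: "http://tracker.example/blank.png", updateURL: "http://tracker.example/u?id=1002" },
  { id: "2001", name: "Blue Sky", author: "someone",
    headerURL: "http://www.getpersonas.com/constructed/2001.jpg", updateURL: "http://www.getpersonas.com/constructed/2001" },
];
```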
4. FIX
To ensure that Personas cannot be automatically set by malicious websites,
Firefox should follow the model it adopted with browser extensions and
prompt the user before installing any new Persona. In the absence of such a
fix, it is necessary to audit all whitelisted Mozilla hosts for XSS
vulnerabilities (probably a good idea anyway) and hope that site updates
don't introduce any new ones.
5. DISCLOSURE
Since the immediate workaround for this problem is to patch XSS
vulnerabilities on Mozilla webservers, which doesn't require pushing
client-side updates, Mozilla is notified by receiving a copy of this report.