Mozilla Foundation Security Advisory 2006-52

PAC privilege escalation using Function.prototype.call

Announced
July 25, 2006
Reporter
moz_bug_r_a4
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 1.5.0.5
  • SeaMonkey 1.0.3

Description

moz_bug_r_a4 reports that a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a specially-crafted URL -- easily done since the PAC script controls which proxy to use -- the URL "hostname" can be executed as privileged script.

A malicious proxy server can perform spoofing attacks on the user so it was already important to use a trustworthy PAC server.

Workaround

Disable Proxy AutoConfig (the default setting). If that is impractical ensure that the PAC server and proxy you use are trustworthy and reached over a trusted network. Do not use the WPAD setting if you have a mobile computer that is ever used outside of the trusted network (such as at a WiFi hotspot).

References