PAC privilege escalation using Function.prototype.call
- July 25, 2006
- Firefox, SeaMonkey
- Fixed in
- Firefox 18.104.22.168
- SeaMonkey 1.0.3
moz_bug_r_a4 reports that a malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. By redirecting the victim to a specially-crafted URL -- easily done since the PAC script controls which proxy to use -- the URL "hostname" can be executed as privileged script.
A malicious proxy server can perform spoofing attacks on the user so it was already important to use a trustworthy PAC server.
Disable Proxy AutoConfig (the default setting). If that is impractical ensure that the PAC server and proxy you use are trustworthy and reached over a trusted network. Do not use the WPAD setting if you have a mobile computer that is ever used outside of the trusted network (such as at a WiFi hotspot).