On Mon, May 11, 2009 at 11:03 PM, Anurag <anurag@gnuer.org> wrote:
From what I understand of Mozilla's JavaScript engine, it runs inside a sandbox and has no permission to do anything with the operating system. JavaScript code wouldn't be able to automagically download files and set chmod bits.
Not the JavaScript engine as such, but the extensions surely can do a lot of things like uploading/downloading files. Don't know if they can chmod stuff though.
But chmod is not really necessary actually. I shot my mouth off (more my fingers than mouth actually ;) ) in the earlier email but I remember someone blogging about launchers being used to overcome the execute barrier. One could "execute" a launcher without it requiring execute permissions. In fact, it cannot be too difficult to do the following:
1) Get the user to download the launcher
2) Double-click on the launcher, which could make some change in the menu list such that one of the administrative tasks is modified with my little trojan launcher
3) When the user launches the "infected" administrative task, he is prompted for the sudo/su password, which he happily enters
4) Pwned!
I can't seem to find the blog post off-hand, I think someone at work had pointed us to it. Will post the link when I find it.
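A defender-side check for the menu tampering described above, added here as an example and not part of the thread: it lists per-user .desktop launchers that shadow a system launcher of the same filename but run a different Exec= command. It assumes the freedesktop layout where ~/.local/share/applications overrides /usr/share/applications; the sample entries are constructed.

```python
import tempfile
from pathlib import Path

# Added example, not from the mailing-list thread. Detects user-level .desktop
# launchers that shadow a system launcher of the same name with a different
# Exec= line. Assumes the freedesktop menu spec, where entries under
# ~/.local/share/applications take precedence over /usr/share/applications.

def exec_line(path):
    """Return the first Exec= value of a .desktop file, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.startswith("Exec="):
                return line[len("Exec="):].strip()
    return None

def shadowed_launchers(user_dir, system_dir):
    """Return (name, user_exec, system_exec) for every user entry that overrides
    a system entry of the same filename but launches a different command."""
    findings = []
    user_dir, system_dir = Path(user_dir), Path(system_dir)
    for user_entry in sorted(user_dir.glob("*.desktop")):
        system_entry = system_dir / user_entry.name
        if not system_entry.is_file():
            continue  # no system counterpart, so nothing is being shadowed
        u_exec, s_exec = exec_line(user_entry), exec_line(system_entry)
        if u_exec != s_exec:
            findings.append((user_entry.name, u_exec, s_exec))
    return findings

def demo():
    """Build a constructed directory tree and run the check; returns findings."""
    root = Path(tempfile.mkdtemp())
    sys_dir = root / "usr/share/applications"
    usr_dir = root / "home/.local/share/applications"
    sys_dir.mkdir(parents=True)
    usr_dir.mkdir(parents=True)
    # Constructed system launcher for an administrative task.
    (sys_dir / "users-admin.desktop").write_text(
        "[Desktop Entry]\nName=Users\nExec=users-admin\n")
    # Constructed user-level override: same filename, Exec now points into $HOME.
    (usr_dir / "users-admin.desktop").write_text(
        "[Desktop Entry]\nName=Users\nExec=/home/user/Downloads/launcher\n")
    # Constructed benign user entry with no system counterpart.
    (usr_dir / "notes.desktop").write_text("[Desktop Entry]\nName=Notes\nExec=notes\n")
    return shadowed_launchers(usr_dir, sys_dir)

if __name__ == "__main__":
    for name, u_exec, s_exec in demo():
        print(f"{name}: user Exec={u_exec!r} overrides system Exec={s_exec!r}")
```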