lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e1653960704052030l73f07ec1w29f2781f5e237cb3@mail.gmail.com>
Date: Fri, 6 Apr 2007 05:30:50 +0200
From: "Thor Larholm" <larholm@...il.com>
To: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	"WASC Forum" <websecurity@...appsec.org>,
	"webappsec @OWASP" <webappsec@...ts.owasp.org>
Subject: Re: Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug

I have identified a second critical 0day vulnerability in Firebug
which also affects the updated Firebug v1.0.3. The scope is the same,
read/write/execute files.

http://larholm.com/2007/04/06/more-0day-in-firebug/

There's a detailed walkthrough at the above, including a simplistic
POC that verifies whether script was injected into the browser Chrome.
>From there any practical exploit would be similar to all of the older
Firefox browser Chrome exploits.

Joe Hewitt has already responded to the above and my previous post
(http://larholm.com/2007/04/06/0day-vulnerability-in-firebug/),
stating that an updated version of Firebug (1.0.4) should be released
now. Updates are available and should trickle out to Firebug users
through Mozilla's automated update system within the next few days. If
you can't wait for that then go to Tools, Add-ons and click "Find
Updates".

The updated version of Firebug should also prevent any closely related
vulnerabilities as Joe has updated his domplate constructors to
forcefully escape all strings before they are inserted into the
console HTML.


Cheers
Thor Larholm



On 4/4/07, pdp (architect) <pdp.gnucitizen@...glemail.com> wrote:
> http://www.gnucitizen.org/blog/firebug-goes-evil
>
> There is critical vulnerability in Firefox/Firebug which allows
> attackers to inject code inside the browser chrome. This can lead to a
> lot of problems. Theoretically everything is possible, from modifying
> the user file system to launching processes, installing ROOTKITs, you
> name it.
>
> I recommend to disable Firebug for now until the issue is fixed. The
> issues is a bit critical since Firebug is one of the most popular
> extensions for Firefox. Given the fact that a lot of the Firefox users
> are geeks, the chances to have Firebug installed in a random Firefox
> client are quite high.
>
> I wrote two POC to demonstrate the issue. You can find them from the
> page on the top of this message. The first POC runs calc.exe and
> cmd.exe on windows systems. The second POC does a count down from 10
> to 0 and executes calc.exe to prove that automatic execution is
> possible.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ