[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4A920BE4.10901@security-assessment.com>
Date: Mon, 24 Aug 2009 15:41:24 +1200
From: Nick Freeman <nick.freeman@...urity-assessment.com>
To: full-disclosure@...ts.grok.org.uk
Subject: WizzRSS Firefox Extension - Privileged Code
Injection
( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
WizzRSS Firefox Extension Code Injection Vulnerability
Versions affected: WizzRSS Reader < 3.1.0.0
WizzRSS Reader Lite < 3.0.0.9b
+-----------+
|Description|
+-----------+
The WizzRSS Firefox extension will generate a preview
of any RSS item, from feeds you have currently
subscribed to.
Security-Assessment.com discovered that WizzRSS is
vulnerable to multiple injection vulnerabilities which
can be exploited through a malicious RSS feed.
Cross-Site Scripting and HTML injection
vulnerabilities were discovered within the RSS
<description> tags of subscribed feeds.
WizzRSS directly evaluates remotely supplied content,
within the privileged chrome context. This occurs when
a user hovers over a feed item in the WizzRSS sidebar,
rendering a preview of the feed item at the bottom of
the sidebar. This can allow a remote feed to exploit
users browsing it, and may lead to the complete
compromise of the host.
+------------+
|Exploitation|
+------------+
This vulnerability can be exploited in several ways.
As the injection point is in the chrome privileged
browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
or modify other Firefox extensions.
+--------+
|Solution|
+--------+
Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on February 18,
2009, and a response was received on the same day. A
fix was released on March 20, 2009.
The vendor supplied patch is available
from Mozilla (https://addons.mozilla.org/en-US/firefox/addon/424)
or from the developer’s personal website,
http://www.wizzrss.com.
+------+
|Credit|
+------+
Discovered and advised to the WizzRSS developer
February 2009 by Nick Freeman of
Security-Assessment.com.
Contact: Nick Freeman \\AT\\ security-assess\m/ent.com
Personal Page: http://atta.cked.me
For full details regarding this vulnerability
(including a detailed proof of concept exploit)
download the PDF from our website:
http://security-assessment.com/files/advisories/WizzRSS_Firefox_Extension_Privileged_Code_Injection.pdf
For more details regarding exploitation of Firefox
extensions, refer to our DEFCON 17 presentation at
http://security-assessment.com/files/presentations/liverani_freeman_abusing_firefox_extensions_defcon17.pdf.
Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists