Sunday, July 27, 2008

XSS-ing Firefox Extensions

[EDIT]: It turns out I fail at testing things on the latest version; see the comments for more details. Sorry about that, Roee.[/EDIT]

Roee Hay recently posted a blog post on the Watchfire blog about an XSS bug in the Tamper Data extension (it was posted much earlier but removed quickly; RSS is fun); however, his assessment of the impact was wrong.

The window still runs in the extension's own context, so executing the following code from the injected script launches an executable:
// Ask XPCOM for a local-file object; Components.classes is only reachable
// from script that runs with extension (chrome) privileges
var file = Components.classes["@mozilla.org/file/local;1"]
               .createInstance(Components.interfaces.nsILocalFile);
// Point the file object at an executable and launch it
file.initWithPath("C:\\WINDOWS\\system32\\cmd.exe");
file.launch();

(Code stolen from http://developer.mozilla.org/en/docs/Code_snippets:Running_applications)

But even then, I had never even heard of the graphing functionality in Tamper Data, and given the need to actually use that functionality on a dodgy page, the chance of anyone getting owned with this seems very small to me.
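The root cause of an extension XSS like this one is untrusted request data (a URL, a header value) being concatenated into markup that the extension then renders inside its own privileged window. The following is an added example, not Tamper Data's code or anything from the post above: it shows the unsafe concatenation pattern beside an escaping version, with a constructed sample entry. The field names (url, header) and the table-row layout are assumptions about what a graph view might record; a real extension should prefer DOM text nodes over string-built HTML altogether.

```javascript
// Added example: unsafe vs. escaped rendering of untrusted request data.
// Not the Tamper Data project's code; entry shape and layout are assumptions.

// Minimal HTML escaper, safe for text content and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: raw concatenation. Anything the remote server put in a header
// (or anything in the URL) lands in the extension window as live markup.
function buildGraphRowUnsafe(entry) {
  return "<tr><td>" + entry.url + "</td><td>" + entry.header + "</td></tr>";
}

// Hardened: every untrusted field is escaped before it enters the markup,
// so the structure of the row is fixed by the template alone.
function buildGraphRowSafe(entry) {
  return "<tr><td>" + escapeHtml(entry.url) +
         "</td><td>" + escapeHtml(entry.header) + "</td></tr>";
}

// Render a whole table from recorded entries using the supplied row builder.
function renderGraphTable(entries, buildRow) {
  return "<table>" + entries.map(buildRow).join("") + "</table>";
}

// Sanity check for the hardened output: the only tags present should be the
// ones the template itself emits, i.e. the tag count must not depend on data.
function countTags(html) {
  return (html.match(/<[^>]+>/g) || []).length;
}

// Crude detector used only to show the difference between the two builders.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data (made-up values): one benign entry and one whose
// Content-Type header carries injected markup.
const sampleEntries = [
  { url: "http://example.test/index", header: "text/html; charset=utf-8" },
  { url: "http://example.test/bad", header: "text/html<script>probe()</script>" },
];

// Tag count of a row built from empty fields: the template's own tags only.
const templateTagCount = countTags(buildGraphRowSafe({ url: "", header: "" }));
```

With the sample data, `renderGraphTable(sampleEntries, buildGraphRowUnsafe)` carries the injected `<script>` tag through to the window, while the escaped builder produces rows whose tag count equals `templateTagCount` for every entry regardless of content. In an extension the better fix is to build rows with `document.createElement` and `createTextNode`, which removes the need for string escaping entirely.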

3 comments:

Anonymous said...

Hey,

Did you get your payload working?

When i first disclosed the vulnerability I actually tried exploiting it with the exact payload, however, Firefox refused to create the nsILocalFile object (I couldn't even elevate privileges using netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect")).

-Roee

Anonymous said...

To be more specific:

Firefox throws "A script from "moz-nullprincipal:{270839df-288d-476b-b8ec-742aab92ffbb}" was denied UniversalXPConnect privileges." for the elevation request and "Error: Permission denied to get property XPCComponents.classes" for the nsILocalFile instantiation.

-Roee

kuza55 said...

Turns out I fail at testing things.

I *did* get the payload working, but since my main computer was out of commission at the time, I had tested it on a computer running without approx. 4 months of patches to Tamper Data + Firefox; having tried the same payload in the latest version of Tamper Data it no longer seems to work.

One thing which seemed different between the old version of Tamper Data where this worked and the new version where this didn't was that the old version seemed to be writing the data directly to an about:blank window, whereas the newer version seems to be using a data: URI window to do something similar (not quite sure how though). I'll have a look at this in more detail when I get some time.