FireBug Cross-Site Script Execution Vulnerability

Vulnerability ID: 1191104
Vulnerability type: Access validation error
Published: 2007-04-05
Updated: 2007-04-12
CVE ID: CVE-2007-1878
CNNVD ID: CNNVD-200704-082
Platform: N/A
CVSS score: 6.8
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2007040032
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-082
|Vulnerability Details
FireBug is a very useful JavaScript and DOM inspection and debugging tool, implemented as a Firefox extension. Firebug's handling of script code contains an implementation flaw that a remote attacker could exploit to execute malicious script code on the user's machine.

In the browser, remote scripts are confined to a sandbox: any URL with an http: or https: prefix is treated as untrusted and restricted. Browser extensions use the chrome: protocol, which is not subject to any restrictions, so browser extensions are fully trusted. If a remote script tricks the browser into evaluating a JavaScript expression in the chrome: context, that script gains complete control over the browser chrome and the operating system, because command execution and read/write file access are all permitted there.

To make Firebug execute a cross-site script, the following expression can be used:

    console.log({'':'exploit'})

If this JavaScript expression is embedded in a page and the page is opened in a browser with Firebug installed, the user receives an alert window; at that point the attacker can inject the following function into the browser chrome (the same code as on the original page, with its whitespace restored):

    // Runs an executable at path f with the remaining arguments, using the
    // privileged XPCOM nsILocalFile and nsIProcess interfaces of the chrome context.
    function runFile(f) {
        var file = Components.classes["@mozilla.org/file/local;1"]
            .createInstance(Components.interfaces.nsILocalFile);
        file.initWithPath(f);
        var process = Components.classes["@mozilla.org/process/util;1"]
            .createInstance(Components.interfaces.nsIProcess);
        process.init(file);
        var argv = Array.prototype.slice.call(arguments, 1);
        process.run(true, argv, argv.length);
    }

The runFile function allows arbitrary files to be executed. Once the function is declared in the browser chrome, the attacker can call console.log repeatedly to create arbitrary files, silently install browser extensions, and read and write files.
|Vulnerability Exploit
http://www.gnucitizen.org/blog/firebug-goes-evil

There is a critical vulnerability in Firefox/Firebug which allows
attackers to inject code inside the browser chrome. This can lead to a
lot of problems. Theoretically everything is possible, from modifying
the user file system to launching processes, installing ROOTKITs, you
name it.

I recommend disabling Firebug for now until the issue is fixed. The
issue is a bit critical since Firebug is one of the most popular
extensions for Firefox. Given the fact that a lot of the Firefox users
are geeks, the chances to have Firebug installed in a random Firefox
client are quite high.

I wrote two POCs to demonstrate the issue. You can find them on the
page at the top of this message. The first POC runs calc.exe and
cmd.exe on Windows systems. The second POC does a countdown from 10
to 0 and executes calc.exe to prove that automatic execution is
possible.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
|References

Source: www.getfirebug.com
Link: http://www.getfirebug.com/blog/2007/04/04/security-update/
Source: XF
Name: firefox-firebug-console-security-bypass (33451)
Link: http://xforce.iss.net/xforce/xfdb/33451
Source: BID
Name: 23315
Link: http://www.securityfocus.com/bid/23315
Source: BUGTRAQ
Name: 20070404 Re: [WEB SECURITY] Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug
Link: http://www.securityfocus.com/archive/1/archive/1/464786/100/0/threaded
Source: BUGTRAQ
Name: 20070404 Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug
Link: http://www.securityfocus.com/archive/1/archive/1/464740/100/0/threaded
Source: MISC
Link: http://www.gnucitizen.org/blog/firebug-goes-evil
Source: VUPEN
Name: ADV-2007-1272
Link: http://www.frsirt.com/english/advisories/2007/1272
Source: SECUNIA
Name: 24743
Link: http://secunia.com/advisories/24743
Source: MISC
Link: http://larholm.com/2007/04/06/0day-vulnerability-in-firebug/
Source: SREASON
Name: 2525
Link: http://securityreason.com/securityalert/2525