AOH :: HP Unsorted S :: BT-21554.HTM

ScribeFire Firefox Extension - Privileged Code Injection



ScribeFire Firefox Extension - Privileged Code Injection
ScribeFire Firefox Extension - Privileged Code Injection



     (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____  
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

        presents..

ScribeFire Firefox Extension Code Injection Vulnerability
Versions affected: < 3.4.2


+-----------+
|Description|
+-----------+

The ScribeFire Firefox extension provides an interface
 for users to post to their blogs from any website. It
 allows users to drag images from a website into the
editing pane, which publishes that image as part of
their blog post.

Security-Assessment.com discovered that ScribeFire is
vulnerable to multiple injection vulnerabilities which
 can be exploited through a malicious image.
Cross-Site Scripting and HTML injection
vulnerabilities were discovered within the DOM event
handlers of  tags.

ScribeFire directly evaluates remotely supplied
content, within the privileged chrome context. This
can allow an image on a website to exploit users who
share it, and may lead to the complete compromise of
the host.

    
+------------+
|Exploitation|
+------------+

This vulnerability can be exploited in several ways.
As the injection point is in the chrome privileged
browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
 or modify other Firefox extensions.


+--------+
|Solution|
+--------+

Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on July 10,
2009, and a response was received on July 15. A fix
was released on July 20, 2009.  

The vendor supplied patch is available
from Mozilla (https://addons.mozilla.org/en-US/firefox/addon/1730)
or from the developer=E2=80=99s personal website,
http://www.scribefire.com. 


+------+
|Credit|
+------+

Discovered and advised to the ScribeFire developer
July 2009 by Nick Freeman of Security-Assessment.com.
Contact: Nick Freeman \\AT\\ security-assess\m/ent.com
Personal Page: http://atta.cked.me 


For full details regarding this vulnerability
(including a detailed proof of concept exploit)
download the PDF from our website:
http://security-assessment.com/files/advisories/ScribeFire_Firefox_Extension_Privileged_Code_Injection.pdf 

For more details regarding exploitation of Firefox
extensions, refer to our DEFCON 17 presentation at
http://security-assessment.com/files/presentations/liverani_freeman_abusing_firefox_extensions_defcon17.pdf. 

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.