June 15, 2009

Security advisory

Update Scanner Chrome Privileged Code Injection

+-----------+
|Description|
+-----------+

Security-Assessment.com discovered that Update Scanner is vulnerable to Cross Site Scripting injection.
Update Scanner renders scanned site content within a chrome window located at chrome://updatescan/content/diffPage.xul. A malicious web page is then able to pass arbitrary browser code, such as JavaScript, following a scan performed by Update Scanner. The browser code is directly rendered and executed in the chrome privileged Firefox zone related to Update Scanner.
Update Scanner performs input data filtering by stripping <script> tags but this is not enough to
prevent JavaScript code execution. For example, it is possible to trigger JavaScript code execution by using event handlers such as “onerror”.

+------------+
|Exploitation|
+------------+

This vulnerability can be exploited in several ways.
As the injection point is in the chrome privileged browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla built-in XPCOM components. XPCOM components can be used to read and write from the file system, as well as execute arbitrary commands, steal stored passwords, or modify other Firefox extensions.

+--------+
|Solution|
+--------+

Security-Assessment.com follows responsible disclosure and promptly contacted the developer after discovering the issue. The developer was contacted on June 8, 2009, and a response was received on the June 11. A fix was released on June 15, 2009.

Install latest Update Scanner version. This is available from Mozilla Add-ons web site
(https://addons.mozilla.org/en-US/firefox/addon/3362).

+------+
|Credit|
+------+

Discovered and advised to the Update Scanner developer June 2009 by Roberto Suggi Liverani of Security-
Assessment.com. Personal Page: http://malerisch.net/

For full details regarding this vulnerability
(including a detailed proof of concept exploit)
download the PDF from our website:
http://www.security-assessment.com/files/advisories/Update_Scanner_Firefox_Extension_Security_Advisory.pdf

For more details regarding exploitation of Firefox extensions, refer to our DEFCON 17 presentation at
http://www.security-assessment.com/files/presentations/liverani_freeman_abusing_firefox_extensions_defcon17.pdf

Share - permalink - Comment/Contact me