Closed Bug 362103 Opened 19 years ago Closed 17 years ago

Remote code execution through Conduit toolbars (incl. BBC and Digg toolbars)

Categories: addons.mozilla.org Graveyard :: Administration
Type: defect
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: jwkbugzilla, Assigned: rbango
Attachments: 1 file

This is a bug in the file ebtoolbar.js used by a few dozen toolbar extensions, e.g. BBC Bar or Australia Radio Toolbar. The toolbars inject a JavaScript object EBToolbarApi into the web pages that has a method ExecuteFunction accepting a string. This method will evaluate the passed string in chrome context. Testcase coming.
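As an added example, not code from this report or from Conduit's toolbars, the block below contrasts the shape of API the report describes (a page-callable method that evaluates an arbitrary string with the extension's privileges) with a hardened bridge that only dispatches on a fixed allowlist of named commands with validated arguments. Only the method name ExecuteFunction comes from the report; the `privileged` object, the `openTab` command, the origin allowlist and the sample cookie string are constructed stand-ins for the extension's chrome side.

```javascript
// Added example (not the toolbar's own code). `ExecuteFunction` is the
// method name from the bug report; everything else is constructed.

// Stand-in for the privileged side of the extension. In the real bug the
// privileged side was Firefox chrome; here it is an object holding data a
// web page must never be able to read.
const privileged = {
  cookies: "session=abc123; prefs=dark", // constructed sample data
  openTab(url) { return `opened ${url}`; },
};

// UNSAFE shape, as the report describes it: a string chosen by the page is
// evaluated with the extension's privileges, so any page that can reach the
// method can run whatever it likes there. Function() stands in for eval in
// chrome context.
const unsafeBridge = {
  ExecuteFunction(code) {
    return Function("privileged", code)(privileged);
  },
};

// HARDENED shape: the page may only name one of a fixed set of commands,
// each command validates its own arguments, and page-supplied text is
// never evaluated. The calling origin is checked as well.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]); // constructed

const commands = {
  openTab(args) {
    let url;
    try {
      url = new URL(String(args.url));
    } catch {
      throw new Error("invalid url");
    }
    if (url.protocol !== "https:") throw new Error("only https urls allowed");
    return privileged.openTab(url.href);
  },
};

// Returns the object that would be exposed to a page of the given origin.
function safeBridge(origin) {
  return {
    ExecuteFunction(command, args = {}) {
      if (!ALLOWED_ORIGINS.has(origin)) throw new Error("origin not allowed");
      // hasOwnProperty guards against names like "constructor" or "__proto__"
      if (!Object.prototype.hasOwnProperty.call(commands, command)) {
        throw new Error(`unknown command: ${command}`);
      }
      return commands[command](args);
    },
  };
}
```

The difference a reviewer should look for is that the hardened version never passes page-controlled text to an evaluator: the command name is only used as a lookup key into a fixed table, and arguments are parsed and checked before any privileged function sees them.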
Attached file Testcase
Install one of the toolbar extensions, e.g. BBC Bar, and open this testcase. You will be presented with a list of your cookies; the page could do anything else as well, with the privileges of your browser.
I don't have all the extensions on my hard disk, but of the ones I have, the affected ones are:
* Abandonia Toolbar
* All Yours Chats Toolbar
* Anderson Tech Club Toolbar
* Atom Sounds Toolbar
* Australia-Radio Toolbar
* BBC Bar
* Bob Dawg's Pad Toolbar
* BX Toolbar
* Careforkids Toolbar
* Casino Free Money Toolbar
* Celebar
* Cengoo.de Toolbar
* CG Toolbar
* Cowgirl Image Toolbar
* Cowgird Model Toolbar
* Deutschland Radio
* Digg.com extension toolbar
* DVDEmpire Toolbar
* EZPharmacyFinder Toolbar
Summary: Remote code execution through several toolbar extensions → Remote code execution through several toolbar extensions (incl. BBC and Digg toolbars)
Since these extensions are no longer hosted at AMO, I looked at conduit.com, clicking on Community I saw that they feature Gotuit Toolbar. Downloaded, it still has exactly the same backdoor in it. Well, actually I see a whole bunch of Conduit toolbars in the sandbox but none of them seem to have an install box. I downloaded the TexasBar from the URL in the description - and sure enough, this backdoor is there.
Summary: Remote code execution through several toolbar extensions (incl. BBC and Digg toolbars) → Remote code execution through Conduit toolbars (incl. BBC and Digg toolbars)
Not a lot we can do about it here, since doing a blocklist entry for all of the generated toolbars is basically a non-starter, but I can try to find someone at Conduit to whom to report the bug if you haven't already. Thanks for the report, it's a pretty serious bug!
No, I didn't contact them.
That's fair -- contacting the listed authors isn't very helpful, likely, given their usually significant inability to fix anything or even know what's going on. I'll see what I can do, and we should disable the conduit ones from the sandbox too.
Mike: any updates on this?
I sent mail to people at Conduit, haven't heard back. Not much more we can do on this end. :/
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: nobody → basil
Status: REOPENED → NEW
Assignee: bhashem → rbango
Component: Add-ons → Administration
QA Contact: add-ons → administration
I'm emailing my contact at Conduit. They'd like to get back onto AMO so I'm sure they'll look into this immediately.
Supposedly they already fixed that issue in July last year but I didn't verify.
Ok. I've pinged them and asked for confirmation. This recently showed up on my bug list so I was following up.
I confirmed that it's fixed. Closing this.
Status: NEW → RESOLVED
Closed: 19 years ago → 17 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
I think that this should be made public by now.
Flags: needinfo?(jorge)
Group: client-services-security
Flags: needinfo?(jorge)