Possible remote code execution in blueorganizer



addons.mozilla.org Graveyard
12 years ago
2 years ago


(Reporter: Wladimir Palant, Unassigned)






12 years ago
The blueorganizer extension stores most of its configuration as XML files that are converted into JavaScript objects at run-time. The code is obfuscated so that it is difficult to prove that some of these XML files are loaded remotely but I am pretty sure they are. For example, the file BlueDocLookup.js loads and processes a file sites.xml. This file doesn't come with the extension and it isn't created by it either, so the base address must be remote.

There are two issues with the processing of XML files (method gBlue_BeanUtils.fromXml in BeanUtils.js). First is the processing of the type attribute of a node, it will create an object of this type with this call:

  eval("new "+type+"();")

Then there is processing of the script attribute, here is what happens with it:

  var lib=gBlue_Utils.split(script,".");

Note that JSAN.use will eval its parameter first to check whether a module is already loaded. This issue might not be exploitable however, writing malicious code without using a dot should be difficult.

This code hasn't been changed in blueorganizer 3.0 available from the adaptiveblue.com (I guess this version is in AMO's review queue).

Comment 1

12 years ago
Mail sent:


I was looking for typical patterns of security holes in extensions on addons.mozilla.org and I stumbled upon something in your extension that might be one. Unfortunately your source code is obfuscated so that verifying it would take too much time.

You have a method gBlue_BeanUtils.fromXml that is used to convert XML into JavaScript objects. It looks like you sometimes apply it to XML files you get from the internet and here lies the problem. Processing for two of the attributes allows the XML file to execute JavaScript code with chrome privileges.

There is the code handling type attribute:

  eval("new "+type+"();")

If the type happens to contain "Object();alert('Hi!');" an alert will be shown. Similarly any other JavaScript code could be executed. This should be easy to fix, I think you intended to do this:

  new window[type]()

The other problem is the script attribute. Right now you do something like this:

  var lib=gBlue_Utils.split(script,".")[0];

JSAN.use will call eval() on its parameter to check whether the module is already loaded. It is difficult to imagine malicious code that isn't using the dot character but still - it would be better to make sure that lib doesn't contain anything but letters and digits:

  lib = lib.replace(/\W/, "");

Could you fix these issues?


Comment 2

11 years ago
Current version of blueorganizer validates the type parameter. Resolving FIXED.
Last Resolved: 11 years ago
Resolution: --- → FIXED
Component: Add-ons → Administration
QA Contact: add-ons → administration


2 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard

Comment 3

2 years ago
I think that this should be public by now.
Flags: needinfo?(jorge)
Group: client-services-security
Flags: needinfo?(jorge)
You need to log in before you can comment on or make changes to this bug.