Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution

Disclosed: Aug 6, 2013
Created: May 30, 2018

Description

On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
invalid input, would throw an exception that did not have an __exposedProps__
property set. By re-setting this property on the exception object's prototype,
the chrome-based defineProperty method is made available.

With the defineProperty method, functions belonging to window and document can be
overridden with a function that gets called from a chrome-privileged context. From here,
another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
into the context's private scope. Since the window does not have a chrome:// URL,
the insecure parts of Components.classes are not available, so instead the AddonManager
API is invoked to silently install a malicious plugin.
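
For defenders, the version range above (5.0 to 15.0.1) can be used to find clients that still need patching. The following is an added example, not part of the Metasploit module or the original page: it scans combined-format web proxy log lines for Firefox User-Agent strings in that range. The function names, the log format and the sample lines are assumptions made for illustration.

```python
import re

# Affected range as stated on this page: Firefox 5.0 through 15.0.1 inclusive.
FIRST_AFFECTED = (5, 0, 0)
LAST_AFFECTED = (15, 0, 1)

# Assumed combined log format: client IP first, User-Agent as the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
FIREFOX_RE = re.compile(r'\bFirefox/(\d+(?:\.\d+){0,2})')


def firefox_version(user_agent):
    """Return the Firefox version as a 3-tuple, or None if not Firefox."""
    match = FIREFOX_RE.search(user_agent)
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad "12.0" to (12, 0, 0) for comparison
    return tuple(parts)


def is_affected(user_agent):
    """True if the User-Agent claims a Firefox version in the affected range.
    The header is client-supplied, so treat a hit as an inventory lead only."""
    version = firefox_version(user_agent)
    return version is not None and FIRST_AFFECTED <= version <= LAST_AFFECTED


def affected_clients(log_lines):
    """Map client IP -> set of affected Firefox versions seen for that IP."""
    hits = {}
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and is_affected(match.group("ua")):
            version = ".".join(map(str, firefox_version(match.group("ua"))))
            hits.setdefault(match.group("ip"), set()).add(version)
    return hits


# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"',
    '192.0.2.11 - - [06/Aug/2013:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"',
    '192.0.2.12 - - [06/Aug/2013:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0.1"',
    '192.0.2.13 - - [06/Aug/2013:10:00:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"',
]

if __name__ == "__main__":
    for ip, versions in sorted(affected_clients(SAMPLE_LOG).items()):
        print(ip, sorted(versions))
```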

Authors

Mariusz Mlynski
moz_bug_r_a4
joev <joev@metasploit.com>

Platform

Java, Linux, OSX, Solaris, Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/multi/browser/firefox_proto_crmfrequest
msf exploit(firefox_proto_crmfrequest) > show targets
...targets...
msf exploit(firefox_proto_crmfrequest) > set TARGET <target-id>
msf exploit(firefox_proto_crmfrequest) > show options
...show and set options...
msf exploit(firefox_proto_crmfrequest) > exploit
