Rapid7 VulnDB

Firefox 17.0.1 Flash Privileged Code Injection

Back to Search

Firefox 17.0.1 Flash Privileged Code Injection

Disclosed
01/08/2013
Created
05/30/2018

Description

This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it.

Author(s)

  • Marius Mlynski
  • joev <joev@metasploit.com>
  • sinn3r <sinn3r@metasploit.com>

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/browser/firefox_svg_plugin
msf exploit(firefox_svg_plugin) > show targets
    ...targets...
msf exploit(firefox_svg_plugin) > set TARGET < target-id >
msf exploit(firefox_svg_plugin) > show options
    ...show and set options...
msf exploit(firefox_svg_plugin) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;