This exploit gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges.

Module Name

exploit/multi/browser/firefox_tostring_console_injection

Authors

• moz_bug_r_a4
• Cody Crews
• joev <joev [at] metasploit.com>

References

• CVE-2013-1710

Targets

• Universal (Javascript XPCOM Shell)
• Native Payload

Platforms

• firefox
• java
• linux
• osx
• solaris
• windows

Architectures

• firefox
• x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r

Reliability

• Excellent

Development

• Source Code
• History

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

Related Vulnerabilities

• DSA-2735-1 iceweasel -- several vulnerabilities
• DSA-2746-1 icedove -- several vulnerabilities
• FreeBSD: mozilla -- multiple vulnerabilities (Multiple CVEs)
• Gentoo Linux: CVE-2013-1710: Mozilla Products: Multiple vulnerabilities
• ELSA-2013-1140 Critical: Oracle Linux firefox security update
• ELSA-2013-1142 Important: Oracle Linux thunderbird security update
• RHSA-2013:1140: firefox security update
• RHSA-2013:1142: thunderbird security update
• MFSA2013-69 Firefox: CRMF requests allow for code execution and XSS attacks (CVE-2013-1710)
• MFSA2013-69 SeaMonkey: CRMF requests allow for code execution and XSS attacks (CVE-2013-1710)
• MFSA2013-69 Thunderbird: CRMF requests allow for code execution and XSS attacks (CVE-2013-1710)
• SUSE Linux Security Vulnerability: CVE-2013-1710
• SUSE Linux Security Advisory: SUSE-SU-2014:1100-1
• USN-1924-1: Firefox vulnerabilities
• USN-1925-1: Thunderbird vulnerabilities

Related Modules

• Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution