Fizzle Firefox Extension Vulnerability
It appears that the Firefox extension “Fizzle” is vulnerable to being taken over using HTML entities, of all things. Because it converts HTML entities into their more dangerous equivalents, CrYpTiC_MauleR was able to create a proof of concept exploit that reads cookies, steals files, and so on. The proof of concept can be found here.
This is really just another form of RSS hacking that we’ve all come to know and love, although this one is a little more tragic, as it actually gives you much higher access than you can get through a normal HTML RSS feed aggregator. Although this may only affect a few thousand users, there are a few things to note about it. Firstly, there is no standard way to inform users that they are using dangerous plugins. Second, even if something is in an HTML entity, it can cause problems if you start converting the text. Lastly, this is not Firefox’s fault directly, but that doesn’t matter.
If you allow plugins to perform actions outside of the normal security model, you are taking big risks with your users’ security. Nice job, CrYpTiC_MauleR!
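An added example of the conversion the post describes, written for this page and not taken from Fizzle or from the original post: a small entity decoder of the kind a feed reader might use to "tidy" titles, the unsafe render path beside a hardened one, and an audit check over constructed sample titles (the `hostile()` call in them is a placeholder, not a real payload).

```javascript
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Minimal entity decoder (named, decimal and hex forms). This is the
// "make the text look nicer" step at the root of the problem.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : whole;
  });
}

// Escape text so an HTML parser treats it as characters, never as tags.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Count tag-like tokens: this number must not rise between feed and DOM.
function tagCount(s) {
  return (s.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Vulnerable pattern: decode, then insert the string as HTML (innerHTML,
// document.write, or a chrome-privileged document inside an extension).
function renderUnsafe(title) {
  return decodeEntities(title);
}

// Hardened pattern: decode for display, then escape again (or use
// textContent) so whatever the entities hid stays inert.
function renderSafe(title) {
  return escapeHtml(decodeEntities(title));
}

// Defensive audit: flag feed entries whose entities decode into markup.
function findEntityEncodedMarkup(titles) {
  return titles.filter((t) => tagCount(decodeEntities(t)) > tagCount(t));
}

// Constructed sample titles, as they might arrive in an RSS <title> element.
const SAMPLE_TITLES = [
  'Fish &amp; Chips review',
  'Release notes &lt;script&gt;hostile()&lt;/script&gt;',
  'Update &#x3c;script&#x3e;hostile()&#x3c;/script&#x3e;',
];
```

The audit only catches entries whose decoded form gains tags; a reader that shows feed text in a privileged context still needs the hardened render path for everything it displays.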
March 24th, 2007 at 2:43 pm
Lol, that extension has an entire 82 downloads per week
Even https://addons.mozilla.org/firefox/1427/ has more downloads - here remote code execution (with full privileges) is the concept. See http://adblockplus.org/blog/no-good-deed-goes-unpunished - finding vulnerabilities like this one is easy. I wrote a few PoCs myself, some should be still working. Yet the popular extensions tend to be of better quality.
March 24th, 2007 at 3:29 pm
In my blackhat talk I mentioned that HTML entities are converted, and that more readers were vulnerable to this than literal tag injection. There are still many vulns to be found here.
Slides
http://www.cgisecurity.com/papers/RSS-Security.ppt
Paper on RSS Hacking
http://www.cgisecurity.com/papers/HackingFeeds.pdf
March 24th, 2007 at 5:28 pm
Zeno, the problem here is not that the extension allows script injection - the problem is that this extension displays feeds in privileged context in the first place. Ideally an RSS extension for Firefox should show blog posts on data: URLs - these don’t have access to anything, even if you manage to inject scripts.
March 24th, 2007 at 7:28 pm
RSS supports html/script intentionally (via entities) and companies such as Yahoo make a bundle doing JavaScript advertising within them. Expect this functionality to not go away anytime soon.
The HTML entity comment was more in response to the ‘is vulnerable to being taken over using HTML entities of all things’ comment:)
March 26th, 2007 at 5:04 pm
[…] the ha.ckers.org website reports a new vulnerability in the Firefox extension Fizzle, an RSS news reader. Due to […]