web application security lab

Fizzle Firefox Extension Vulnerability

It appears that the Firefox extension “Fizzle” (an RSS reader) is vulnerable to being taken over using HTML entities, of all things. Because it decodes the HTML entities in feed content back into raw markup (turning, say, &lt;script&gt; into a live <script> tag) and renders the result with the extension’s own privileges, CrYpTiC_MauleR was able to create a proof of concept exploit that reads cookies, steals files, and so on. The proof of concept can be found here.

This is really just another form of the RSS hacking that we’ve all come to know and love, although this one is a little more tragic, as it actually gives you much higher access than you can get through a normal HTML RSS feed aggregator. Although this may only affect a few thousand users, there are a few things to note. Firstly, there is no standard way to inform users that they are using dangerous plugins. Second, even if something is in an HTML entity, it can cause problems once you start converting the text back. Lastly, this is not Firefox’s fault directly, but that doesn’t matter.

If you allow plugins to perform actions outside of the normal security model, you are taking big risks with your users’ security. Nice job, CrYpTiC_MauleR!
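To make the mechanism concrete, here is an added example (my own code, not Fizzle’s and not CrYpTiC_MauleR’s proof of concept) of the three steps that matter: an RSS description arrives entity-escaped, a reader that decodes those entities turns inert text into a live script tag, and a reader that either keeps the text escaped or pushes the decoded HTML into an unprivileged data: URL document (the approach Wladimir Palant suggests in the comments below) does not hand that script its own privileges. The feed description, the entity table and the containsActiveContent heuristic are all constructed for this example.

```javascript
// Added example, not code from the Fizzle extension. Shows why decoding HTML
// entities from an RSS feed and rendering the result in the reader's own
// (privileged) document is dangerous, and two safer ways to render it.

// Constructed RSS <description> as a reader would receive it. RSS description
// text is entity-escaped HTML, so "&lt;script&gt;" is just the characters
// "<script>" until something decodes it.
const FEED_DESCRIPTION =
  'Check this out: &lt;script&gt;alert(document.cookie)&lt;/script&gt; &amp; more &quot;news&quot;';

// Minimal named-entity table (assumption: enough for the example).
const ENTITY_MAP = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode named and numeric entities into raw characters. This is the step
// that turns harmless text into live markup.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    const name = body.toLowerCase();
    return name in ENTITY_MAP ? ENTITY_MAP[name] : match;
  });
}

// Escape the five HTML-significant characters so a string is shown as text.
function escapeHtml(s) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => table[c]);
}

// Vulnerable pattern: decode, then hand the result to innerHTML in the
// extension's own document. The returned string now contains a real
// <script> tag that runs with whatever privileges that document has.
function renderUnsafe(description) {
  return decodeEntities(description);
}

// Safe option 1: treat the description as plain text. Escaping the already
// escaped string means the browser displays "&lt;script&gt;" literally.
function renderAsText(description) {
  return escapeHtml(description);
}

// Safe option 2: keep the HTML, but render it in a separate data: URL
// document. Script can still run there, but in a document that has none of
// the reader's privileges (the suggestion made in comment 3 below).
function sandboxedDataUrl(description) {
  const html =
    '<!doctype html><meta charset="utf-8"><body>' +
    decodeEntities(description) +
    '</body>';
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(html);
}

// Review heuristic (constructed, not exhaustive): does a string that is about
// to be inserted as markup contain script tags, event handlers or javascript:
// URLs? Useful as a quick check when auditing a feed reader's render path.
function containsActiveContent(html) {
  return /<\s*script\b|\bon[a-z]+\s*=|javascript:/i.test(html);
}

console.log('unsafe :', renderUnsafe(FEED_DESCRIPTION));
console.log('as text:', renderAsText(FEED_DESCRIPTION));
console.log('data URL:', sandboxedDataUrl(FEED_DESCRIPTION).slice(0, 60) + '...');
```

The decisive point is not the decoding itself but where the decoded markup ends up: a reader that decodes entities and then writes the result into its own privileged document is the pattern that turns a feed into a file-stealing exploit, while the same markup inside a data: URL document gets an origin with no access to the reader’s cookies or files.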

5 Responses to “Fizzle Firefox Extension Vulnerability”

  1. Wladimir Palant Says:

    Lol, that extension has a whole 82 downloads per week :)
    Even https://addons.mozilla.org/firefox/1427/ has more downloads - here remote code execution (with full privileges) is the concept. See http://adblockplus.org/blog/no-good-deed-goes-unpunished - finding vulnerabilities like this one is easy. I wrote a few PoCs myself, some should be still working. Yet the popular extensions tend to be of better quality.

  2. zeno Says:

    In my Black Hat talk I mentioned that HTML entities are converted, and that more readers were vulnerable to this than literal tag injection. There are still many vulns to be found here.

    Slides
    http://www.cgisecurity.com/papers/RSS-Security.ppt

    Paper on RSS Hacking
    http://www.cgisecurity.com/papers/HackingFeeds.pdf

  3. Wladimir Palant Says:

    Zeno, the problem here is not that the extension allows script injection - the problem is that this extension displays feeds in privileged context in the first place. Ideally an RSS extension for Firefox should show blog posts on data: URLs - these don’t have access to anything, even if you manage to inject scripts.

  4. zeno Says:

    RSS supports HTML/script intentionally (via entities), and companies such as Yahoo make a bundle doing JavaScript advertising within them. Expect this functionality to not go away anytime soon.

    The HTML entity comment was more in response to the ‘is vulnerable to being taken over using HTML entities of all things’ comment:)

  5. New vulnerability in the Firefox extension Fizzle : Says:

    […] the ha.ckers.org web page reports a new vulnerability in the Firefox extension Fizzle, an RSS news reader. Because […]