Yesterday pdp from gnucitizen.org wrote once again a very interesting blog posting. He found out, that the widely used Firefox extension called Firebug has a vulnerability which allows an attacker to execute his own JavaScript code. Yes I know, we’ve talked about XSS and all that stuff many times but this vulnerability is much more dangerous than normal ones. This because Firefox extensions are running in a part of the webbrowser which’s called chrome. Because of being in the chrome, the Firefox extensions there have much more privileges and possibilities than normal JavaScript on a website has. For example such an extension can read/write files on the harddisk, open sockets, install malware and much more. Now in the case we have here with Firebug, an attacker can exactly do what I’ve just described.

The following line shows the problem in a very nice way:
console.log({'<script>alert("Evil Script")</script>':'exploit'})

For real POCs just visit the ones of pdp:
http://www.gnucitizen.org/projects/firebug-goes-evil/poc.htm

If you’re using Firebug you really should update to the latest version which’s online since today as soon as possible and you should also disable the whole extension at the time you aren’t using it.

I also spent a few minutes today, getting into the source code of Firebug and what should I say, in this short time I wasn’t able to find another vulnerability (which wasn’t my goal anyway) but I found some functions where I’ve to say that this definitely shouldn’t be the way it is.

I’m not really surprised at this story because it’s not that hard to exploit such stuff when we compare it for example with compiled C code but it’s a very attractive target for an attacker and I think we’ll see much more such nasty stuff in the near future; if we want or not.