Update Scanner - Firefox Extension - Chrome Privileged Code Injection

   (    , )     (,
  .   `. ) (.    ,
   ). , (.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _      ____  ____   _____ =20
 \____  =3D=3D/ /_   _/ ___/  _  /     =20
 /       /   |    \  \__(  <_> )  Y Y  
/______  /\___|__  / \___  >____/|__|_|  /
        /         /.-.    /         /:wq=20
                    (x.0)
                  =3D.|w|.=3D
                  _=3D`"``=3D.

		presents..

Update Scanner Chrome Privileged Code Injection

+-----------+
|Description|
+-----------+

Security-Assessment.com discovered that Update Scanner
is vulnerable to Cross Site Scripting injection.
Update
Scanner renders scanned site content within a chrome
window located at
chrome://updatescan/content/diffPage.xul. A malicious
web page is then able to pass arbitrary browser code,
such as JavaScript, following a scan performed by
Update Scanner. The browser code is directly rendered
and
executed in the chrome privileged Firefox zone related
to Update Scanner.
Update Scanner performs input data filtering by
stripping <script> tags but this is not enough to
prevent
JavaScript code execution. For example, it is possible
to trigger JavaScript code execution by using event
handlers such as =E2=80=9Conerror=E2=80=9D.


+------------+
|Exploitation|
+------------+

This vulnerability can be exploited in several ways.
As the injection point is in the chrome privileged
browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
 or modify other Firefox extensions.


+--------+
|Solution|
+--------+

Security-Assessment.com follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on June 8,
2009, and a response was received on the June 11. A
fix was
released on June 15, 2009.

Install latest Update Scanner version. This is
available from Mozilla Add-ons web site
(https://addons.mozilla.org/en-US/firefox/addon/3362).


+------+
|Credit|
+------+

Discovered and advised to the Update Scanner developer
June 2009 by Roberto Suggi Liverani of Security-
Assessment.com. Personal Page: http://malerisch.net/

For full details regarding this vulnerability
(including a detailed proof of concept exploit)
download the PDF from our website:
http://www.security-assessment.com/files/advisories/Update_Scanner_Firefox_=
Extension_Security_Advisory.pdf

For more details regarding exploitation of Firefox
extensions, refer to our DEFCON 17 presentation at
http://www.security-assessment.com/files/presentations/liverani_freeman_abu=
sing_firefox_extensions_defcon17.pdf

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.=20

Roberto Suggi Liverani