By Jake Edge
August 26, 2009
Browser extensions, or add-ons, typically provide functionality beyond
what the browser itself offers, but that comes with a price: more
potential for vulnerabilities. The recent disclosure of five separate
vulnerabilities in Firefox extensions serves as a reminder that extensions
occupy a privileged position within the browser. That position makes flaws
in extensions particularly dangerous, as they generally will allow an
attacker's code to run with all the privileges of the user running the
browser.
The vulnerabilities were disclosed by Nick Freeman and Roberto Suggi
Liverani of Security-Assessment.com, a New
Zealand-based web and network security firm. In doing research for a DEFCON
presentation [PDF], they found flaws in the following Firefox extensions:
Feed Sidebar, ScribeFire, WizzRSS, CoolPreviews, and Update Scanner. The flaws were found between
February and June of this year, and the presentation lists three more that
have yet to be disclosed.
All five of the flaws have something in common: in one way or another, they
take content from a remote site and handle it incorrectly within the
privileged Mozilla "chrome" context. For example, the Feed Sidebar
extension incorrectly handles the RSS <description> tags, such that a
malicious site could do cross-site scripting (XSS) or HTML injection into the
chrome trusted zone. That would allow the remote site to potentially
perform any action the browser could: access the filesystem, retrieve web
site passwords, execute programs, and so on.
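As an added illustration of the pattern described above (example code written for this page, not taken from the DEFCON presentation or from the Feed Sidebar extension): a feed renderer that splices a feed's <description> markup into privileged chrome markup, the hardened form that escapes it first, and a check that flags active content. It runs under Node.js with no DOM, so the render functions return the markup string an extension would otherwise assign to innerHTML; the sample feed, the function names and the `hasActiveContent` heuristic are all constructed for the example.

```javascript
// Added example, not code from the presentation or from Feed Sidebar.
// Node.js, no DOM: renderers return the markup an extension would assign to
// a chrome element's innerHTML.

// Minimal <item> extraction for the constructed sample below (a real
// extension would use an XML parser). Handles plain and CDATA element bodies.
function parseItems(rssXml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  let m;
  while ((m = itemRe.exec(rssXml)) !== null) {
    const body = m[1];
    const pick = (tag) => {
      const re = new RegExp(
        `<${tag}>(?:<!\\[CDATA\\[([\\s\\S]*?)\\]\\]>|([\\s\\S]*?))<\\/${tag}>`);
      const mm = re.exec(body);
      if (!mm) return '';
      return mm[1] !== undefined ? mm[1] : mm[2];
    };
    items.push({ title: pick('title'), description: pick('description') });
  }
  return items;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: remote feed markup is spliced straight into the sidebar's
// markup. Assigned to innerHTML in a chrome document, any <script> in the
// description runs with the extension's privileges.
function renderItemUnsafe(item) {
  return `<div class="item"><h3>${item.title}</h3><div>${item.description}</div></div>`;
}

// Hardened shape: feed text is escaped, so it is displayed rather than parsed
// as markup. (Using textContent or createTextNode instead of innerHTML
// achieves the same without a string escape step.)
function renderItemSafe(item) {
  return `<div class="item"><h3>${escapeHtml(item.title)}</h3>` +
         `<div>${escapeHtml(item.description)}</div></div>`;
}

// Reviewer's heuristic (constructed for this example): does a piece of markup
// carry script-bearing constructs? Useful when auditing what an extension is
// about to render into chrome.
function hasActiveContent(markup) {
  return /<script\b|\bon\w+\s*=|javascript:|<iframe\b|<object\b|<embed\b/i.test(markup);
}

// Constructed sample feed (not a real feed). The second item carries the kind
// of markup a hostile feed would send.
const SAMPLE_RSS = `<rss><channel>
<item><title>Plain item</title><description>Just text, nothing else</description></item>
<item><title>Hostile item</title><description><![CDATA[<b>Hi</b><script>alert(1)</script>]]></description></item>
</channel></rss>`;

// Render every item both ways and report which outputs still carry active content.
function compareRenderings(rssXml) {
  return parseItems(rssXml).map((item) => ({
    title: item.title,
    unsafeHasScript: hasActiveContent(renderItemUnsafe(item)),
    safeHasScript: hasActiveContent(renderItemSafe(item)),
  }));
}

console.log(compareRenderings(SAMPLE_RSS));
```

The point of the comparison is that the same feed content is harmless in one rendering and privileged script in the other; the data never changed, only the API it was handed to.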
The presentation has several proof-of-concept examples; the one associated
with Feed Sidebar
steals all of the login credentials and sends them off to a remote site.
Another example using the ScribeFire extension sets up a reverse VNC
session so that an attacker could view the desktop of the browser user.
Yet another uses XSS to send a copy of /etc/passwd off to a remote
site. These are all very potent exploits that could be used to seriously
compromise users' privacy and security.
There are certainly more of these problems out there (beyond even the
three undisclosed, thus presumably unpatched, vulnerabilities). Part of
the problem is that the "Mozilla extension security model is
nonexistent", according to Freeman and Liverani's presentation. All
extensions are treated as completely trusted code by Firefox. In addition,
there are no security boundaries between the extensions, so one can quietly
modify another. They also note that other Mozilla applications that allow
extensions (e.g. Thunderbird) are also susceptible to these kinds of
vulnerabilities.
Many Firefox extensions are available through addons.mozilla.org (AMO),
but the researchers point out that extension developers, and the AMO reviewers,
are not necessarily security experts, so bugs like these may slip through.
They also note that the NoScript
extension, with its XSS protection, may be giving a false sense of
security. NoScript whitelists chrome: URLs, which means that it
provides no protection against malicious or buggy extensions.
In many ways, it should come as no surprise that there are bugs—and
security holes—in Firefox extensions, but it is a problem that has
largely flown under the radar. Malicious extensions, downloaded from sites
other than AMO,
are a fairly well-understood vector for attack—at least to users who
are somewhat security-conscious. Extensions that have, or appear to have,
the "blessing" of AMO are a bit of a different story. Many users, even
those who pay attention to security issues, may well expect that those
extensions are rigorously vetted, which seems not to be the case.
There is no reason to believe that these vulnerabilities were
anything other than "standard" programming errors, but those with a
malicious intent probably could sneak
vulnerabilities into AMO extensions—perhaps they have already
done so. The presentation lists two plausible scenarios for how malware
authors might get vulnerabilities introduced into extensions, particularly
popular or recommended extensions.
This research gives us yet another
attack vector to be worried about, but there is also some useful information
on what to look for in extensions that could lead to these kinds of flaws.
With luck, that will help reduce the number of extensions with holes. That
still leaves us with the worry about malicious extension authors.
Without a more rigorous review of extensions—even that won't find
every flaw—there is little that can be done. It is a problem that
will likely be with us for quite some time.
Brief items
Red Hat SELinux hacker Dan Walsh writes about Secure Virtualization (sVirt) on his web log. The basic idea is to leverage SELinux to isolate virtual machines from each other and from the host. "After virtualization, we have multiple services running on the same host. If a virtual machine is broken into, the cracker just needs to break through the hypervisor. If a hypervisor vulnerability exists, the cracker can take over all of the virtual machines on the host. He can even write into any virtual host images that are accessible from the host machine.
[...]
This is very scary stuff. The question is not 'if', but 'when'. Hacker/cracker conventions are already examining hypervisor vulnerabilities. Crackers have already broken through the xen hypervisor, as I documented in one of my previous blogs."
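The isolation sVirt gets from SELinux, as an added example that is not part of Walsh's post or of libvirt's code: a simplified model of the MCS side of the scheme, in which each guest gets its own pair of categories, its disk image is labeled with the same pair, and a read is allowed only when the process's categories dominate the file's. The `svirt_t` / `svirt_image_t` type names and the `s0:cA,cB` range syntax are the real SELinux conventions; the allocation routine, the decision function and the label strings it produces are constructed for this example.

```javascript
// Added example: a simplified model of the MCS half of sVirt. Type names and
// label syntax follow SELinux conventions; the allocation and decision logic
// is written for this example, not taken from libvirt.

const CATEGORY_COUNT = 1024; // MCS categories c0 .. c1023

// Pick a pair of distinct categories that no other running guest holds.
// `rng` is injectable so callers (and tests) can make the choice deterministic.
function allocateCategories(inUse, rng = Math.random) {
  for (let attempt = 0; attempt < 10000; attempt++) {
    let a = Math.floor(rng() * CATEGORY_COUNT);
    let b = Math.floor(rng() * CATEGORY_COUNT);
    if (a === b) continue;
    if (a > b) [a, b] = [b, a];            // canonical order: c12,c345 not c345,c12
    const pair = `c${a},c${b}`;
    if (!inUse.has(pair)) {
      inUse.add(pair);
      return pair;
    }
  }
  throw new Error('no free category pair');
}

// Labels for a guest's qemu process and for its image file, sharing one pair.
function guestLabels(pair) {
  return {
    process: `system_u:system_r:svirt_t:s0:${pair}`,
    image: `system_u:object_r:svirt_image_t:s0:${pair}`,
  };
}

// Split "user:role:type:s0:c1,c2" into its type and category set.
function parseLabel(label) {
  const parts = label.split(':');
  if (parts.length < 4) throw new Error(`malformed label ${label}`);
  const cats = new Set(parts[4] ? parts[4].split(',') : []);
  return { type: parts[2], cats };
}

// Access decision, reduced to the two rules that matter here:
//  1. type enforcement: svirt_t may read svirt_image_t, nothing else;
//  2. MCS: the process's category set must be a superset of the file's.
function mayRead(processLabel, fileLabel) {
  const p = parseLabel(processLabel);
  const f = parseLabel(fileLabel);
  if (!(p.type === 'svirt_t' && f.type === 'svirt_image_t')) return false;
  for (const c of f.cats) {
    if (!p.cats.has(c)) return false;
  }
  return true;
}

// Start two guests and show the isolation matrix: each guest reads its own
// image, neither reads the other's, even though both run as svirt_t.
function isolationMatrix() {
  const inUse = new Set();
  const guestA = guestLabels(allocateCategories(inUse));
  const guestB = guestLabels(allocateCategories(inUse));
  return {
    aReadsA: mayRead(guestA.process, guestA.image),
    aReadsB: mayRead(guestA.process, guestB.image),
    bReadsA: mayRead(guestB.process, guestA.image),
  };
}

console.log(isolationMatrix()); // { aReadsA: true, aReadsB: false, bReadsA: false }
```

A file labeled with no categories at all (`s0`) is dominated by every guest, which is why the category pair on the image file is as important as the one on the process; the model shows that a guest whose qemu is compromised still cannot read a sibling's image without first defeating the label check in the kernel.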
New vulnerabilities
buildbot: cross-site scripting
Package(s): buildbot
CVE #(s): (none)
Created: August 24, 2009
Updated: August 26, 2009
Description: From the buildbot advisory:
In addition to the XSS vulnerability announced on August 12, several other such vulnerabilities were discovered in other portions of the Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez. The severity of these vulnerabilities is no different than that announced on August 12, except that the vulnerabilities are not limited to the waterfall view.
expat: denial of service
Package(s): expat
CVE #(s): CVE-2009-2625
Created: August 24, 2009
Updated: June 13, 2011
Description: From the Gentoo bug report:
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in
JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20,
and in other products, allows remote attackers to cause a denial of
service (infinite loop and application hang) via malformed XML input,
as demonstrated by the Codenomicon XML fuzzing framework.
gnutls: certificate spoofing vulnerability
Package(s): gnutls12, gnutls13, gnutls26
CVE #(s): CVE-2009-2730
Created: August 20, 2009
Updated: February 16, 2010
Description: From the National Vulnerability Database entry:
"libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority."
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2009-2698
Created: August 24, 2009
Updated: March 21, 2011
Description: From the Red Hat advisory:
A flaw was found in the udp_sendmsg() implementation in the Linux kernel
when using the MSG_MORE flag on UDP sockets. A local, unprivileged user
could use this flaw to cause a local denial of service or escalate their
privileges. (CVE-2009-2698, Important)
kernel: multiple vulnerabilities
Package(s): linux-2.6
CVE #(s): CVE-2009-2846, CVE-2009-2847, CVE-2009-2848, CVE-2009-2849
Created: August 25, 2009
Updated: October 8, 2010
Description: From the Debian advisory:
Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. (CVE-2009-2846)
Ulrich Drepper noticed an issue in the do_sigalstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. (CVE-2009-2847)
Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). (CVE-2009-2848)
Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). (CVE-2009-2849)
libneon: man in the middle attack
Package(s): libneon0.27
CVE #(s): CVE-2009-2474
Created: August 25, 2009
Updated: December 4, 2009
Description: From the Mandriva advisory:
neon before 0.28.6, when OpenSSL is used, does not properly handle a '\0' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
neon: denial of service, man in the middle attack
Package(s): neon
CVE #(s): CVE-2009-2473
Created: August 21, 2009
Updated: January 17, 2013
Description: From the Fedora advisory:
There are two security issues in neon: the "billion laughs" attack against expat could allow a Denial of Service attack by a malicious server (CVE-2009-2473), and an embedded NUL byte in a certificate subject name could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert.
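The embedded-NUL problem behind the gnutls, libneon and neon entries above, as an added example (not GnuTLS's or neon's code): a hostname check with C-string semantics stops comparing at the first NUL, so a name the CA validated in full looks to the client like a shorter, honest one. The certificate subjects, function names and the wildcard rule are constructed for this example; the hardened check rejects NUL outright and compares over the full length.

```javascript
// Added example, not GnuTLS or neon code. Certificate names are constructed.

// C-string semantics: the comparison stops at the first NUL byte, so anything
// after it is invisible to the caller.
function cStringEquals(a, b) {
  const cut = (s) => {
    const i = s.indexOf('\0');
    return i === -1 ? s : s.slice(0, i);
  };
  return cut(a) === cut(b);
}

// Vulnerable shape: the name's length came from the ASN.1 encoding, but the
// comparison is strcmp-like, so "www.good.example\0.evil.example" compares
// equal to "www.good.example".
function hostnameMatchesVulnerable(certName, hostname) {
  return cStringEquals(certName.toLowerCase(), hostname.toLowerCase());
}

// Hardened shape: refuse any name containing a byte that cannot occur in a
// DNS name, compare over the full length, and honor only a single leading
// wildcard label.
function hostnameMatchesFixed(certName, hostname) {
  if (certName.includes('\0') || hostname.includes('\0')) return false;
  if (!/^[a-z0-9.*-]+$/i.test(certName)) return false;
  const c = certName.toLowerCase();
  const h = hostname.toLowerCase();
  if (c === h) return true;
  if (c.startsWith('*.')) {
    const suffix = c.slice(1);          // "*.good.example" -> ".good.example"
    const firstDot = h.indexOf('.');
    return firstDot > 0 && h.slice(firstDot) === suffix;
  }
  return false;
}

// A verifier walks the SAN dNSNames, or the CN when the certificate has no
// SAN, and accepts if any name matches.
function certificateMatchesHost(cert, hostname, matcher) {
  const names = cert.san.length > 0 ? cert.san : [cert.cn];
  return names.some((name) => matcher(name, hostname));
}

// Constructed subjects: the CA saw the whole string, the vulnerable client
// only the part before the NUL.
const CRAFTED_CERT = { cn: 'www.good.example\0.evil.example', san: [] };
const HONEST_CERT = { cn: 'www.good.example', san: ['www.good.example', '*.good.example'] };

function compareVerifiers() {
  return {
    craftedAcceptedByVulnerable:
      certificateMatchesHost(CRAFTED_CERT, 'www.good.example', hostnameMatchesVulnerable),
    craftedAcceptedByFixed:
      certificateMatchesHost(CRAFTED_CERT, 'www.good.example', hostnameMatchesFixed),
    honestAcceptedByFixed:
      certificateMatchesHost(HONEST_CERT, 'mail.good.example', hostnameMatchesFixed),
  };
}

console.log(compareVerifiers());
// { craftedAcceptedByVulnerable: true, craftedAcceptedByFixed: false, honestAcceptedByFixed: true }
```

The length check is the part that matters: a verifier that trusts the ASN.1 length for allocation but not for comparison is exactly the inconsistency the advisories describe.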
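The "billion laughs" issue in the neon entry above, as an added example that is not neon's or expat's code: a pre-scan of an XML document's internal DTD that computes how large each entity would expand to without performing the expansion, so the document can be rejected before a parser allocates the result. The sample documents are constructed, and the builder produces the nested-entity shape only so the check has something to measure; parameter and external entities are ignored by the scanner, which is a simplification noted in the code.

```javascript
// Added example, not neon's or expat's code. Bounds entity expansion in an
// internal DTD subset by measuring, not expanding.

// Collect <!ENTITY name "value"> definitions. Parameter entities (<!ENTITY %)
// and external (SYSTEM/PUBLIC) entities are deliberately not matched here.
function parseInternalEntities(xml) {
  const entities = new Map();
  const re = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return entities;
}

// Compute the expanded length of every entity with memoization and a cap.
// Reports the first entity that exceeds `limit` and refuses recursive
// definitions, which would otherwise never terminate.
function checkEntityExpansion(xml, limit = 1000000) {
  const entities = parseInternalEntities(xml);
  const memo = new Map();
  const inProgress = new Set();
  const refRe = /&([A-Za-z_][\w.-]*);/g;

  // Expanded length of one entity: referenced entities count by their own
  // expanded length rather than being substituted as text.
  function expandedLength(name) {
    if (memo.has(name)) return memo.get(name);
    if (inProgress.has(name)) throw new Error(`recursive entity ${name}`);
    inProgress.add(name);
    const value = entities.get(name);
    let len = 0;
    let last = 0;
    for (const m of value.matchAll(refRe)) {
      len += m.index - last;                                           // literal text before the reference
      len += entities.has(m[1]) ? expandedLength(m[1]) : m[0].length;  // unknown refs stay literal
      last = m.index + m[0].length;
      if (len > limit) break;                                          // already over budget
    }
    len += value.length - last;                                        // trailing literal text
    inProgress.delete(name);
    memo.set(name, len);
    return len;
  }

  let maxExpansion = 0;
  let offender = null;
  for (const name of entities.keys()) {
    let len;
    try {
      len = expandedLength(name);
    } catch (err) {
      return { ok: false, reason: err.message, maxExpansion, offender };
    }
    if (len > maxExpansion) {
      maxExpansion = len;
      offender = name;
    }
    if (maxExpansion > limit) {
      return { ok: false, reason: `entity ${offender} expands to more than ${limit} characters`, maxExpansion, offender };
    }
  }
  return { ok: true, reason: null, maxExpansion, offender };
}

// Construct a document in the nested-entity shape: `depth` levels, each
// referencing the previous one ten times. Built only to exercise the check.
function buildNestedEntityDoc(depth) {
  let dtd = ' <!ENTITY e0 "lol">\n';
  for (let i = 1; i <= depth; i++) {
    dtd += ` <!ENTITY e${i} "${`&e${i - 1};`.repeat(10)}">\n`;
  }
  return `<?xml version="1.0"?>\n<!DOCTYPE doc [\n${dtd}]>\n<doc>&e${depth};</doc>`;
}

// Constructed benign document with ordinary entity use.
const BENIGN_DOC = `<?xml version="1.0"?>
<!DOCTYPE doc [
 <!ENTITY company "Example Corp">
 <!ENTITY greet "Hello &company;">
]>
<doc>&greet;</doc>`;

console.log(checkEntityExpansion(BENIGN_DOC));              // ok: true, 18 characters at most
console.log(checkEntityExpansion(buildNestedEntityDoc(9)));  // ok: false
```

The check costs one pass over the DTD plus a memoized walk, so a document with nine levels of tenfold nesting is rejected after a handful of additions; a parser that expands first would have to produce several gigabytes before noticing.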
ocsinventory: SQL injection
Package(s): ocsinventory
CVE #(s): (none)
Created: August 21, 2009
Updated: August 26, 2009
Description: SQL injection vulnerability found in GUI V.1.02
php5: remote denial of service
Package(s): php5
CVE #(s): CVE-2009-2687
Created: August 25, 2009
Updated: February 23, 2010
Description: From the Ubuntu advisory:
It was discovered that PHP did not properly handle certain malformed JPEG images when being parsed by the Exif module. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service.
pidgin: "crash" from crafted URL
Package(s): pidgin
CVE #(s): (none)
Created: August 24, 2009
Updated: August 26, 2009
Description: From the Fedora advisory:
2.6.1 fixes an issue where pidgin can crash if you are sent a certain type of URL over Yahoo.
squirrelmail: cross-site request forgery
Package(s): squirrelmail
CVE #(s): (none)
Created: August 21, 2009
Updated: August 26, 2009
Description: From the Red Hat bugzilla:
It was reported that SquirrelMail did not implement protections against cross-site request forgery (CSRF) attacks. This can be exploited to e.g. change user preferences, delete emails, and potentially send emails when a logged-in user visits a malicious web page.
wordpress: multiple vulnerabilities
Package(s): wordpress
CVE #(s): CVE-2009-2854, CVE-2009-2851, CVE-2009-2853
Created: August 24, 2009
Updated: August 28, 2009
Description: From the Debian advisory:
CVE-2009-2854: It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions.
CVE-2009-2851: It was discovered that the administrator interface is prone to a cross-site scripting attack.
CVE-2009-2853: It was discovered that remote attackers can gain privileges via certain direct requests.
xerces-c27: stack consumption vulnerability
Package(s): xerces-c27
CVE #(s): CVE-2009-1885
Created: August 25, 2009
Updated: December 4, 2009
Description: From the CVE entry:
Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework.
Page editor: Jake Edge