Plus they sent me a bug bounty for discovering an RCE exploitation vector of an already-patched bug. Mar 23, 2015: Public disclosure in Pull Request 4985.Īll in all, I was impressed with Mozilla's response. Jan 20, 2015: RCE implications discovered and disclosed to Mozillaįeb 13, 2015: Mozilla updates their original security advisory, MFSA2015-09 to note possibility of RCE
Jan 13, 2015: Firefox 35.0 shipped with patch Jan 11, 2015: Originally reported to Mozilla as a low-severity DoS, which turned out to be already patched in trunk
This vulnerability was disclosed according to Rapid7's disclosure policy to Mozilla and CERT/CC. Note, that while the Tor Browser Bundle advertises itself as Firefox version 31, it does not appear exploitable in any reasonable setup. 5.6.7.8 firefox_proxy_prototype - Sending HTML response. For the impatient, here's what a command shell looks like in Metasploit Framework (tested against Firefox version 32 release): msf exploit(firefox_proxy_prototype) > 5.6.7.8 firefox_proxy_prototype - Gathering target information.
To see the full exploit source code, see today's disclosure Pull Request 4985. Proxy objects allow transparent interception of Javascript's normal get-/set-property pattern: var x = injectIntoChrome(de) | send_response_html(cli, "js") Proxies are a neat ECMAScript 6 feature that Firefox has had implemented for some time now. Adventures in Browser Exploitation: Firefox 31 - 34 RCEĪ few months ago, I was testing some Javascript code in Firefox involving Proxies. This blog post was originally written by Joe Vennix, and published here with his permission.