Copyright Security-Assessment.com 2009
CoolPreviews (Mozilla Firefox Extension) – Chrome Privileged Code Injection
August 25, 2009
CoolPreviews 2.7.2, 2.7 and potentially also previous versions
Roberto Suggi Liverani – firstname.lastname@example.org
Security-Assessment.com discovered that the CoolPreviews stack feature is vulnerable to Cross-Site Scripting
injection. The CoolPreviews stack previews link content within a chrome window positioned on the right side of
that points to a data URI which embeds the Cross-Site Scripting payload. The injected browser code is rendered
and executed in the chrome privileged Firefox zone.
The code is automatically executed when the user adds the malicious link to the stack (by default, right click and
then Cool Previews – Add To Stack).
The following table shows an example of a malicious link:
Malicious Link With Data URI
<a href="data:text/html;base64,base64encodedpayload">Example link to add to stack</a>
This vulnerability has been patched. See the Solution section of this document for more information.
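One way to keep links like the one above out of a privileged preview window is a scheme allowlist applied before the link is accepted. The following is an added example, not the vendor's patch and not code from this advisory; the function names and sample links are hypothetical and constructed for illustration.

```javascript
// Added example: scheme allowlist applied before a link is handed to a
// privileged (chrome) preview window. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok, scheme, reason } for an href found on the page at pageUrl.
function checkPreviewTarget(href, pageUrl) {
  let url;
  try {
    // The URL parser lowercases the scheme and strips leading whitespace and
    // embedded tab/newline characters, so "  DATA:..." and "da\tta:..." are
    // judged by the same scheme a browser would resolve them to.
    url = new URL(href, pageUrl);
  } catch (e) {
    return { ok: false, scheme: null, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, scheme: url.protocol, reason: "scheme not allowed" };
  }
  return { ok: true, scheme: url.protocol, reason: "" };
}

// Apply the check to every href collected from a page.
function auditLinks(hrefs, pageUrl) {
  return hrefs.map((h) => ({ href: h, ...checkPreviewTarget(h, pageUrl) }));
}

// Constructed sample links; the data: entry mirrors the advisory's table.
const SAMPLES = [
  "http://example.com/page.html",
  "/relative/path",
  "data:text/html;base64,base64encodedpayload",
  "  DATA:text/html,<b>x</b>",
  "da\tta:text/html,x",
  "javascript:void(0)",
  "chrome://browser/content/browser.xul",
];

for (const r of auditLinks(SAMPLES, "https://example.com/")) {
  console.log(r.ok ? "ALLOW" : "BLOCK", JSON.stringify(r.href), r.scheme, r.reason);
}
```

A scheme check only narrows what reaches the preview; rendering untrusted content in an unprivileged content context rather than in chrome is the stronger control.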
This vulnerability can be exploited in several ways. As the injection point is in the chrome privileged browser
zone, it is possible to bypass Same Origin Policy (SOP) protections, and also access Mozilla built-in XPCOM
components. XPCOM components can be used to read and write from the file system, as well as execute
arbitrary commands, steal stored passwords, or modify other Firefox extensions.
Included below is an example exploit which is base64 encoded and included in the malicious link above. This
exploit demonstrates remote code execution by executing win.com with a parameter of cmd.exe. This will
spawn a command shell on the victim’s desktop.
Example Remote Code Exe