Copyright Security-Assessment.com 2009
www.security-assessment.com
Vulnerability Advisory
Name
CoolPreviews (Mozilla Firefox Extension) – Chrome Privileged Code Injection
Date Released
August 25, 2009
Affected Software
CoolPreviews 2.7.2, 2.7 and potentially also previous versions
Researcher
Roberto Suggi Liverani – roberto.suggi@security-assessment.com
Description
Security-Assessment.com discovered that the CoolPreviews stack feature is vulnerable to Cross-Site Scripting
injection. The CoolPreviews stack previews link content within a chrome window positioned on the right side of
the browser window. A malicious page can therefore pass arbitrary browser code, such as JavaScript, via a link
that points to a data URI which embeds the Cross-Site Scripting payload. The injected browser code is rendered
and executed in the chrome privileged Firefox zone.
The code is automatically executed when the user adds the malicious link to the stack (by default, right click and
then Cool Previews – Add To Stack).
The following table shows an example of a malicious link:
Malicious Link With Data URI
<a href="data:text/html;base64,base64encodedpayload">Example link to add to stack</a>
This vulnerability has been patched. See the Solution section of this document for more information.
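One way a privileged preview pane can guard against the injection described above, shown as an added example that is neither CoolPreviews code nor the vendor's patch: resolve each link and load it only if its parsed scheme is http or https. The names vetPreviewLink, describeDataUri and SAFE_SCHEMES and the example.test URLs are assumptions made for illustration.

```javascript
// Added example, not CoolPreviews code. All names here are hypothetical.
// Only these schemes may be loaded into the privileged preview pane.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Summarise a data: URI's declared media type and encoding for the log line.
function describeDataUri(uri) {
  const m = /^data:([^;,]*)((?:;[^;,]*)*),/i.exec(uri);
  if (!m) return " (malformed data URI)";
  const type = m[1].toLowerCase() || "text/plain";
  return ` (${type}${/;base64$/i.test(m[2]) ? ", base64" : ""})`;
}

// Resolve href against the page it came from, then allow it only if the
// parsed scheme is on the allowlist. Parsing first (instead of matching a
// string prefix) handles mixed case, padding and embedded tabs or newlines.
function vetPreviewLink(href, pageUrl) {
  let url;
  try {
    url = new URL(String(href).trim(), pageUrl);
  } catch (err) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!SAFE_SCHEMES.has(url.protocol)) {
    const detail = url.protocol === "data:" ? describeDataUri(url.href) : "";
    return { allowed: false, reason: `scheme ${url.protocol} not allowed${detail}` };
  }
  return { allowed: true, url: url.href };
}

// Constructed sample links; the first is the placeholder link from the advisory.
const PAGE = "http://example.test/page";
const SAMPLES = [
  "data:text/html;base64,base64encodedpayload",
  " DaTa:text/html,placeholder",
  "java\tscript:void(0)",
  "chrome://browser/content/browser.xul",
  "/article",
];
for (const href of SAMPLES) {
  console.log(JSON.stringify(href), "->", JSON.stringify(vetPreviewLink(href, PAGE)));
}
```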
Exploitation
This vulnerability can be exploited in several ways. As the injection point is in the chrome privileged browser
zone, it is possible to bypass Same Origin Policy (SOP) protections, and also access Mozilla built-in XPCOM
components. XPCOM components can be used to read from and write to the file system, as well as execute
arbitrary commands, steal stored passwords, or modify other Firefox extensions.
Included below is an example exploit which is base64 encoded and included in the malicious link above. This
exploit demonstrates remote code execution by executing win.com with a parameter of cmd.exe. This will
spawn a command shell on the victim’s desktop.
Example Remote Code Exe