「Firefox OS Advent Calendar 2014」と「脆弱性"&'<<>\ Advent Calendar 2014」の12月20日の記事です。
先月報告したFirefox OSのHTMLインジェクションバグ(Bug 1101158 )について紹介します。このバグはFirefox OS Simulatorを含む一部の環境ではまだ修正されていませんが、リスク評価の上、Mozillaよりちょうど本日(!!)、公開の許可を頂き掲載しております。
Firefox OS v2.1/v2.2には、端末のホームボタンを長押ししたときに表示されるカードビューに、HTMLインジェクションの可能な箇所がありました。カードビューとはアクティブなウィンドウの一覧を表示する機能なのですが、ウィンドウのタイトルにHTMLタグが含まれることが考慮されていませんでした。
| package sample; | |
| import java.util.*; | |
| public class ArrayTools | |
| { | |
| public static Integer[] Range(final int n, final int n2) { | |
| final Integer[] array = new Integer[n2 - n]; | |
| for (int i = 0; i < array.length; ++i) { | |
| array[i] = n + i; | |
| } |
| <!DOCTYPE HTML> | |
| <html> | |
| <script> | |
| function t() | |
| { | |
| var s="\n"; | |
| var elements=new Array("a","abbr","acronym","address","applet","area","article","aside","audio","b","base","basefont","bdi","bdo","big","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","command","datalist","dd","del","details","dfn","dir","div","dl","dt","em","embed","fieldset","figcaption","figure","font","footer","form","frame","frameset","h1","h2","h6","head","header","hgroup","hr","html","i","iframe","img","input","ins","kbd","keygen","label","layer","legend","li","link","listing","main","map","mark","marquee","menu","meta","meter","nav","nobr","noembed","noframes","nolayer","noscript","object","ol","optgroup","option","output","p","param","plaintext","pre","progress","q","rp","ruby","rt","s","samp","script","section","select","small","source","span","strike","strong","style","sub","summary","sup","table","tbody","td","textarea","tfoot","th","thead","title","tr","track","tt","u","ul","v |
$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git$ nano ~/.zshrcpath=('/path/to/depot_tools' $path)
| #!/usr/bin/env python2 | |
| """ | |
| Author: takeshix <takeshix@adversec.com> | |
| PoC code for CVE-2014-0160. Original PoC by Jared Stafford (jspenguin@jspenguin.org). | |
| Supportes all versions of TLS and has STARTTLS support for SMTP,POP3,IMAP,FTP and XMPP. | |
| """ | |
| import sys,struct,socket | |
| from argparse import ArgumentParser |
| /* | |
| * Naive hit tracer implementation using DynamoRIO. | |
| * | |
| * Author: axt | |
| * | |
| * Build it with the following commands: | |
| * gcc -Dbbhit_EXPORTS -DSHOW_RESULTS -DSHOW_SYMBOLS -fPIC -I../include -I../ext/include -DX86_64 -DLINUX -O2 -fno-stack-protector -o bbhit.c.o -c bbhit.c | |
| * gcc -fPIC -O2 -DX86_64 -DLINUX -fno-stack-protector -fPIC -shared -lgcc -Wl,--hash-style=both -shared -Wl,-soname,libbbhit.so -o libbbhit.so bbhit.c.o ../lib64/debug/libdynamorio.so.4.2 ../ext/lib64/debug/libdrsyms.so | |
| */ | |
| #include <stddef.h> |
| #!/usr/bin/env ruby | |
| # | |
| ## Brute code stolen form: https://gist.github.com/petehamilton/4755855 | |
| # | |
| @domain = 'contoso.com' | |
| def result?(sub) | |
| results = %x(dig +noall #{sub}.#{@domain} +answer) |
これはFirefox OS Advent Calendar 2013 12/14の記事です。
こんにちは、にしむねあです。 この記事ではGeckoのlocalStorageの実装を紹介します。 私はセキュリティの分野に興味があるので、データのアクセス制御がどのように実装されているかを掘り下げてみたいと思います。
| #!/usr/bin/env python2 | |
| import os | |
| import sys | |
| import time | |
| import subprocess | |
| try: | |
| from pyvirtualdisplay import Display | |
| except ImportError: |
| Either put into a plugin or open error console to test: (Ctrl+Shift+J) -> paste -> click 'Evaluate' | |
| Enjoy, | |
| @_wirepair | |
| linux: | |
| var file=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath("/usr/bin/gcalctool");var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);process.init(file);process.run(false, null, 0); | |
| Windows: | |
| var file=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsIFile);file.initWithPath("C:\\windows\\system32\\calc.exe");file.launch(); | |
| or |
