CVE-2013-6853: Stored XSS in Y! Toolbar DOM for FireFox on MAC V3.1 + Windows V2.5 Resolved

CVE-2013-6853: Stored XSS via Code Injection in Y! Toolbar DOM for FireFox on MAC Version 3.1.0.20130813024103 and Windows Version 2.5.9.2013418100420. Resolved

Published January 14, 2014 on XSS.Cx by Hoyt LLC
Date: November 11, 2013                                                Author: Hoyt LLC http://xss.cx/

A local Stored XSS via Code Injection in Y! Toolbar DOM for FireFox on MAC Version 3.1.0.20130813024103 and Windows Version 2.5.9.2013418100420 allows remote attackers to inject arbitrary Javascript into the Yahoo Toolbar for Firefox via AddBMToolbar : function(domBuilder).

Keywords

CVE-2013-6853, Stored XSS, Reflected XSS, DOM XSS, Y! ToolBar DOM, function(domBuilder), clickstream.js, Code Injection, CWE-79, CWE-94, CAPEC-86

CVE-2013-6853 Overview

This Article provides details with respect to a Vulnerability our Researchers identified in the Yahoo Toolbars for Windows and Mac during Q4/2013 (CVE-2013-6853). The Reader is expect to know how to abuse Firefox Extensions.

Y! Toolbar Overview

The Yahoo Toolbar is a FireFox Plugin which is Downloadable from either Yahoo or Mozilla. The stated purpose of the Y! Toolbar is “Web at your fingertips”.. “Get Facebook, email, news, weather and more – right from your toolbar”.

Tools Used
Burp Suite Pro – Must Have
JS Prime – Static Javascript Analysis – jQuery + YUI!
DOM XSS Wiki – RTFM for your Brain
Safari Developer Tools – Web Inspector
FireBug – Element Inspection, CLI
SpiderMonkey – JS Testing
JSBeautify – JS Helper
Selenium –  Recon, Session Replay
User Agents – IE 8-11, Chrome, Safari/WebKit, Mozilla
DOMinator – Useless for YUI3 debugging, use Safari

CVE-2013-6853 – Stored DOM XSS via Code Injection in Y! Toolbar DOM – REPRO
1. Using Firefox, open URL http://beta.data.toolbar.yahoo.com/
2. Install the Y! Toolbar
3. Open a new Tab in FireFox, Click this PoC:
4. ADD (store) the URL (XSS) in the Y! Toolbar Version 3.1.0.20130813024103 by Clicking on the + “Add to Yahoo Toolbar” Icon at Right on Toolbar.
5. Click on the Y! Icon reproducing the XSS.
6. On a MAC, verify the STORED XSS written to File:
~/Library/Application Support/Firefox/Profiles/xxxxxxxxxxx
$ more lb_us_data_toolbar_yahoo_com_*
The Y! Toolbar Config File contents with the complete javascript injection, unsanitized:
The above Code executes the Stored XSS in the Y! Toolbar DOM.
Additional Functionality of the Y! Toolbar for MAC Version 3.1.0.20130813024103 allows for accessing the Saved URL Feature (Stored XSS PoC) from any Computer (Windows included) as seen below:
CVE-2013-6853 has been assigned for Stored DOM XSS via Code Injection in Y! Toolbar DOM for FireFox on MAC Version 3.1.0.20130813024103 and Windows Version 2.5.9.2013418100420.

DOM XSS – chrome://content/ytoolbar/clickstream.js

Line 100: beforeNavigateTime = new Date().getTime();DOM XSS in Y! Toolbar - Clickstream.js 

Y! Toolbar Version Identification

Stored XSS in Y! Toolbar 3.1.0.20130813024103 

CVE-2013-6853 Movie: Stored XSS via Code Injection in Y! Toolbar DOM for FireFox on MAC Version 3.1.0.20130813024103 and Windows Version 2.5.9.2013418100420 Report generated by XSS.Cx at Sat Nov 16 14:54:02 EST 2013.