Closed
Bug 384750
Opened 17 years ago
Closed 17 years ago
Arbitrary code execution by polluting implicit XPCNativeWrapper (without using eval)
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Keywords: verified1.8.1.13, Whiteboard: [sg:critical] Need 1.8 patch, needs bug 387390 also)
Attachments
(1 file, 2 obsolete files)
(deleted),
patch
|
jst
:
review+
jst
:
superreview+
dveditz
:
approval1.8.1.13+
asac
:
approval1.8.0.next?
|
Details | Diff | Splinter Review |
Please see bug 369211.
Content can access implicit XPCNativeWrappers without using eval(), by abusing
tabbrowser.xml's |contentWindow| and |contentDocument| getter functions.
Reporter | ||
Comment 1•17 years ago
|
||
Assignee | ||
Comment 2•17 years ago
|
||
So, at this point, I think the easiest way to fix these is to ensure that the callee has access to the XPCNativeWrapper in the XPCNativeWrapper code itself. I'll come up with a POC patch tomorrow or Monday, but I was wondering if there were better ideas.
Updated•17 years ago
|
Assignee: dveditz → nobody
Component: Security → DOM
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
OS: Windows XP → All
QA Contact: toolkit → general
Hardware: PC → All
Whiteboard: [sg:critical]
Version: unspecified → 1.8 Branch
Updated•17 years ago
|
Assignee: nobody → mrbkap
Updated•17 years ago
|
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Assignee | ||
Comment 3•17 years ago
|
||
This stops the testcase, since any activity on an implicit native wrapper by non-system code is disallowed.
Attachment #270113 -
Flags: review?(jst)
Assignee | ||
Comment 4•17 years ago
|
||
The last patch didn't allow the browser to start. I'm not sure why I didn't see that before, though. This allows access to implicit wrappers with no JS on the stack (which happens when we seal the XPCNativeWrapper prototype on scope creation).
Attachment #270113 -
Attachment is obsolete: true
Attachment #270208 -
Flags: review?(jst)
Attachment #270113 -
Flags: review?(jst)
Updated•17 years ago
|
Attachment #270208 -
Flags: superreview+
Attachment #270208 -
Flags: review?(jst)
Attachment #270208 -
Flags: review+
Assignee | ||
Comment 5•17 years ago
|
||
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 6•17 years ago
|
||
I had to back this out (sigh), Ts doesn't work with it.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 7•17 years ago
|
||
The problem was that we were initializing classes with random JS on the stack. This fixes that problem by setting aside whatever JS is currently running while we initialize XPConnect classes. I don't think that there's a security problem with this, since we're controlling everything that happens during class initialization.
Attachment #270208 -
Attachment is obsolete: true
Attachment #270663 -
Flags: superreview?(jst)
Attachment #270663 -
Flags: review?(jst)
Updated•17 years ago
|
Attachment #270663 -
Flags: superreview?(jst)
Attachment #270663 -
Flags: superreview+
Attachment #270663 -
Flags: review?(jst)
Attachment #270663 -
Flags: review+
Assignee | ||
Comment 8•17 years ago
|
||
Fix checked into trunk.
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•17 years ago
|
Comment 9•17 years ago
|
||
Let's see if we can get a test in our test suite for this.
Flags: in-testsuite- → in-testsuite?
Updated•17 years ago
|
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Updated•17 years ago
|
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Comment 10•17 years ago
|
||
Do we still want this in 1.8.1.8, or should we wait until bug 387390 is also fixed (circumventing this fix)? If we land this we need to include the regression fixes, right?
Comment 11•17 years ago
|
||
Given this patch can be circumvented we'll wait for the real fix in the next update
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Updated•17 years ago
|
Whiteboard: [sg:critical] → [sg:critical] needs bug 387390 also
Updated•17 years ago
|
Flags: blocking1.8.0.14+ → blocking1.8.0.15+
Updated•17 years ago
|
Flags: blocking1.8.1.12+ → blocking1.8.1.13+
Whiteboard: [sg:critical] needs bug 387390 also → [sg:critical] Need 1.8 patch, needs bug 387390 also
Assignee | ||
Comment 12•17 years ago
|
||
Comment on attachment 270663 [details] [diff] [review]
Fixing Ts
This patch applies as-is.
Attachment #270663 -
Flags: approval1.8.1.13?
Comment 13•17 years ago
|
||
Comment on attachment 270663 [details] [diff] [review]
Fixing Ts
approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #270663 -
Flags: approval1.8.1.13? → approval1.8.1.13+
Comment 15•17 years ago
|
||
I don't get an alert with this in Firefox 2.0.0.12 (windows) but I get the giant context menu that has shown up with these sorts of exploit test cases. In 2.0.0.13, I get no alert and a normal context menu. Was this partially fixed in 2.0.0.12 already?
Reporter | ||
Comment 16•17 years ago
|
||
This works on fx2.0.0.12 (and does not work on fx2.0.0.13). The reason that
the old testcase does not work is described in bug 387390 comment #9.
Comment 17•17 years ago
|
||
I tested with the new test case and repro'd the issue in 2.0.0.12. It is fixed in 2.0.0.13 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/2008031114 Firefox/2.0.0.13). Marking verified.
Thanks for the new testcase.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.13 → verified1.8.1.13
Comment 18•17 years ago
|
||
Comment on attachment 270663 [details] [diff] [review]
Fixing Ts
applies cleanly on 1.8.0
Attachment #270663 -
Flags: approval1.8.0.15?
Updated•17 years ago
|
Attachment #268657 -
Attachment is private: true
Updated•17 years ago
|
Attachment #309614 -
Attachment is private: true
Updated•17 years ago
|
Group: security
Comment 19•17 years ago
|
||
It looks like this caused bug 384750, which was never addressed on branch (or linked to this bug). See the thread at http://groups.google.com/group/mozilla.dev.security/browse_frm/thread/200083a2d0cb1562#
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•