Closed
Bug 461743
Opened 16 years ago
Closed 16 years ago
A chrome function runs on content can cause arbitrary code execution hole
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: zeniko)
Details
(Keywords: verified1.8.1.19, verified1.9.0.5, verified1.9.1, Whiteboard: [sg:critical][fixed in bug 464620])
Attachments
(3 files, 1 obsolete file)
(deleted),
patch
|
dveditz
:
approval1.8.1.19+
dveditz
:
approval1.9.0.5+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Details | Diff | Splinter Review |
A chrome function executed by content.setTimeout(chromeFun, ...) or
content.addEvenetListener(type, chromeFun, ...) runs on the content JS context.
Thus, if the chrome function modifies the content DOM, and a content-registered
mutation event listener is called, the listener's scripted caller is the chrome
function. This is a similar problem to bug 360529.
Reporter | ||
Comment 1•16 years ago
|
||
There is an exploitable code in nsSessionStore.js.
http://mxr.mozilla.org/mozilla-central/source/browser/components/sessionstore/src/nsSessionStore.js#1927
1927 if (aData.innerHTML) {
1928 aContent.setTimeout(
1929 function(aHTML) {
1930 if (aContent.document.designMode == "on") {
1931 aContent.document.body.innerHTML = aHTML;
1932 }
1933 }, 0, aData.innerHTML);
1934 }
Reporter | ||
Comment 2•16 years ago
|
||
This works in trunk/fx3 on Windows/Linux, and in fx2 on Windows.
Reporter | ||
Comment 3•16 years ago
|
||
This works in fx2 on Windows/Linux.
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.5+
Flags: blocking1.8.1.19+
Comment 4•16 years ago
|
||
testcase 1, unsurprisingly, works on mac trunk as well.
Updated•16 years ago
|
Flags: blocking1.9.1?
Updated•16 years ago
|
Whiteboard: [sg:critical]
Assignee | ||
Comment 6•16 years ago
|
||
In this case, sanitizing innerHTML wouldn't have helped at all.
Attachment #344952 -
Flags: review?(mrbkap)
Assignee | ||
Comment 7•16 years ago
|
||
Comment on attachment 344952 [details] [diff] [review]
use the chrome window's setTimeout
BTW: |this| is a <xul:browser>, so correctly we'd even rather use
> let window = this.ownerDocument.defaultView;
Comment 8•16 years ago
|
||
Comment on attachment 344952 [details] [diff] [review]
use the chrome window's setTimeout
>diff -r 1622ca12ba25 browser/components/sessionstore/src/nsSessionStore.js
>+ window.setTimeout(function(aHTML) {
>+ if (aContent.document.designMode == "on")
>+ aContent.document.body.innerHTML = aData.innerHTML;
>+ }, 0);
You don't need to take an aHTML parameter anymore.
r=mrbkap with that. Thanks.
Attachment #344952 -
Flags: review?(mrbkap) → review+
Updated•16 years ago
|
Assignee: mrbkap → zeniko
Assignee | ||
Comment 9•16 years ago
|
||
Attachment #344952 -
Attachment is obsolete: true
Assignee | ||
Comment 10•16 years ago
|
||
Does bug 460882 cover the actual core issue as well?
Keywords: checkin-needed
Comment 11•16 years ago
|
||
Can you create an automated testcase (but not checkin until after we ship the fix)?
Flags: in-testsuite?
Assignee | ||
Comment 12•16 years ago
|
||
I'll look into writing tests for this bug and bug 459906 once I've got some time (probably next weekend).
Comment 13•16 years ago
|
||
(In reply to comment #10)
> Does bug 460882 cover the actual core issue as well?
No, I'll file a followup on it.
Comment 14•16 years ago
|
||
Actually, is it possible to use this event in combination with the exploit from bug 360529 to get around the proper use of XPCNativeWrappers? Sanitation might be the only way to fix that bug for real, if so...
Comment 15•16 years ago
|
||
Reporter | ||
Comment 16•16 years ago
|
||
(In reply to comment #14)
> Actually, is it possible to use this event in combination with the exploit from
> bug 360529 to get around the proper use of XPCNativeWrappers?
Yes, the exploit for bug 360529 can use mutation events (see bug 360529 comment
#23 and bug 430658).
Comment 17•16 years ago
|
||
Whoops, I meant bug 459906.
Assignee | ||
Comment 18•16 years ago
|
||
I've adapted the testcases from these bugs for our browser tests. These fail both without the patches and pass with them.
Attachment #345197 -
Flags: review?(mrbkap)
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Updated•16 years ago
|
Attachment #345197 -
Flags: review?(mrbkap) → review+
Assignee | ||
Updated•16 years ago
|
Whiteboard: [sg:critical] → [sg:critical][DONT land tests before Firefox 1.9.0.5 ships!]
Assignee | ||
Updated•16 years ago
|
Attachment #344964 -
Flags: approval1.9.0.5?
Attachment #344964 -
Flags: approval1.8.1.19?
Comment 19•16 years ago
|
||
Comment on attachment 344964 [details] [diff] [review]
updated to comment #7 and comment #8
approved for 1.9.0.5 and 1.8.1.19, a=dveditz for release-drivers
(please watch tinderbox for the tree to open before landing)
Attachment #344964 -
Flags: approval1.9.0.5?
Attachment #344964 -
Flags: approval1.9.0.5+
Attachment #344964 -
Flags: approval1.8.1.19?
Attachment #344964 -
Flags: approval1.8.1.19+
Comment 20•16 years ago
|
||
This patch does not apply cleanly to 1.9.0, and I don't know the code enough to make the change myself (code around this block is different, and I'm not sure if that changes the fix).
Assignee | ||
Comment 21•16 years ago
|
||
Shawn: Thanks for the check-in!
Comment 22•16 years ago
|
||
Checking in browser/components/sessionstore/src/nsSessionStore.js;
new revision: 1.104; previous revision: 1.103
Not sure when this will be able to land on trunk, and I don't have a tree to land it on 1.8.1 (maybe mrbkap can do that since I think he has other patches to land there as well?).
Keywords: fixed1.9.0.5
Assignee | ||
Comment 23•16 years ago
|
||
This bug was FIXED in bug 464620 where patches hadn't been checked in already. Tests will land in bug 464620 as well.
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [sg:critical][DONT land tests before Firefox 1.9.0.5 ships!] → [sg:critical][fixed in bug 464620]
Updated•16 years ago
|
Keywords: fixed1.8.1.19
Comment 24•16 years ago
|
||
Verified for 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre.
Verified for 1.9.0.5 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008112505 GranParadiso/3.0.5pr.
Doesn't reproduce in current trunk. Marking as verified.
Status: RESOLVED → VERIFIED
Updated•16 years ago
|
Keywords: fixed1.9.1
Updated•16 years ago
|
Flags: wanted1.8.0.x-
Updated•16 years ago
|
Keywords: verified1.9.1
Updated•16 years ago
|
Keywords: fixed1.9.1
Updated•15 years ago
|
Attachment #344853 -
Attachment is private: true
Updated•15 years ago
|
Attachment #344854 -
Attachment is private: true
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•