Closed Bug 143853 Opened 23 years ago Closed 23 years ago

Bypassing same-origin via Exception.prototype

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: murawaki, Assigned: jst)

Details

(Keywords: topembed)

Attachments

(1 file)

proposed fix
955 bytes, patch
dbradley
: review+
jst
: superreview+
endico
: approval+
Details | Diff | Splinter Review
The prototype of prototype of DOMException instance is a "persistent" object and arbitrary web pages can add a property to it. This bug allows circumventing same origin security policy. ----- a.html ----- try { document.documentElement.removeChild({}); // causes a DOMException } catch (e) { e.__proto__.__proto__.sd = "secret"; } ----- b.html ----- try { document.documentElement.appendChild({}); // causes a DOMException too } catch (e) { alert(e.__proto__.__proto__.sd); // "secret" }
confirming, and -> security group. Testing on RC2 with http://localhost/~bbaetz/foo/a.html and http://192.168.0.2/~bbaetz/foo/b.html Is this exploitable? Its a security bug, in any event, though.
Group: security?
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: accessible to "persistent" object 2 → Bypassing same-origin via Exception.prototype
I think this is exploitable. This is essentially same with an old Communicator's bug: http://packetstormsecurity.nl/9911-exploits/netscape.4.x.java.txt
e.__proto__.__proto__ == window.Object.prototype as calculated by XPCWrappedNativeScope::SetGlobal. e.__proto__ == an instance of XPC_WN_ModsAllowed_Proto_JSClass created by XPCWrappedNativeProto::Init. btw jst: The reason you could not do alert(e.__proto__) is because XPC_WN_Shared_Proto_Convert is broken. It should at least handle the JSTYPE_STRING case. Anyway, I notice that this bug does not bite if the documents are openned in different windows. It looks like the problem is in how xpconnect deals with the DOM's calls to it that re-init xpconnect's info about the global object. nsJSContext::InitContext calls nsXPConnect::InitClasses which calls XPCWrappedNativeScope::GetNewOrUsed which finds an existing XPCWrappedNativeScope object which has already cached window.Object.prototype (which is now stale). I think that XPCWrappedNativeScope::GetNewOrUsed needs to call XPCWrappedNativeScope::SetGlobal whenever it is called and discovers an existing XPCWrappedNativeScope for the given global object. This will force it to reload its cache of the Object.prototype. I'll give this a try and post a patch if it seems to works right.
Attached patch proposed fixSplinter Review
This patch looks to be doing the right thing. It fixes the test case for me. I traced in the debugger and noted that I saw this new code getting called only on document loads into windows that previously had documents. So, no unexpected excessive calls that I could see. And, the mPrototypeJSObject really is getting replaced with a new value as expected. I have not run extensively with the patch to uncover any other possible problems. Please help test.
Comment on attachment 83478 [details] [diff] [review] proposed fix r=dbradley
Attachment #83478 - Flags: review+
Comment on attachment 83478 [details] [diff] [review] proposed fix sr=jst
Attachment #83478 - Flags: superreview+
I would think we'd want this for mozilla1.0/MachV, nominating. Jband, feel free to take this bug from me if you want to roll this in, if not I'll be happy to push your patch in...
Status: NEW → ASSIGNED
Keywords: mozilla1.0, nsbeta1, topembed
OS: other → All
Priority: -- → P1
Hardware: Other → All
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla1.0
Keywords: nsbeta1nsbeta1+
Whiteboard: [HAVE FIX] → [HAVE FIX][ADT1 RTM]
Fix checked in on the trunk.
Whiteboard: [HAVE FIX][ADT1 RTM] → [FIXED ON TRUNK][ADT1 RTM]
Comment on attachment 83478 [details] [diff] [review] proposed fix a=chofmann,brendan,shaver
Attachment #83478 - Flags: approval+
adding adt1.0.0+. Please checkin to the 1.0 branch.
Keywords: adt1.0.0+
Fixed on branch.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED
verified1.0.0 on 05-22-18-1.0.0 & also Verified on trunk on 05-23-08-trunk.
Status: RESOLVED → VERIFIED
Keywords: verified1.0.0
Group: security?
Keywords: adt1.0.0+, fixed1.0.0, mozilla1.0
Whiteboard: [FIXED ON TRUNK][ADT1 RTM]
Component: DOM: Core → DOM: Core & HTML
QA Contact: desale → general
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: