Closed Bug 298892 Opened 19 years ago Closed 19 years ago

Node spoofing (using e.g. XHTML) to bypass security checks

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: jst)

References

Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix] ready for landing)

Attachments

(6 files)

Loading chrome via viewImage()
1.81 KB, application/xml
Details
Arbitrary code execution via setWallpaper()
2.03 KB, application/xml
Details
Check instanceof rather than spoofable localName
21.79 KB, patch
mconnor
: review+
neil
: superreview+
jay
: approval-aviary1.0.5+
jay
: approval1.7.9+
Details | Diff | Splinter Review
fix syntax error
1.23 KB, patch
neil
: review+
neil
: superreview+
Details | Diff | Splinter Review
Remove findParentNode (xpfe version)
2.17 KB, patch
timeless
: review+
dveditz
: superreview+
dveditz
: approval1.8b3+
Details | Diff | Splinter Review
Branches patch
5.83 KB, patch
dveditz
: review+
dveditz
: superreview+
dveditz
: approval-aviary1.0.5+
dveditz
: approval1.7.9+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050626 Firefox/1.0.5

According to Bonsai, some url-checks of image.src have been added for bug 292774
and bug 292737 (I cannot see bug 292774 and bug 292737).  But, those can be
bypassed.

The following url-check has been added for bug 292774.

    viewImage : function (e) {
        urlSecurityCheck( this.imageURL, document )
        openUILink( this.imageURL, e );
    },

The following url-checks have been added for bug 292737.

 browser.js:
    else if (makeURL(this.target.src).scheme == "javascript")
        disableSetWallpaper = true;

 setWallpaper.xul:
    if (makeURL(window.arguments[0].src).scheme == "javascript")
      return false;


Vulnerable code from nsContextMenu.prototype.setTarget:

        if ( this.target.nodeType == Node.ELEMENT_NODE ) {
             if ( this.target.localName.toUpperCase() == "IMG" ) {
                this.onImage = true;
                this.imageURL = this.target.src;

Exploit:

1) In an XHTML document, since tags are case-sensitive, <IMG> element is not a
HTMLImageElement, it is a HTMLUnknownElement that does not have |src| property.
thus, content can make chrome access content-defined getter function of |src|
property of <IMG> element.

2) The approach for bypassing url-check is the same as Bug 249332 (Bypassing
CheckLoadURI using custom getters and changing toString returns).


Note: The trunk is not affected thanks to the fix for Bug 281988.


Reproducible: Always

Steps to Reproduce:
I've confirmed that this works on:
Firefox 1.0.5 2005-06-26-05
Mozilla 1.7.9 2005-06-24-08
I've confirmed that this works on:
Firefox 1.0.5 2005-06-26-05
This is more or less bug 290324 for Firefox itself, except using .xhtml instead
of creating dynamic XUL nodes.

http://lxr.mozilla.org/aviary101branch/search?string=localName.

Most or all of those places would be safer doing an instanceof check instead.
Patch coming up
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3?
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
Summary: The fixes for bug 292774 and bug 292737 can be bypassed → Node spoofing (using e.g. XHTML) to bypass security checks
Whiteboard: [sg:fix]
Maybe another day or two to test and make sure we're ready to take a fix for this.
jst says, "remember to look for nodeName"
the patch in bug 290420 covers the same issues in browser.js, but misses the
actual contextMenu.js spot.

Some of these are fixed on the trunk. This xhtml <IMG> example in particular is
changed to use instanceof
Depends on: 290420
What exactly is left to do on trunk for this bug?
Flags: blocking1.8b3? → blocking1.8b3+

        Attachment #187685 -
        Flags: superreview?(neil.parkwaycc.co.uk)

        Attachment #187685 -
        Flags: review?(mconnor)
Whiteboard: [sg:fix] → [sg:fix] need review

        Attachment #187685 -
        Flags: review?(mconnor) → review+

    
    

    
  
Comment on attachment 187685 [details] [diff] [review]
Check instanceof rather than spoofable localName

Mostly ok, but if you've got time for a few tweaks then keep reading...

>                             if ( area.nodeType == Node.ELEMENT_NODE
>                                  &&
>-                                 area.localName.toUpperCase() == "AREA" ) {
>+                                 area instanceof HTMLAreaElement ) {
( area instanceof HTMLAreaElement ) implies area is an element node.

>+                    if ( ( elem instanceof HTMLQuoteElement && 'cite' in elem && elem.cite)  ||
>+                         ( elem instanceof HTMLTableElement && 'summary' in elem && elem.summary) ||
( elem instanceof HTMLQuoteElement ) implies 'cite' in elem (although not
elem.cite of course). Same goes for table summary.

>+                         ( ( elem instanceof HTMLInsElement || elem instanceof HTMLDelElement ) &&
>                            ( ( 'cite' in elem && elem.cite ) ||
>                              ( 'dateTime' in elem && elem.dateTime ) ) )               ||
>                          ( 'title' in elem && elem.title )                             
I discovered that we can use ( elem instanceof HTMLModElement ) which covers
both INS and DEL. Again, the 'cite' and 'dateTime' in elem are implied. ( elem
instanceof HTMLElement ) could be used instead of 'title' in elem.

>+      if (node instanceof HTMLInputElement)
>+        return (node.type == "text" || node.type =="password")
>+      else
>+        return (node instanceof HTMLTextAreaElement);
I like this fix but I would like it more if you added a space between == and
"password" and more still if you fixed the other two files in the same way ;-)

>+      if (e.type.toLowerCase() == "text" || e.type.toLowerCase() == "hidden" ||
>+          e instanceof HTMLTextAreaElement)
I don't think this is spoofable because we already know this is a form element.
That said, you could probably check e.type everywhere.

        Attachment #187685 -
        Flags: superreview?(neil.parkwaycc.co.uk) → superreview+

    
    

    
  
Comment on attachment 187685 [details] [diff] [review]
Check instanceof rather than spoofable localName

Let's get this in on the branches.  Leaving it up to dveditz to decide whether
or not we want the tweaks. a=jay

        Attachment #187685 -
        Flags: approval1.7.9+

        Attachment #187685 -
        Flags: approval-aviary1.0.5+

    
  
Whiteboard: [sg:fix] need review → [sg:fix] needs landing by dveditz

    
    

    
  
we do want the tweaks, waste of Neil's time if we don't use his effort to get
better.

    
    

    
  
Comment on attachment 187685 [details] [diff] [review]
Check instanceof rather than spoofable localName

>-      if (node.localName.toUpperCase() == "INPUT") {
>-        var attrib = "";
>-        var type = node.getAttribute("type");
>-
>-        if (type)
>-          attrib = type.toUpperCase();
>-
>-        return( (attrib != "IMAGE") &&
>-                (attrib != "CHECKBOX") &&
>-                (attrib != "RADIO") &&
>-                (attrib != "SUBMIT") &&
>-                (attrib != "RESET") &&
>-                (attrib != "FILE") &&
>-                (attrib != "HIDDEN") &&
>-                (attrib != "RESET") &&
>-                (attrib != "BUTTON") );
>-      } else  {
>-        return(node.localName.toUpperCase() == "TEXTAREA");
>-      }
>+      if (node instanceof HTMLInputElement)
>+        return (node.type == "text" || node.type =="password")
>+      else
>+        return (node instanceof HTMLTextAreaElement);

There's a reason that the old code here was checking that the type is not one
of a long list:  inputs with an unrecognized type attribute are treated as
type="text".  This behavior is important for future compatibility.  Any chance
this could be fixed?

    
    

    
  
Er, actually, never mind.  Now I see that the .type property (but not
getAttribute()) is normalized to "text" in those cases.

    
    

    
  
Fixed on trunk and branches
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed-aviary1.0.5, 
          
            fixed1.7.9
Resolution: --- → FIXED
Whiteboard: [sg:fix] needs landing by dveditz → [sg:fix]

    
    

    
  
guys, this broke seamonkey's context menu due to a syntax error
Error: missing ) after condition
Source File: chrome://communicator/content/nsContextMenu.js
Line: 398, Column: 25
Source Code:
                         elem.getAttributeNS(XMLNS, "lang") ) {
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
it would've been nice if the patch that was actaully checked in had been
attached here...

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix syntax errorSplinter Review
      

    


  

        Attachment #187837 -
        Flags: superreview?(dveditz)

        Attachment #187837 -
        Flags: review?(neil.parkwaycc.co.uk)

    
  

        Attachment #187837 -
        Flags: superreview?(dveditz)

        Attachment #187837 -
        Flags: superreview+

        Attachment #187837 -
        Flags: review?(neil.parkwaycc.co.uk)

        Attachment #187837 -
        Flags: review+

    
    

    
  
Sorry my earlier sr= submit didn't appear to go through, but looks like neil
covered it anyway.

I double-checked what was checked in and this affects only trunk suite. The
initial patch was developed for the branches and xpfe moved things around a bit
on trunk, and I dropped the || during the conflict merge (but did remember to
add it in the browser.js version).

The thunderbird version mail/base/content/nsContextMenu.js didn't get the added
"|| elem.getAttributeNS(XMLNS, "lang")" from bug 207274 -- is that going to
matter? I guess I'll comment over there.

    
    

    
  
checked in biesi's fix.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED

    
  
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
findParentNode() is remaining.

Vulnerable code from contentAreaClick():
  linkNode = findParentNode(event.originalTarget, "a");

On the trunk, this can be combined with other bug to execute arbitrary code.


    
    

    
  
attachment 188087 [details] in Bug 299520 comment 1
A exploit testcase that is using xhtml <A>.


    
    

    
  


  
I changed the useful invocation of findParentNode into a while loop.

The other use is unnecessary because scrollbar.xml blocks clicks on scrollbars.

        Attachment #188089 -
        Flags: superreview?(dveditz)

        Attachment #188089 -
        Flags: review?(timeless)

    
    

    
  
Comment on attachment 188089 [details] [diff] [review]
Remove findParentNode (xpfe version)

sr=dveditz
This is Suite only, need mozilla/mail and mozilla/browser versions (yay
forking!)

        Attachment #188089 -
        Flags: superreview?(dveditz) → superreview+

    
  

        Attachment #188089 -
        Flags: review?(timeless) → review+

    
    

    
  
Can anyone jump in here and get patches ready for landing on the Aviary branch
for Firefox and Thunderbird?

    
    

    
  
Reassigning to jst to patch up browser and mail.  Dveditz can patch the 1.7
branch when those patches are ready.
Assignee: dveditz → jst
Status: REOPENED → NEW

    
  
Whiteboard: [sg:fix] → [sg:fix] need patches for browser and mail eta 7/5

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Branches patchSplinter Review
      

    


  
I just removed all references to findParentNode and replaced them with
something that I think should be equivalent although I haven't even checked my
typing.

    
  

        Attachment #188089 -
        Flags: approval1.8b3?

    
    

    
  
Comment on attachment 188372 [details] [diff] [review]
Branches patch

r/sr=dveditz for the branch/FE ports

        Attachment #188372 -
        Flags: superreview+

        Attachment #188372 -
        Flags: review+

    
    

    
  
Let's get those patches checked in the appropriate places asap. a=jay again. :-)
Whiteboard: [sg:fix] need patches for browser and mail eta 7/5 → [sg:fix] ready for landing

    
    

    
  
Dveditz: Do we need to get this on the Trunk as well?  If so, can you a= for
1.8b3 and get it checked in there as well?  

    
    

    
  
Comment on attachment 188089 [details] [diff] [review]
Remove findParentNode (xpfe version)

a=dveditz

        Attachment #188089 -
        Flags: approval1.8b3? → approval1.8b3+

    
    

    
  
Comment on attachment 188372 [details] [diff] [review]
Branches patch

a=dveditz for branches

        Attachment #188372 -
        Flags: approval1.7.9+

        Attachment #188372 -
        Flags: approval-aviary1.0.5+

    
    

    
  
Neil's patch checked into the aviary1.0.1 branch
Keywords: fixed-aviary1.0.5

    
    

    
  
Fixed on the 1.7 branch
Keywords: fixed1.7.9

    
    

    
  
xpfe patch checked in to trunk.

    
    

    
  
Checked neil's patch into the trunk.

Please open any variations or similar problems as new bugs
Status: NEW → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED

    
    

    
  
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5
No longer depends on: 299901

    
    

    
  
Adding distributors

    
    

    
  
Security advisories published
Group: security

    
    

    
  
This is MFSA2005-55 and assigned as http://secunia.com/advisories/16043/ (issue
#8). Is it possible to update 'Alias' field to include SA16043 now?
Depends on: 301873

    
    

    
  
This fix caused bug 301873.
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: