1277475 - (CVE-2016-5262) XSS out of iframe sandbox, iframe disabled javascript. marquee

Status: VERIFIED FIXED

(Core :: DOM: Security, defect)

Description

[Nikita]

Attachment: security bug.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Steps to reproduce:

1) create first file index.html with
<html>
<head></head>
<body>
<marquee loop=1 width=0 onfinish=alert(1)>
</body>
</html>
2) create second file iframe.html with
<html>
<body>
	<iframe frameborder="0" sandbox="allow-same-origin" src="./index.html">
	</iframe>
</body>
</html>
3) Open iframe.html at firefox last version 46.0.1


Actual results:

XSS. javascript executed.
At chrome and safari problem not occur.


Expected results:

XSS should not be executed

I think this issue is part of bug bounty program https://www.mozilla.org/en-US/security/client-bug-bounty/

Comment 1

[:Gijs (he/him)]

Bob, can you take a look or point to someone who can?

Comment 2

[Bob Owen (:bobowen)]

Yes it would appear this is not caught by whatever checks we have to prevent script running in the iframe sandbox.
I'll dig a bit further, might be tomorrow though now.

Comment 3

[Bob Owen (:bobowen)]

Attachment: Don't allow non-chrome/native event listeners when sandboxed without scripts

I need to write a test for this, but thought I'd get the patch up for review, because I'm slightly concerned this might break things other than marquee.

This blocks listeners similar to the check we have in SetEventHandler [1], but not when they are from chrome/native.

This in fact stops the marquee from working at all in the sandbox, because it uses onload to initialise itself [2].
This is probably no bad thing for marquee, but as I say, my concern is this will break other things as well.


[1] http://searchfox.org/mozilla-central/rev/cd94cb207b1109575211bc6681c164f5298689bb/dom/events/EventListenerManager.cpp#827
[2] http://searchfox.org/mozilla-central/rev/cd94cb207b1109575211bc6681c164f5298689bb/layout/style/xbl-marquee/xbl-marquee.xml#651

Comment 4

[Bob Owen (:bobowen)]

bz - any chance you could take a look at reviewing this, smaug has a comment that he has a really heavy load at the moment.

See comment 3 for details.

Comment 5

[Bob Owen (:bobowen)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=0cdace97658f

Comment 6

[Bob Owen (:bobowen)]

Damn, forgot about pushing to try on sec bugs again.

Comment 7

[Boris Zbarsky [:bzbarsky]]

This doesn't seem like the right fix...

The right fix would be to change the marquee binding to ignore the attribute event handlers if sandboxed without allow-scripts, I would think.  That probably requires an accessor for the sandbox state on Document (probably conditioned on IsChromeOrXBL).

Comment 8

[Bob Owen (:bobowen)]

Attachment: Part 1: Add a chrome and XBL accessor for the sandboxed scripts flag to Document WEBIDL

MozReview-Commit-ID: Cv0vJCdLH4D

Comment 9

[Bob Owen (:bobowen)]

Attachment: Part 2: Ignore marquee attribute event handlers when sandboxed scripts flag is set on its owning Document

MozReview-Commit-ID: IvUAvkEQcSW

Comment 10

[Bob Owen (:bobowen)]

Attachment: Part 3: Ensure marquee attribute event handlers don't run when sandboxed scripts flag is set on its owning Document

MozReview-Commit-ID: 4vWafBniv4R

Comment 11

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8760321 [details] [diff] [review]
Part 1: Add a chrome and XBL accessor for the sandboxed scripts flag to Document WEBIDL

It would make sense to use this new accessor in nsDocument::IsScriptEnabled, nsJSThunk::EvaluateScript, EventListenerManager::SetEventHandler, nsScriptLoader::StartLoad, and nsScriptLoader::ProcessScriptElement instead of directly poking the flags.

r=me with that.

Comment 12

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8760322 [details] [diff] [review]
Part 2: Ignore marquee attribute event handlers when sandboxed scripts flag is set on its owning Document

r=me

Comment 13

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8760323 [details] [diff] [review]
Part 3: Ensure marquee attribute event handlers don't run when sandboxed scripts flag is set on its owning Document

This is theoretically racy in the sense that it might pass if all the if2 messages show up before any of the if1 messages.

Could we address that by adding capturing listeners from the parent page for the relevant events on document.getElementById("if1").contentWindow before we start the load of "file_marquee_event_handlers.html" in that iframe?  Then we could end the test when we get 3 messages from if2 _and_ all three of those capturing listeners fired _and_ an event loop tick (e.g. executeSoon) passed since the firing of the last listener, _and_ a message we posted to if1 after the last listener fired was echoed back to us (to ensure that we wait for the async message events to come through)?

r=me either way, but I think doing something like that would make the test guaranteed non-racy.

Comment 14

[Bob Owen (:bobowen)]

Once I've addressed bz's comments is it OK for me to push this to try given that this is sec-moderate?

(I've already pushed an old patch, but it wasn't as obvious what the issue is with that one.)

Comment 15

[Al Billings [:abillings - ex-MoCo]]

Bob, yes, that is fine.

Comment 16

[Bob Owen (:bobowen)]

Attachment: Part 1: Add a chrome and XBL accessor for the sandboxed scripts flag to Document WEBIDL

Carrying r=bz from comment 11.

(In reply to Boris Zbarsky [:bz] from comment #11)
> Comment on attachment 8760321 [details] [diff] [review]
> Part 1: Add a chrome and XBL accessor for the sandboxed scripts flag to
> Document WEBIDL
> 
> It would make sense to use this new accessor in nsDocument::IsScriptEnabled,
> nsJSThunk::EvaluateScript, EventListenerManager::SetEventHandler,
> nsScriptLoader::StartLoad, and nsScriptLoader::ProcessScriptElement instead
> of directly poking the flags.
> 
> r=me with that.

Done, should have thought of that thanks.

Comment 17

[Bob Owen (:bobowen)]

Attachment: Part 3: Ensure marquee attribute event handlers don't run when sandboxed scripts flag is set on its owning Document

Carrying r=bz from comment 13.

(In reply to Boris Zbarsky [:bz] from comment #13)
> Comment on attachment 8760323 [details] [diff] [review]
> Part 3: Ensure marquee attribute event handlers don't run when sandboxed
> scripts flag is set on its owning Document
> 
> This is theoretically racy in the sense that it might pass if all the if2
> messages show up before any of the if1 messages.
> 
> Could we address that by adding capturing listeners from the parent page for
> the relevant events on document.getElementById("if1").contentWindow before
> we start the load of "file_marquee_event_handlers.html" in that iframe? 
> Then we could end the test when we get 3 messages from if2 _and_ all three
> of those capturing listeners fired _and_ an event loop tick (e.g.
> executeSoon) passed since the firing of the last listener, _and_ a message
> we posted to if1 after the last listener fired was echoed back to us (to
> ensure that we wait for the async message events to come through)?
> 
> r=me either way, but I think doing something like that would make the test
> guaranteed non-racy.

Once, I'd re-learnt how to do this stuff this worked like a dream.

Comment 18

[Bob Owen (:bobowen)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=42e55e00e716b3f690310aa068e8dcf3809ec68a

Comment 19

[Bob Owen (:bobowen)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/af451fc9572a
https://hg.mozilla.org/integration/mozilla-inbound/rev/4a0706b3d080
https://hg.mozilla.org/integration/mozilla-inbound/rev/963e5b62da1b

Comment 20

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/af451fc9572a
https://hg.mozilla.org/mozilla-central/rev/4a0706b3d080
https://hg.mozilla.org/mozilla-central/rev/963e5b62da1b

Comment 21

[Bob Owen (:bobowen)]

Comment on attachment 8761163 [details] [diff] [review]
Part 1: Add a chrome and XBL accessor for the sandboxed scripts flag to Document WEBIDL

Approval Request Comment
[Feature/regressing bug #]:
This would have been an issue in the original iframe sandbox implementation.

[User impact if declined]:
iframes sandboxed from script can be bypassed to run script. 

[Describe test coverage new/current, TreeHerder]:
There are some in tree marquee tests.
New tests added to ensure that the attribute handlers are now blocked, but work with allow-scripts keyword on the iframe sandbox attribute.

[Risks and why]:
Low - the fix is relatively simple. Just exposing whether the document is sandboxed from running scripts to XBL and chrome and then adding a check for this in the marquee XBL when the attribute event handlers would normally be added.

[String/UUID change made/needed]:
None

Comment 22

[Bob Owen (:bobowen)]

Comment on attachment 8760322 [details] [diff] [review]
Part 2: Ignore marquee attribute event handlers when sandboxed scripts flag is set on its owning Document

See comment 21.

Comment 23

[Bob Owen (:bobowen)]

Comment on attachment 8761164 [details] [diff] [review]
Part 3: Ensure marquee attribute event handlers don't run when sandboxed scripts flag is set on its owning Document

See comment 21.

Comment 24

[Bob Owen (:bobowen)]

Just as a follow up to this, bz said the only other element implemented in XBL that could in theory have the same issue would be <video>.
He was pretty sure it would be fine, but we should check.

I've checked the spec for this on MDN and there are no similar attribute event handlers.
I've also looked through the XBL and can't find any issues, all the calls to addEventListener are for internal Listeners within the XBL.

Comment 25

[Boris Zbarsky [:bzbarsky]]

It's just the video controls that use XBL, not <video> itself, iirc.

Comment 26

[Bob Owen (:bobowen)]

(In reply to Boris Zbarsky [:bz] from comment #25)
> It's just the video controls that use XBL, not <video> itself, iirc.

Yes, this is just me confusing the terminology.

The file I checked was toolkit\content\widgets\videocontrols.xml

Comment 27

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8761163 [details] [diff] [review]
Part 1: Add a chrome and XBL accessor for the sandboxed scripts flag to Document WEBIDL

Improve the security, taking it. Should be in 48 beta 3


Bob, I guess ESR 45 is impacted, right?

Comment 28

[Bob Owen (:bobowen)]

(In reply to Sylvestre Ledru [:sylvestre] from comment #27)

> Bob, I guess ESR 45 is impacted, right?

I haven't tested it, but yes it must be.

Comment 29

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/c40ae6d6fb99
https://hg.mozilla.org/releases/mozilla-aurora/rev/528cd3ea51b9
https://hg.mozilla.org/releases/mozilla-aurora/rev/df1161c9fc74

Comment 30

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-beta/rev/095ef4935f26
https://hg.mozilla.org/releases/mozilla-beta/rev/ab01099ea2a5
https://hg.mozilla.org/releases/mozilla-beta/rev/3ce597865e49

Comment 31

[Ada [:adalucinet]]

Reproduced with Firefox 47.0.1 on Windows 10 64-bit → the alert pops up as soon as iframe.html is loaded.
Verified fixed with Firefox 48.0 build 1, latest Dev Edition 49.0a2 and Nightly 50.0a1 under Windows 10 64-bit, Mac OS X 10.11.1 and Ubuntu 16.04 64-bit