Closed Bug 783957 Opened 12 years ago Closed 12 years ago

Arbitrary code execution with Flash plugin using bug 783260

Categories

(Core :: Security, defect)

Platform: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: normal

Tracking


VERIFIED FIXED
Tracking Status
firefox14 --- wontfix
firefox15 --- wontfix
firefox16 --- verified
firefox17 --- verified
firefox18 --- verified
firefox-esr10 16+ verified

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Details

(Keywords: sec-critical, Whiteboard: [sg:dupe 783260][advisory-tracking+])

Fx15,14,10 are exploitable as described in bug 783260 comments 6-8.

This uses bug 344495's trick.
This works on fx15,14,10.

This uses bug 344495's trick.
This works on fx15,14,10.

How is this a different bug than bug 783260?

(In reply to Benjamin Smedberg  [:bsmedberg] from comment #3)
> How is this a different bug than bug 783260?

Because it adds remote code execution exploits for it? I thought it was standard practice for moz_bug_r_a4 to put those in a separate bug.

(In reply to Bobby Holley (:bholley) from comment #4)
> (In reply to Benjamin Smedberg  [:bsmedberg] from comment #3)
> > How is this a different bug than bug 783260?
> 
> Because it adds remote code execution exploits for it? I thought it was
> standard practice for moz_bug_r_a4 to put those in a separate bug.

Er, yes. I filed this bug to attach the testcases.

Depends on: CVE-2012-3991
Whiteboard: [sg:dupe 783260]

Who can we assign this to in order to get traction?

bholley, although I'm pretty sure it's a straight dup. I don't understand the bit about the testcases.

Assignee: nobody → bobbyholley+bmo

(In reply to Benjamin Smedberg  [:bsmedberg] from comment #8)
> bholley, although I'm pretty sure it's a straight dup. I don't understand
> the bit about the testcases.

Yes, it's a dupe. moz_bug_r_a4 has various tricks that we don't like to reveal when bugs are made public, so we try to post the remote code execution testcases in a separate bug sometimes (this is my understanding, at least).

Summary: Arbitrary code execution with Flash plugin → Arbitrary code execution with Flash plugin using bug 783260

(In reply to Bobby Holley (:bholley) from comment #9)
> (In reply to Benjamin Smedberg  [:bsmedberg] from comment #8)
> > bholley, although I'm pretty sure it's a straight dup. I don't understand
> > the bit about the testcases.
> 
> Yes, it's a dupe. moz_bug_r_a4 has various tricks that we don't like to
> reveal when bugs are made public, so we try to post the remote code
> execution testcases in a separate bug sometimes (this is my understanding,
> at least).

When attaching remote code execution testcases to a bug, if persons in that bug seem to be Mozilla staff or seem to already know tricks used by the testcases, I attach the testcases to that bug. Otherwise, I attach the testcases to a separate bug because I can't create private comments/attachments.

Resolving this fixed because bug 783260 is now fixed. I mentioned in that bug to verify the testcases here.

I'm confused by the flags on this bug. Bug 783260 is ESR only and doesn't affect anything else. This bug, based on it, says it is won't fix for Firefox 14 and 15 and comments 1 and 2 repeat that this is exploitable on 14 and 15.

How did 16 wind up unaffected and if 14 and 15 are affected, why doesn't bug 783260 say the same?

(In reply to Al Billings [:abillings] from comment #12)
> I'm confused by the flags on this bug. Bug 783260 is ESR only and doesn't
> affect anything else. This bug, based on it, says it is won't fix for
> Firefox 14 and 15 and comments 1 and 2 repeat that this is exploitable on 14
> and 15.
> 
> How did 16 wind up unaffected and if 14 and 15 are affected

Because bug 754202 landed for 16.

>  why doesn't bug 783260 say the same?

It did, modulo the fact that status-15 was blank. I just explicitly wontfixed this there.

Anyway, the point here is that this bug only affects 15 and esr10.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dupe 783260] → [sg:dupe 783260][advisory-tracking+]

(In reply to Bobby Holley (:bholley) from comment #13)
> Anyway, the point here is that this bug only affects 15 and esr10.

Since this is a security bug we prefer marking it "fixed" rather than "unaffected", since we did check in code that fixed it (bug 754202) on mozilla-central.

Kamil, can you please test the testcases attached to this bug to verify it's fixed? It should be fixed in the latest Firefox 16, 17, 18, and esr10 builds. Thank you.

Went through the following builds to make sure that the reported issue is reproducible using Firefox 10, 14, 15:

Firefox 10(Issue Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/10.0.2/win32/en-US/
- Ran TestCase#1 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- Ran TestCase#2 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- For both TestCase#1 and TestCase#2, received no error messages in the error console

Firefox 14 (Issue Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/
- Ran TestCase#1 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- Ran TestCase#2 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- For both TestCase#1 and TestCase#2, received no error messages in the error console

Firefox 15 (Issue Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/15.0.1/win32/en-US/
- Ran TestCase#1 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- Ran TestCase#2 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- For both TestCase#1 and TestCase#2, received the following in the error console:
"Error: Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated. See https://developer.mozilla.org/en/XPConnect_wrappers for more information."

Went through the following builds to ensure that the above issue has been fixed in Firefox 16, 17, 18, esr10:

Firefox 16 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/16.0.2/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- For both TestCase#1 and TestCase#2, received the following in the error console:
"Error: TypeError: can't redefine non-configurable property 'top'"

Firefox 17 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- Both TestCase#1 and TestCase#2 produced several syntax errors related to the test cases (.html files)

Firefox 18 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/18.0b1/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- Both TestCase#1 and TestCase#2 produced several syntax errors related to the test cases (.html files)

Firefox esr10 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest-10.0esr/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- Both TestCase#1 and TestCase#2 produced several syntax errors related to the test cases (.html files)

Thanks a lot, Kamil!

Group: core-security