Closed Bug 1005636 Opened 12 years ago Closed 7 years ago

XPI install can be covered by a window.showmodaldialog

Categories

(Core :: Security, defect)

Version: 28 Branch
Platform: x86 macOS
Type: defect
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED WORKSFORME

People

(Reporter: jordi.chancel, Unassigned)

Details

(Keywords: csectype-spoof, reporter-external, sec-low)

Attachments

(3 files, 3 obsolete files)

Attached file POC.html (obsolete)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140421221237

Steps to reproduce:

When you locally load a window that leads to an XPI install, and afterwards load a window.showModalDialog that covers it, you can install it by just pressing ENTER.

Steps:
1. Click on the button in the POC.
2. PRESS ENTER DIRECTLY.

Actual results:

XPI is installed.

Expected results:

Covering the XPI install with a window.showModalDialog is wrong.

TESTED ON MAC ONLY.
Attached file POC.zip (obsolete)
Attachment #8417030 - Attachment is obsolete: true
Summary: (local attack) XPI Install cover by window.showmodaldialog , just need press ENTER for install it. → (MAC OS X)(local attack) XPI Install cover by window.showmodaldialog , just need press ENTER for install it.
This issue doesn't work on Windows.
Component: General → Security
Attachment #8417031 - Attachment mime type: application/zip → application/java-archive
Whiteboard: (local attack) you must open it localy.
As Jordi says in the whiteboard, this only works locally on Mac, as far as we know. Seems that keyboard input is not directed to the foremost spawned window, but to the XPI install dialog behind it.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I have reported a new bug more or less similar to this one: https://bugzilla.mozilla.org/show_bug.cgi?id=1008652, but with this new vulnerability it's possible to perform the spoofing remotely. Please view bug 1008652.
I am going to close 1008652 as a dupe of this bug and merge the info; these are so similar in scope that there is no point in 2 bugs.

Notes from Bug 1008652 of relevance:
* youtube private video => https://www.youtube.com/watch?v=xGeF8d18oiQ&feature=youtu.be
Keywords: csectype-spoof
Summary: (MAC OS X)(local attack) XPI Install cover by window.showmodaldialog , just need press ENTER for install it. → Auth Dialog can be covered by a window.showmodaldialog
Whiteboard: (local attack) you must open it localy.
Per https://wiki.mozilla.org/Security_Severity_Ratings:

> sec-low
> Minor security vulnerabilities such as leaks or spoofs of non-sensitive information. Missing best practice security controls

I am rating this bug as a low.
Keywords: sec-low
Summary: Auth Dialog can be covered by a window.showmodaldialog → (local attack) XPI install can be covered by a window.showmodaldialog
I think it's not low; locally this attack can execute arbitrary code with just one click and pressing ENTER.
While that may be the case, first you have to get the user to go to the arbitrary site, then get them to download the file, then run it locally, and then get them to follow the proper steps to be exploited. Given all that user interaction I think the rating of low is appropriate; however, as always, others will weigh in. We'd also appreciate it if you would stop editing the fields of the bug after we do; this affects our workflow and bug handling and will only delay any necessary work we need to accomplish. We appreciate your comments and input, and we do consider them when we make changes to ratings and other sections.
Summary: (local attack) XPI install can be covered by a window.showmodaldialog → XPI install can be covered by a window.showmodaldialog
Sorry for the trouble. I have found a more critical (sg:moderate, I think) attack using this bug. It's very similar to bug 884488 in every respect. I think that the appropriate severity is now Moderate. I will make a private video and post the new testcase to show the real severity of this bug. Can you reply quickly to say whether I am right or not, please? Thank you very much.
Attached file TESTCASE N°3.zip (obsolete)

New Testcase!
(In reply to Jordi Chancel from comment #13)
> Sorry for the trouble.
>
> I have found a more critical (sg:moderate, I think) attack using this bug.
> It's very similar to bug 884488 in every respect.
>
> I think that the appropriate severity is now Moderate.
>
> I will make a private video and post the new testcase to show the real
> severity of this bug.
>
> Can you reply quickly to say whether I am right or not, please?
>
> Thank you very much.

Look at this video: https://www.youtube.com/watch?v=7YVAuDe1Lkc&feature=youtu.be
It's still a local-only attack on Mac only; while the elements here look a bit more real, you can still see the window controls and drop shading of the covering box. But the reality of this rating is that it's dependent on the first part mentioned in comment 12. You have to get the user to take a good number of steps before you can even start the attack, and for that reason this rating should not change.
We know these dialogs need work, and we're going to be removing/changing them. Reporting variations based on known-to-be-broken UI isn't going to be severe enough to earn more bounties unless there's something novel.
Flags: sec-bounty? → sec-bounty-
I've sent a mail today about the severity of this testcase.
Attachment #8426851 - Attachment is obsolete: true
Group: core-security → dom-core-security

bug 1374460 documents showModalDialog as having been disabled by default in 56 and code removed later on, so this is WFM.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Group: dom-core-security