Closed Bug 1124898 (CVE-2015-0802) Opened 10 years ago Closed 10 years ago

Privileged Window.webidl stuff is exposed based on the docshell type, not the principal of the actual page

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox35 --- wontfix
firefox36 --- wontfix
firefox37 --- fixed
firefox38 --- fixed
firefox-esr31 38+ wontfix
b2g-v1.4 --- wontfix
b2g-v2.0 --- wontfix
b2g-v2.0M --- wontfix
b2g-v2.1 --- wontfix
b2g-v2.1S --- wontfix
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: bholley, Assigned: bholley)

References

Details

(Keywords: sec-high, sec-moderate, Whiteboard: [adv-main37+] Embargo until fixed on ESR31?)

Attachments

(2 files)

Stop exposing ex-nsIDOMChromeWindow things for random unprivileged things loaded in chrome docshells. v1
6.19 KB, patch
bzbarsky
: review+
lmandel
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Tests. v1
3.14 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
From bug 1120261. > setTimeout(function(){ > x.messageManager.loadFrameScript('data:,throw Components.utils', > false); This is the most egregious bit, IMO. it looks like Window.webidl puts all of the privileged stuff behind Func="nsGlobalWindow::IsChromeWindow", rather than making it ChromeOnly. This means that, if content can ever get a reference to a chrome window (which it shouldn't, but can happen when paired with another exploit as in this bug), it can navigate that window to its own page, and go wild on chrome-privileged stuff. Boris, is there any reason for the above? Seems like we should almost certainly fix it.
Flags: needinfo?(bzbarsky)
The initial deal with nsGlobalWindow::IsChromeWindow was to flag precisely the set of things that came from nsIDOMChromeWindow with it, to preserve the old behavior. There is no reason past that. I think "messageManager" should in fact also have a [ChromeOnly] flag, as should getGroupMessageManager and beginWindowMove. The constants I wouldn't necessarily worry about, or probably windowState. Not sure about browserDOMWindow or the various getAttention/setCursor/maximize/minimize/restore bits, or notifyDefaultButtonLoaded. It might be safe to just check for chrome caller in IsChromeWindow if we're sure that there are no cases of someone loading untrusted stuff in type="chrome" docshells and expecting it to use any of these bits. Which seems like an OK assumption.
Flags: needinfo?(bzbarsky)
Bobby, do you think this rises to the level of a sec-high or sec-critical that we should backport everywhere, or is this just more of a nice to have defense-in-depth thing? Assigning to Bobby because he has a patch for this issue. Adjust as needed.
Assignee: nobody → bobbyholley
(In reply to Andrew McCreight [:mccr8] from comment #3) > Bobby, do you think this rises to the level of a sec-high or sec-critical > that we should backport everywhere, or is this just more of a nice to have > defense-in-depth thing? The message manager thing is worrisome, though it's still not an exploit all on its own (since you still need a way to get your hands on a chrome window). sec-moderate, though I might still argue for at least backporting to aurora.
Keywords: sec-moderate
Comment on attachment 8553993 [details] [diff] [review] Stop exposing ex-nsIDOMChromeWindow things for random unprivileged things loaded in chrome docshells. v1 r=me Have I mentioned recently how much more pleasant this sort of thing is than working with xpconnect bindings? ;)
Attachment #8553993 - Flags: review?(bzbarsky) → review+
Attached patch Tests. v1Splinter Review
I realized this probably wants tests.
Attachment #8554200 - Flags: review?(bzbarsky)
Also, boris - do you think that landing this as sec-moderate on nightly and aurora (with tests) is safe enough?
Flags: needinfo?(bzbarsky)
Comment on attachment 8554200 [details] [diff] [review] Tests. v1 Might be better to setTimeout for 10ms or something instead of executeSoon while busy-waiting, so you don't starve the event loop too much. r=me if you add a comment to file_empty about other tests depending on the page title. And yes, landing on nightly+aurora seems ok.
Flags: needinfo?(bzbarsky)
Attachment #8554200 - Flags: review?(bzbarsky) → review+
(In reply to Boris Zbarsky [:bz] from comment #9) > Might be better to setTimeout for 10ms or something instead of executeSoon > while busy-waiting, so you don't starve the event loop too much. Yes, but setTimeouts are kinda banned these days. > r=me if you add a comment to file_empty about other tests depending on the > page title. Ok. > And yes, landing on nightly+aurora seems ok. Ok great - thanks.
> Yes, but setTimeouts are kinda banned these days. Sure, but we still have a way to do them, if there's good reason... and in this case I think there is. I don't feel super-strongly about it, though.
(In reply to Boris Zbarsky [:bz] from comment #11) > > Yes, but setTimeouts are kinda banned these days. > > Sure, but we still have a way to do them, if there's good reason... and in > this case I think there is. I don't feel super-strongly about it, though. Yeah I could go either way I guess - I was also concerned about requestFlakeyTimeout not being available on older branches that we may decide to backport this to. Anyway, I already pushed by the time your comment came in. remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/adba768607dc remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/bab6997a3bf8
Comment on attachment 8553993 [details] [diff] [review] Stop exposing ex-nsIDOMChromeWindow things for random unprivileged things loaded in chrome docshells. v1 Approval Request Comment [Feature/regressing bug #]: longstanding [User impact if declined]: potential vector for privilege escalation [Describe test coverage new/current, TreeHerder]: Checked in with tests [Risks and why]: Could theoretically break addons. I don't think we gain much testing there on Nightly/Aurora, which is why I'm proposing to accelerate this fix 6 weeks. Low potential for regressions unrelated to the intended behavior change. [String/UUID change made/needed]: None
Attachment #8553993 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/adba768607dc https://hg.mozilla.org/mozilla-central/rev/bab6997a3bf8
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v1.4: --- → wontfix
status-b2g-v2.0: --- → wontfix
status-b2g-v2.0M: --- → wontfix
status-b2g-v2.1: --- → wontfix
status-b2g-v2.1S: --- → wontfix
status-b2g-v2.2: --- → affected
status-b2g-master: --- → fixed
status-firefox38: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Depends on: 1126023
Comment on attachment 8553993 [details] [diff] [review] Stop exposing ex-nsIDOMChromeWindow things for random unprivileged things loaded in chrome docshells. v1 Agreed. Let's get this into 37 now and deal with any fallout early. Aurora+
Attachment #8553993 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [adv-main37+]
Alias: CVE-2015-0802
(In reply to Bobby Holley (:bholley) from comment #4) > The message manager thing is worrisome, though it's still not an exploit all > on its own (since you still need a way to get your hands on a chrome window). > > sec-moderate, though I might still argue for at least backporting to aurora. That seems optimistic -- lots of moz_bug_r_a4 exploits (and more recently Mariusz) are all about finding a same-origin violation plus some way of getting a handle to a chrome window. So far they haven't run out of the latter. Since the resulting combination is sec-critical I'd argue that this is a particular dangerous rock hanging over our heads. Sec-high might better represent our level of worry. [Tracking Requested - why for this release]: I'm concerned sec-moderate undersells the risk. If there's any sec-high same-origin violations left on ESR-31 then this bug turns them into sec-critical remote code execution.
status-firefox-esr31: wontfixaffected
tracking-firefox-esr31: --- → ?
Keywords: sec-high
Whiteboard: [adv-main37+] → [adv-main37+] Embargo until fixed on ESR31?
Bobby, do you think we're going to get an ESR31 patch this cycle?
Flags: needinfo?(bobbyholley)
This won't be easy to fix without WebIDL window, which landed in 32 (bug 789261). I think we should embargo.
status-firefox-esr31: affectedwontfix
Flags: needinfo?(bobbyholley)
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: