Closed Bug 1202234 Opened 9 years ago Closed 6 years ago

Combinations of keys pressed on the keyboard into New Tab Page(about:newtab) which is into a very small window leads to Arbitrary Code execution.

Categories

(DevTools :: General, defect)

40 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jordi.chancel, Unassigned)

References

()

Details

(Keywords: reporter-external, sec-moderate)

Attachments

(2 files, 4 obsolete files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150826023504

Steps to reproduce:

(My exploit is exploitable only on Mac OS X but can be adapted for Windows, Linux, and other web browsers.) When you have convinced a lambda user to press multiple keys on the keyboard on "about:newtab" which is in a very small popup window, this leads to Remote Code execution. With a specially crafted web page it's possible to insert data into the clipboard.

Step 1: Go to: http://www.alternativ-testing.fr/~f98g4hfh8bugsalternativtesting1fg56j8y9f46~/index.html

Step 2: Follow the instructions on this web page (which consist of pressing multiple keys on the keyboard after steps 1 and 2 have been carried out).

Actual results:

Malicious arbitrary code is executed: as the TestCase demonstrates, [/Applications/Calculator.app/Contents/MacOS/Calculator] is executed.

Explanation: The malicious JavaScript code [javascript:file=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath("/Applications/Calculator.app/Contents/MacOS/Calculator");process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);process.init(file);args=[];process.run(false,args,args.length);] is executed in "about:newtab" using the web console, which is not visible, and leads to executing [/Applications/Calculator.app/Contents/MacOS/Calculator]. This vulnerability can also be used for an XSS-type attack on any website where an attacker wants to steal sensitive information (cookies / saved passwords & logins / web page content / logging all keys pressed / ...).

Expected results:

The browser page "about:newtab" shouldn't be able to execute arbitrary code via the Firefox web console, for security reasons.

Vulnerability found by security researcher Jordi Chancel
In my view, when a Firefox window is too small, the web console shouldn't be activated, for security reasons, because it isn't visible and, as my TestCase demonstrates the potential danger involved, this possibility is insecure for Firefox users.
Summary: Convince a lambda user to press multiple keys on the keyboard on "about:newtab" which is into a very small window popup leads to Code execution → Press multiple keys on the keyboard on "about:newtab" which is into a very small window popup leads to Code execution
Summary: Press multiple keys on the keyboard on "about:newtab" which is into a very small window popup leads to Code execution → Combinations of keys pressed on the keyboard in "about:newtab" which is into a very small window popup leads to Code execution
Summary: Combinations of keys pressed on the keyboard in "about:newtab" which is into a very small window popup leads to Code execution → Combinations of keys pressed on the keyboard into "about:newtab" which is into a very small window leads to Arbitrary Code execution.
Attachment #8657567 - Attachment filename: ltiple keys on the keyboard on "about-newtab" into a very small window, leads to Code execution.html
Attachment #8657567 - Attachment description: Bug 1202234 - Demonstration Video n°1 (Video of TestCase).html → Bug 1202234 - Demonstration Video n°1 (Video of Arbitrary Code Execution TestCase).html
Attachment #8657567 - Attachment filename: ltiple keys on the keyboard on "about-newtab" into a very small window, leads to Code execution.html → ss multiple keys on the keyboard on "about-newtab" into a very small window, leads to Code execution
Attachment #8657567 - Attachment filename: ss multiple keys on the keyboard on "about-newtab" into a very small window, leads to Code execution → press multiple keys on the keyboard on about:newtab into a very small window leads to Code execution
Attachment #8657622 - Attachment is obsolete: true
Attachment #8657624 - Attachment is obsolete: true
Testcase n°1 demonstrates the possibility to execute arbitrary code on about:newtab : https://bugzilla.mozilla.org/attachment.cgi?id=8657625 . Testcase n°2 demonstrates the possibility to execute JavaScript code (XSS) on targeted website : https://bugzilla.mozilla.org/attachment.cgi?id=8657626 .
Attachment #8657626 - Attachment is obsolete: true
Summary: Combinations of keys pressed on the keyboard into "about:newtab" which is into a very small window leads to Arbitrary Code execution. → Combinations of keys pressed on the keyboard into New Tab Page(about:newtab) which is into a very small window leads to Arbitrary Code execution.
I have added some people to the CC list to confirm this report. Matt Wobensmith, can you define the sec-severity please? Thanks.
Flags: needinfo?(mwobensmith)
Group: core-security → firefox-core-security
Status: UNCONFIRMED → NEW
Component: General → Developer Tools
Ever confirmed: true
Flags: needinfo?(mwobensmith)
Keywords: sec-moderate
Product: Core → Firefox
Flags: sec-bounty?
1) One (hard) option would be to re-write the page as unprivileged like about:home, and implement the powerful features it needs via a postMessage() API. That's probably not worth the work.
2) Another mitigation would be to not allow devTools on privileged pages by default, instead showing some kind of warning. Probably a door-hanger since those float and would be visible no matter the size of the window, with a scary-ish warning about powerful features and an "Allow" (once) button. Power users will want an "Allow Always" option, but that could perhaps be enabled through devtools settings rather than on the in-your-face door hanger.
3) And lastly, Jordi's suggestion in comment 2 is a good idea. Either don't open devtools if they can't be shown, or automatically trigger the existing "Show in separate window" functionality.
My preference would be to do both 2 and 3, which should be split off into separate bugs that this one can depend on.
We are currently working on option 1. However, it won't be ready immediately and needs to ride the release trains.
See Also: → 1208703
Flags: sec-bounty? → sec-bounty+
Blocks: 1208703
Attachment #8657625 - Attachment is obsolete: true
I've moved the directory of my testcase on my server; the testcase is available at the new URL address.
Bug 1208703 (similar to this first reported vulnerability) is defined as a duplicate in its comment 7 ( https://bugzilla.mozilla.org/show_bug.cgi?id=1208703#c7 ). I think that the "Keywords" category, which defines multiple pieces of information for this vulnerability, must have a new keyword to define this vulnerability: [sec-moderate] => [csectype-priv-escalation, sec-moderate]
Product: Firefox → DevTools
about:newtab does not allow the privileged code to be run anymore, which makes this not a vulnerability anymore. I am not sure whether there are other privileged pages left where this could happen still. In any case, some form of protection against self-XSS was implemented in the console a while back. It now prevents you from pasting and executing any code in the console the first time you try it, and you have to type "allow pasting" and Enter before you can paste code. So I'm going to go ahead and close this bug. Feel free to re-open if you think the vulnerability still exists somehow.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Group: firefox-core-security
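As an added illustration (not Firefox's code, and not from any commenter on this bug), a small JavaScript model of the paste gate the closing comment describes: pasted console input is held back until the user types the unlock phrase and presses Enter, while typed input still runs. The preference name, the message text and the sample clipboard payload are assumptions; only the phrase "allow pasting" comes from the page.

```javascript
// Model of a DevTools-console paste gate against self-XSS. Illustrative only;
// the unlock phrase is the one quoted on the page, everything else is assumed.
const UNLOCK_PHRASE = "allow pasting";
const PREF_NAME = "devtools.selfxss.allowPasting"; // assumed pref name

class ConsoleInputGate {
  constructor(store = new Map()) {
    this.store = store;   // stands in for per-profile persisted preferences
    this.log = [];        // messages the console would show the user
    this.executed = [];   // inputs that were actually evaluated
  }

  get pastingAllowed() {
    return this.store.get(PREF_NAME) === true;
  }

  // Paste event: clipboard contents arrive in one shot and may have been
  // planted by a web page, so they are held back until the user opts in.
  paste(clipboardText) {
    if (this.pastingAllowed) return this.accept(clipboardText, "paste");
    this.log.push(`Pasted code was not inserted. Type "${UNLOCK_PHRASE}" and press Enter to enable pasting.`);
    return { accepted: false, reason: "paste-blocked" };
  }

  // Typed input followed by Enter: typed code always runs; the unlock
  // phrase flips the persisted preference instead of being evaluated.
  type(text) {
    if (text.trim() === UNLOCK_PHRASE) {
      this.store.set(PREF_NAME, true);
      this.log.push("Pasting enabled for this profile.");
      return { accepted: true, reason: "unlocked" };
    }
    return this.accept(text, "typed");
  }

  accept(text, via) {
    this.executed.push({ text, via });
    return { accepted: true, reason: via };
  }
}

// Constructed walk-through: a harmless payload a page could have placed on
// the clipboard is pasted, blocked, then allowed after the user opts in.
function demo() {
  const gate = new ConsoleInputGate();
  const planted = 'console.log("planted by a web page")'; // constructed, harmless
  const first = gate.paste(planted);
  gate.type(UNLOCK_PHRASE);
  const second = gate.paste(planted);
  return { first, second, executedCount: gate.executed.length };
}
```

Note that the gate only covers the paste channel: anything the user types by hand still runs, which is why the door-hanger and "don't open devtools when they can't be shown" ideas in the earlier comment address a different part of the problem.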