
Access to components object using video tag

RESOLVED INVALID


People

(Reporter: qab, Unassigned)

Tracking

43 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8734950 [details]
q.html

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce:

View attached PoC file and follow instructions


Actual results:

Seems like the data uri is opened in unexpected context and within this context a Components object is exposed. Not sure if this is the same object that could lead to RCE, but from my brief googling it's possible these functions have elevated privileges (ref: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIXMLHttpRequest )


Expected results:

Best course of action would be to open the data uri with the context of the website you opened from (similar to when you open a data uri using an anchor tag). Alternatively, disallow video html tag from hosting non-video data uris.

side note:
If you choose 'save video' the debugger shows the following error, though no actual crash exists:

(7c4.4064): Unknown exception - code 8001010e (first chance)
I'm not sure I understand what this POC is supposed to be doing. When I right-click on the video element and choose "View video", I get a blank page and |data:text/html,<script>console.dir(Components.interfaces)</script>| in the location bar. Both on a current nightly build and the Fx45 release build. I tried opening the POC both from bugzilla and after saving it locally.
Flags: needinfo?(qab)
Doesn't

  document.location = "data:text/html,<script>console.dir(Components.interfaces)</script>"

do the same thing? We are deprecating the non-standard Components object, but the version available to a non-privileged context is quite different from the full-powered one in privileged contexts.

Seems like a bug that we're offering "video" menu items for an element with a non-video content-type, but it doesn't seem to be a security bug.
Ryan: the test case dumps the Components.interfaces object on the console, so you have to open dev tools to see anything.
> but the version available to a non-privileged context is quite different from the full-powered one in privileged contexts

Indeed.  The test is whether Components.utils is present.  Components.interfaces in a non-privileged context is just a mapping of some random (well, not totally random, but having nothing to do with any specs) strings to DOM interface objects.

Comment 5

3 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Seems like a bug that we're offering "video" menu items for an element with
> a non-video content-type, but it doesn't seem to be a security bug.

I don't know that we can detect this from the context menu... Jared, do you?
Flags: needinfo?(jaws)
(In reply to :Gijs Kruitbosch from comment #5)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Seems like a bug that we're offering "video" menu items for an element with
> > a non-video content-type, but it doesn't seem to be a security bug.
> 
> I don't know that we can detect this from the context menu... Jared, do you?

We can't really trust content-types, in fact we explicitly ignore them since https://bugzilla.mozilla.org/show_bug.cgi?id=1048579 and https://www.w3.org/Bugs/Public/show_bug.cgi?id=11984.
Flags: needinfo?(jaws)
Summary: Access to componenets object using video tag → Access to components object using video tag
Components.utils does not appear to be present, so based on comment 4, this does not appear to be an issue.

Abdulrahman, do you agree?
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 8

2 years ago
(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #7)
> Components.utils does not appear to be present, so based on comment 4, this
> does not appear to be an issue.
> 
> Abdulrahman, do you agree?

Yes, after more testing it seems like the Components object which was discussed here sort of exists everywhere.

For example, open the console here and just type in Components and hit enter. Suddenly the object appears, but no utils.

Think it's safe to say this is Invalid, apologies for the mistake.
Flags: needinfo?(qab)

Updated

2 years ago
Group: firefox-core-security
Resolution: WORKSFORME → INVALID