Closed Bug 1431371 (CVE-2018-5135) Opened 6 years ago Closed 6 years ago

activeTab permission allows executing scripts on pages it shouldn't

Categories

(WebExtensions :: General, defect, P1)

Product:
WebExtensions
Component:
General
Version:
58 Branch
Type:
defect

Tracking

(firefox-esr52 unaffected, firefox59 fixed, firefox60 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- fixed
firefox60 --- fixed

People

(Reporter: qab, Assigned: aswan)

References

Details

(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main59+])

Attachments

(3 files, 1 obsolete file)

POC.zip
885 bytes, application/x-zip-compressed
Details
Only grant activeTab to urls that match <all_urls>
3.11 KB, patch
kmag
: review+
RyanVM
: approval-mozilla-beta+
Details | Diff | Splinter Review
Test for activeTab on an about: page
2.54 KB, patch
kmag
: review+
Details | Diff | Splinter Review
Attached file POC.zip 
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce:

-----Originally reported in bug 1429881#c2-------

browser.tabs.executeScript is blocked from running in 'about:cache' IFF coming from extensions normal background script. However, I noticed that the same is not true if executeScript is called from a browserAction popup script.

1. Install attached PoC extension
2. Navigate to 'about:cache' (or just a new tab/home)
3. Click on browser action button (top right green widget)

According to https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/tabs/executeScript 
"You can only inject code into pages whose URL can be expressed using a match pattern: meaning, its scheme must be one of "http", "https", "file", "ftp""

Though there is clearly an exception somewhere for browserAction popup scripts.


Actual results:

We can execute script on 'about:cache' as well as other extension pages. Scripts are _not_ executed on privileged pages. (such as about:addons)


Expected results:

Both instances should be blocked
Group: toolkit-core-security
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Group: firefox-core-security
Summary: executeScript is not restricted when coming from browserAction popup script → activeTab permission allows executing scripts on pages it shouldn't
Assignee: nobody → aswan
Priority: -- → P1
Attached patch wip (obsolete) — Splinter Review 
MozReview-Commit-ID: ApnAwGsIOaG
Attachment #8945994 - Flags: feedback?(kmaglione+bmo)
MozReview-Commit-ID: ApnAwGsIOaG
Attachment #8946541 - Flags: review?(kmaglione+bmo)
Attachment #8945994 - Attachment is obsolete: true
Attachment #8945994 - Flags: feedback?(kmaglione+bmo)
MozReview-Commit-ID: JxrDeE672sV
Attachment #8946542 - Flags: review?(kmaglione+bmo)
Attachment #8946541 - Flags: review?(kmaglione+bmo) → review+
Comment on attachment 8946542 [details] [diff] [review]
Test for activeTab on an about: page

Review of attachment 8946542 [details] [diff] [review]:
-----------------------------------------------------------------

::: toolkit/components/extensions/test/browser/browser_ext_activeTab_privileged.js
@@ +10,5 @@
> +      let tab;
> +
> +      browser.test.onMessage.addListener(async () => {
> +        try {
> +          await browser.tabs.executeScript(tab.id, {

Nit: assert.rejects(...) would be better.
Attachment #8946542 - Flags: review?(kmaglione+bmo) → review+
Comment on attachment 8946541 [details] [diff] [review]
Only grant activeTab to urls that match <all_urls>

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Moderately easily.  However we don't have a sec rating on this bug yet, I don't think it is especially dangerous since we already guard against injecting content scripts into pages with system principals:
https://searchfox.org/mozilla-central/rev/97cb0aa64ae51adcabff76fb3b5eb18368f5f8ab/toolkit/components/extensions/WebExtensionPolicy.cpp#396-398

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The check-in comment suggests what the problem is but I'm not sure how to obfuscate it without making it completely opaque.

Which older supported branches are affected by this flaw?
The regressing patch was uplifted to 58 (which was beta at the time of uplift, and is release at the time of this comment)

If not all supported branches, which bug introduced the flaw?
bug 1396399

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
this should backport trivially to all affected branches

How likely is this patch to cause regressions; how much testing does it need?
It seems unlikely to cause regressions, our existing automation should catch any major regressions.
Attachment #8946541 - Flags: sec-approval?
Blocks: CVE-2018-5116
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-priv-escalation, sec-moderate
Comment on attachment 8946541 [details] [diff] [review]
Only grant activeTab to urls that match <all_urls>

As a sec-moderate, this can just go into trunk.
Attachment #8946541 - Flags: sec-approval?
(In reply to Al Billings [:abillings] from comment #6)
> As a sec-moderate, this can just go into trunk.

I just want to make sure I've got this right -- this should land in central (60) and ride the trains even though the bug is present in 58 and 59?  And should the test be withheld for some time or is that just for sec-high and higher?
Flags: needinfo?(abillings)
Ideally, the tests would wait until the fix ships. You can nominate this for beta but moderates normally ride the release trains from trunk.
status-firefox58: affectedwontfix
Flags: needinfo?(abillings)
Can this land?
Flags: needinfo?(aswan)
(In reply to :Gijs from comment #10)
> Can this land?

Yeah, sorry for the delay, I'll land it today.
https://hg.mozilla.org/mozilla-central/rev/7fe5144564bc
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox60: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment on attachment 8946541 [details] [diff] [review]
Only grant activeTab to urls that match <all_urls>

Approval Request Comment
[Feature/Bug causing the regression]:
Bug 1396399

[User impact if declined]:
sec-moderate vulnerability on webextensions

[Is this code covered by automated tests?]:
yes

[Has the fix been verified in Nightly?]:
via the automated test, yes

[Needs manual test from QE? If yes, steps to reproduce]: 
i don't believe additional manual testing is needed

[List of other uplifts needed for the feature/fix]:
none

[Is the change risky?]:
no

[Why is the change risky/not risky?]:
The actual code change is quite small, and it just narrows the set of pages that extensions may access.

[String changes made/needed]:
none
Flags: needinfo?(aswan)
Attachment #8946541 - Flags: approval-mozilla-beta?
Group: toolkit-core-security → core-security-release
Comment on attachment 8946541 [details] [diff] [review]
Only grant activeTab to urls that match <all_urls>

Fix a webextension sec issue. Approved for 59b12.
Attachment #8946541 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main59+]
Alias: CVE-2018-5135
Product: Toolkit → WebExtensions
Group: core-security-release
status-firefox58: wontfix → ---

Requesting bounty consideration on behalf of the reporter.

Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: