Closed
Bug 1431371
(CVE-2018-5135)
Opened 7 years ago
Closed 7 years ago
activeTab permission allows executing scripts on pages it shouldn't
Categories
(WebExtensions :: General, defect, P1)
Tracking
(firefox-esr52 unaffected, firefox59 fixed, firefox60 fixed)
RESOLVED
FIXED
mozilla60
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox59 | --- | fixed |
firefox60 | --- | fixed |
People
(Reporter: qab, Assigned: aswan)
References
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main59+])
Attachments
(3 files, 1 obsolete file)
885 bytes,
application/x-zip-compressed
|
Details | |
3.11 KB,
patch
|
kmag
:
review+
RyanVM
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
2.54 KB,
patch
|
kmag
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Steps to reproduce: -----Originally reported in bug 1429881#c2------- browser.tabs.executeScript is blocked from running in 'about:cache' IFF coming from extensions normal background script. However, I noticed that the same is not true if executeScript is called from a browserAction popup script. 1. Install attached PoC extension 2. Navigate to 'about:cache' (or just a new tab/home) 3. Click on browser action button (top right green widget) According to https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/tabs/executeScript "You can only inject code into pages whose URL can be expressed using a match pattern: meaning, its scheme must be one of "http", "https", "file", "ftp"" Though there is clearly an exception somewhere for browserAction popup scripts. Actual results: We can execute script on 'about:cache' as well as other extension pages. Scripts are _not_ executed on privileged pages. (such as about:addons) Expected results: Both instances should be blocked
Reporter | ||
Updated•7 years ago
|
Group: toolkit-core-security
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Updated•7 years ago
|
Group: firefox-core-security
Updated•7 years ago
|
Summary: executeScript is not restricted when coming from browserAction popup script → activeTab permission allows executing scripts on pages it shouldn't
Updated•7 years ago
|
Assignee: nobody → aswan
Priority: -- → P1
Assignee | ||
Comment 1•7 years ago
|
||
MozReview-Commit-ID: ApnAwGsIOaG
Attachment #8945994 -
Flags: feedback?(kmaglione+bmo)
Assignee | ||
Comment 2•7 years ago
|
||
MozReview-Commit-ID: ApnAwGsIOaG
Attachment #8946541 -
Flags: review?(kmaglione+bmo)
Assignee | ||
Updated•7 years ago
|
Attachment #8945994 -
Attachment is obsolete: true
Attachment #8945994 -
Flags: feedback?(kmaglione+bmo)
Assignee | ||
Updated•7 years ago
|
status-firefox58:
--- → affected
status-firefox59:
--- → affected
status-firefox60:
--- → affected
status-firefox-esr52:
--- → unaffected
Assignee | ||
Comment 3•7 years ago
|
||
MozReview-Commit-ID: JxrDeE672sV
Attachment #8946542 -
Flags: review?(kmaglione+bmo)
Updated•7 years ago
|
Attachment #8946541 -
Flags: review?(kmaglione+bmo) → review+
Comment 4•7 years ago
|
||
Comment on attachment 8946542 [details] [diff] [review] Test for activeTab on an about: page Review of attachment 8946542 [details] [diff] [review]: ----------------------------------------------------------------- ::: toolkit/components/extensions/test/browser/browser_ext_activeTab_privileged.js @@ +10,5 @@ > + let tab; > + > + browser.test.onMessage.addListener(async () => { > + try { > + await browser.tabs.executeScript(tab.id, { Nit: assert.rejects(...) would be better.
Attachment #8946542 -
Flags: review?(kmaglione+bmo) → review+
Assignee | ||
Comment 5•7 years ago
|
||
Comment on attachment 8946541 [details] [diff] [review] Only grant activeTab to urls that match <all_urls> [Security approval request comment] How easily could an exploit be constructed based on the patch? Moderately easily. However we don't have a sec rating on this bug yet, I don't think it is especially dangerous since we already guard against injecting content scripts into pages with system principals: https://searchfox.org/mozilla-central/rev/97cb0aa64ae51adcabff76fb3b5eb18368f5f8ab/toolkit/components/extensions/WebExtensionPolicy.cpp#396-398 Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The check-in comment suggests what the problem is but I'm not sure how to obfuscate it without making it completely opaque. Which older supported branches are affected by this flaw? The regressing patch was uplifted to 58 (which was beta at the time of uplift, and is release at the time of this comment) If not all supported branches, which bug introduced the flaw? bug 1396399 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? this should backport trivially to all affected branches How likely is this patch to cause regressions; how much testing does it need? It seems unlikely to cause regressions, our existing automation should catch any major regressions.
Attachment #8946541 -
Flags: sec-approval?
Updated•7 years ago
|
Blocks: CVE-2018-5116
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-priv-escalation,
sec-moderate
Comment 6•7 years ago
|
||
Comment on attachment 8946541 [details] [diff] [review] Only grant activeTab to urls that match <all_urls> As a sec-moderate, this can just go into trunk.
Attachment #8946541 -
Flags: sec-approval?
Assignee | ||
Comment 7•7 years ago
|
||
(In reply to Al Billings [:abillings] from comment #6) > As a sec-moderate, this can just go into trunk. I just want to make sure I've got this right -- this should land in central (60) and ride the trains even though the bug is present in 58 and 59? And should the test be withheld for some time or is that just for sec-high and higher?
Flags: needinfo?(abillings)
Comment 8•7 years ago
|
||
Ideally, the tests would wait until the fix ships. You can nominate this for beta but moderates normally ride the release trains from trunk.
Flags: needinfo?(abillings)
Assignee | ||
Comment 11•7 years ago
|
||
(In reply to :Gijs from comment #10) > Can this land? Yeah, sorry for the delay, I'll land it today.
Assignee | ||
Comment 12•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/7fe5144564bcd624e42128f6545a790650620d6d Bug 1431371 Only grant activeTab to urls that match <all_urls> r=kmag
Comment 13•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/7fe5144564bc
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Assignee | ||
Comment 14•7 years ago
|
||
Comment on attachment 8946541 [details] [diff] [review] Only grant activeTab to urls that match <all_urls> Approval Request Comment [Feature/Bug causing the regression]: Bug 1396399 [User impact if declined]: sec-moderate vulnerability on webextensions [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: via the automated test, yes [Needs manual test from QE? If yes, steps to reproduce]: i don't believe additional manual testing is needed [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: The actual code change is quite small, and it just narrows the set of pages that extensions may access. [String changes made/needed]: none
Flags: needinfo?(aswan)
Attachment #8946541 -
Flags: approval-mozilla-beta?
Updated•7 years ago
|
Group: toolkit-core-security → core-security-release
Comment 15•7 years ago
|
||
Comment on attachment 8946541 [details] [diff] [review] Only grant activeTab to urls that match <all_urls> Fix a webextension sec issue. Approved for 59b12.
Attachment #8946541 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•7 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main59+]
Updated•7 years ago
|
Alias: CVE-2018-5135
Updated•6 years ago
|
Product: Toolkit → WebExtensions
Updated•6 years ago
|
Group: core-security-release
status-firefox58:
wontfix → ---
Comment 18•6 years ago
|
||
Requesting bounty consideration on behalf of the reporter.
Flags: sec-bounty?
Updated•6 years ago
|
Flags: sec-bounty? → sec-bounty+
Updated•3 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•