Bug 1457491 (Closed)
Opened 7 years ago; closed 7 years ago
PSM IPC allows compromised child process to install new root certificates
Categories: Core :: Security: PSM (enhancement)
Status: RESOLVED INVALID
| | Tracking | Status |
|---|---|---|
| firefox61 | --- | affected |
People: Reporter: Alex_Gaynor; Unassigned
Details
Given a compromised child process (aka the threat model for the parent process :-)), the following sequence of IPC methods allows the hostile actor to achieve persistence via inserting new root certificates into the trust store:
- Create a new PSMContentDownloader from the ContentParent: https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#3446-3452 (the attacker can control aCertType).
- Pass data to the PSMContentDownloader with OnStartRequest + OnDataAvailable: https://searchfox.org/mozilla-central/source/security/manager/ssl/PSMContentListener.cpp#224-238
- Finally, complete the request: https://searchfox.org/mozilla-central/source/security/manager/ssl/PSMContentListener.cpp#240-249
- https://searchfox.org/mozilla-central/source/security/manager/ssl/PSMContentListener.cpp#164-191
I'm not sure what the goal for this code is, but it's a pretty serious violation of the sandbox's threat model.
Reporter, Comment 1 • 7 years ago
Hmmm, it looks like there's actually some UI associated with this that the parent unconditionally displays. Perhaps this isn't an issue after all... would appreciate some other folks' thoughts.
Reporter, Comment 2 • 7 years ago
After spending some more time with this, all the IPC functionality here is directly web accessible, so while it scares me, it's not an ipc-sec issue.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated • 5 years ago
Group: core-security