ProxyAutoConfig runs network provided javascript code in unsandboxed parent process

NEW
Unassigned


enhancement
P3
normal
10 months ago
9 months ago

People

(Reporter: Alex_Gaynor, Unassigned)

Tracking

(Depends on 1 bug, {sec-want})

Trunk
Points:
---

Firefox Tracking Flags

(firefox63 affected)

Details

(Whiteboard: [necko-triaged], URL)

(Reporter)

Description

10 months ago
PAC files are JavaScript files, which are run to get proxy configuration automatically, as obtained via the network. The code for this runs in the parent process: https://searchfox.org/mozilla-central/source/netwerk/base/ProxyAutoConfig.cpp#754-756

As a result of this, someone able to exploit a vulnerability in the JavaScript VM (not including the DOM, and with limited globals I believe) can, given a position on the network, exploit this vulnerability directly in the unsandboxed parent process -- not the sandboxed content process where we usually run JS.

We should endeavor to move PAC files into a sandboxed process. I imagine this could happen either via (1) the upcoming network process, or (2) spinning up a temporary child process to run the PAC file.

(This may not need to be s-s, since it's not a specific vulnerability, but I figured better safe than sorry to get the conversation started)
Group: core-security → network-core-security
(Reporter)

Comment 1

9 months ago
https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html has some good background on the issues around PAC.

When I filed this, I had forgotten that WPAD was a distinct spec from PAC; do we support WPAD? It looks like yes, but I'm not sure if it's on by default or not.
Group: network-core-security
Keywords: sec-want
Depends on: socket-proc
Priority: -- → P3
Whiteboard: [necko-triaged]
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-
> windows-10-in_18.html has some good background on the issues around PAC.
> 
> When I filed this, I had forgotten that WPAD was a distinct spec from PAC;
> do we support WPAD? It looks like yes, but I'm not sure if it's on by
> default or not.

We do support WPAD, but not by default. The user has to manually enable it in the proxy settings.