ProxyAutoConfig runs network provided javascript code in unsandboxed parent process

Status: NEW
Assignee: Unassigned
Type: enhancement
Priority: P3
Severity: normal
Reported: Last year
Modified: 3 months ago

People

(Reporter: Alex_Gaynor, Unassigned)

Tracking

(Depends on 1 bug, {sec-want})

Version: Trunk
Points: ---

Firefox Tracking Flags

(firefox63 affected)

Details

(Whiteboard: [necko-triaged][webcompat-sci-exclude])

PAC files are JavaScript files, which are run to get proxy configuration automatically, as obtained via the network. The code for this runs in the parent process: https://searchfox.org/mozilla-central/source/netwerk/base/ProxyAutoConfig.cpp#754-756

As a result of this, someone able to exploit a vulnerability in the JavaScript VM (not including the DOM, and with limited globals I believe) can, given a position on the network, exploit this vulnerability directly in the unsandboxed parent process -- not the sandboxed content process where we usually run JS.

We should endeavor to move PAC files into a sandboxed process. I imagine this could happen either via (1) the upcoming network process, or (2) spinning up a temporary child process to run the PAC file.

(This may not need to be s-s, since it's not a specific vulnerability, but I figured better safe than sorry to get the conversation started)
Group: core-security → network-core-security
https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html has some good background on the issues around PAC.

When I filed this, I had forgotten that WPAD was a distinct spec from PAC; do we support WPAD? It looks like yes, but I'm not sure if it's on by default or not.
Group: network-core-security
Keywords: sec-want
Depends on: socket-proc
Priority: -- → P3
Whiteboard: [necko-triaged]
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html has some good background on the issues around PAC.
> 
> When I filed this, I had forgotten that WPAD was a distinct spec from PAC;
> do we support WPAD? It looks like yes, but I'm not sure if it's on by
> default or not.

We do support WPAD, but not by default. The user has to manually enable it in the proxy settings.
Whiteboard: [necko-triaged] → [necko-triaged][webcompat-sci-exclude]