Closed Bug 1587976 (CVE-2019-17001) Opened 1 year ago Closed 1 year ago

CSP script-src 'none'; allows <object> to execute javascript code in firefox (but firefox developer edition works fine)

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 + fixed
firefox71 + fixed

People

(Reporter: whoismath, Assigned: ckerschb)

References

(Regression)

Details

(Whiteboard: [fixed by bug 1555043][reporter-external] [client-bounty-form] [verif?][adv-main70+])

Attachments

(4 files)

Attached file report.zip

The Mozilla developer docs say that:
"The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution."
and:
"'none' Refers to the empty set; that is, no URLs match. The single quotes are required.", according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Recently, while I was playing a CTF, I was able to trigger arbitrary javascript in the page's context using the <object> tag and could even steal user cookies.

This wasn't the CTF's expected solution and shouldn't have worked because of the script-src 'none' policy (it doesn't work on Chrome and other browsers).

So I made a PoC page and the working payload is: http://38.240.18.75/csp/index.php?payload=<object data="javascript:alert(${document.cookie})"></object>

Code like: http://38.240.18.75/csp/index.php?payload=<object data="data:text/html,<script>alert(document.cookie)</script>"></object>
executes in a different context and doesn't affect the web page, but maybe should be blocked as well by the CSP policy. In the attachments I'm providing the web page source and some screenshots of a working PoC.

Flags: sec-bounty?

I think this is a dupe of bug 1457100, which has comments suggesting bug 965637 might be fixing this, but that's in 69 and comment #0 suggests that the exploit works there (i.e. it's still broken). It definitely seems fixed (exploit not working) in 70 beta for me. Christoph/Dan, can you confirm what's going on here?

Group: firefox-core-security → dom-core-security
Type: task → defect
Component: Security → DOM: Security
Flags: needinfo?(dveditz)
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Attached file report-comment.zip

Comment on attachment 9100347 [details]
report-comment.zip

(this payload bypasses all CSP)

See Also: → 1441468

By commenting out the patch in Bug 1555043 I was able to reproduce this on 70, so I believe that patch fixed this in 70.

Within Bug 965637 we moved the CSP from the Principal into the Client, a new data structure that better reflects the security context for CSP within Firefox. Besides the benefits of doing so, it seems this refactoring effort caused the regression reported in this bug. At least Bug 1555043 fixed the problem again and closed that CSP bypass.

Flags: needinfo?(ckerschb)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Regressed by: 965637
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [fixed by bug 1555043][reporter-external] [client-bounty-form] [verif?]
Flags: needinfo?(dveditz)

These two testcases can be used to test this bug and demonstrate the difference between this Fx69-only regression (the "none" case) and the less severe bug 1441468 that is an older regression (the "data:" case).

I have confirmed that the "none" case does not affect ESR68 or ESR60, does affect Firefox 69, and is fixed in Firefox 70.

The older "data:" problem affects ESR60, ESR68, and Firefox 69, but is also fixed in Firefox 70 (by the same underlying fix, bug 1555043). Our behavior now matches Chrome on these cases.

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Depends on: 1555043
Resolution: --- → FIXED
Assignee: nobody → ckerschb
Target Milestone: --- → mozilla71
Whiteboard: [fixed by bug 1555043][reporter-external] [client-bounty-form] [verif?] → [fixed by bug 1555043][reporter-external] [client-bounty-form] [verif?][adv-main70+][adv-esr68.2+]
Whiteboard: [fixed by bug 1555043][reporter-external] [client-bounty-form] [verif?][adv-main70+][adv-esr68.2+] → [fixed by bug 1555043][reporter-external] [client-bounty-form] [verif?][adv-main70+]
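Both test cases above depend on how the engine applies script-src to an <object> element's data. Independently of that, CSP's object-src directive (falling back to default-src when absent) governs what <object> and <embed> may load at all, so a policy that sets object-src 'none' alongside script-src 'none' leaves nothing for the element to load. The audit script below is an added example, not code from this bug or from Mozilla; the directive names are real CSP directives, the function names are my own.

```python
# Audit a Content-Security-Policy header for the gap this bug relies on:
# script-src locked down while <object>/<embed> loads (object-src) are not.

def parse_csp(header):
    """Parse a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # per spec, the first occurrence of a directive wins
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`; fetch directives fall back to default-src."""
    if directive in policy:
        return policy[directive]
    if "default-src" in policy:
        return policy["default-src"]
    return None  # no directive at all: unrestricted

def is_none(sources):
    """True when the source list is exactly 'none' (case-insensitive keyword)."""
    return sources is not None and [s.lower() for s in sources] == ["'none'"]

def audit_object_gap(header):
    """Return human-readable findings; an empty list means <object> content is
    locked down as tightly as script execution."""
    policy = parse_csp(header)
    script = effective_sources(policy, "script-src")
    obj = effective_sources(policy, "object-src")
    findings = []
    if script is None:
        findings.append("script-src is unrestricted (no script-src or default-src)")
    if obj is None:
        findings.append("object-src is unrestricted: add object-src 'none' "
                        "(or a restrictive default-src)")
    elif is_none(script) and not is_none(obj):
        findings.append("script-src is 'none' but object-src %s still allows "
                        "<object> content" % " ".join(obj))
    return findings

if __name__ == "__main__":
    # Constructed sample policies: the one from this report, then a hardened variant.
    for hdr in ("script-src 'none'", "script-src 'none'; object-src 'none'"):
        print(repr(hdr), "->", audit_object_gap(hdr) or "ok")
```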

Does not qualify for the bounty because we landed a fix before this was reported, and also because it was made public before we had a chance to deal with it. Please see our bounty guidelines.

Flags: sec-bounty? → sec-bounty-
Group: core-security-release