Closed Bug 1721344 Opened 3 years ago Closed 3 years ago

Mozilla Firefox Sandbox Escape

Categories

(Firefox :: Untriaged, defect)

Firefox 89
defect

Tracking


RESOLVED DUPLICATE of bug 1718560

People

(Reporter: contact, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

Steps to reproduce:

Mozilla Firefox allows you to escape the sandbox when you crash the tab using a null deref bug (you can use public examples or just use what you already have to do this) and then run a script through setTimeout and a javascript: URI after it.

But since you can repro it just by closing the tab without crashing, I created a simple PoC below.

<script>setTimeout("alert('close this tab');window.location.href='javascript:alert(\"Escaped: running on Medium Integrity Level\")';", 111);</script>

Tested on Firefox on Windows and Mac x64 89.0.2

(In reply to SSD Secure Disclosure from comment #0)

> User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
>
> Steps to reproduce:
>
> Mozilla Firefox allows you to escape the sandbox when you crash the tab using a null deref bug (you can use public examples or just use what you already have to do this)

It is not clear to me what you mean here. What public examples of null derefs that crash tabs?

> and then run a script through setTimeout and a javascript: URI after it.
>
> But since you can repro it just by closing the tab without crashing, I created a simple PoC below.
>
> <script>setTimeout("alert('close this tab');window.location.href='javascript:alert(\"Escaped: running on Medium Integrity Level\")';", 111);</script>

Why do you think the javascript runs outside the sandbox? I do not believe this is the case. Just the fact that you put text in the alert that claims this doesn't make it true... I could run alert("Haha we stole all your files and gave them to the FBI") and that, sadly, would not be proof that it had happened. ;-)

> Tested on Firefox on Windows and Mac x64 89.0.2

We released Firefox 90 last week, and 90.0.1 is now also out. Do you believe those are vulnerable? Because off-hand, this seems like a duplicate of bug 1718560.

Flags: needinfo?(contact)

Hi,

  1. I will try to reconfirm that it's still vulnerable in 90.x.x - I haven't tried

  2. The alert that popped up due to the timeout had a "different" feel to it - which suggested it's not the Firefox built-in alert, but rather it's the one that resides in "Windows" - which means the alert being popped out is outside the sandbox

Flags: needinfo?(contact)

Looking at 1718560, it does look like a duplicate.

(In reply to SSD Secure Disclosure from comment #2)

> 2. The alert that popped up due to the timeout had a "different" feel to it - which suggested it's not the Firefox built-in alert, but rather it's the one that resides in "Windows" - which means the alert being popped out is outside the sandbox

Fortunately this is not actually the case. :-)

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security
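What the reply above is getting at is that the look of the dialog says nothing about which process ran the script: the check a practitioner would actually make is on the process itself. As an added example that is not part of the bug thread or of Mozilla's code, the POSIX shell script below classifies a Linux process from the Seccomp and NoNewPrivs fields of its /proc/<pid>/status and, with --live, applies that to every running process whose command line contains -contentproc (the flag Firefox content processes are launched with on Linux; that flag, the "Seccomp: 2" / "NoNewPrivs: 1" reading, and the sample status excerpts are this example's assumptions, and the excerpts are constructed). On Windows the equivalent check is the process's integrity level, for instance the Integrity column in Sysinternals Process Explorer, rather than the alert's appearance.

```shell
#!/bin/sh
# Added example (not from the Bugzilla thread): is a Firefox content process
# actually running under the seccomp-bpf sandbox? We answer from /proc, not
# from what a web page claims about itself in an alert().
#
# Assumptions of this example: Firefox content processes carry "-contentproc"
# on their command line, and a sandboxed process shows "Seccomp: 2" (filter
# mode) and "NoNewPrivs: 1" in /proc/<pid>/status.

# sandbox_state STATUS_TEXT -> prints "sandboxed", "partial" or "unsandboxed"
sandbox_state() {
    seccomp=$(printf '%s\n' "$1" | awk -F: '/^Seccomp:/ {gsub(/[ \t]/, "", $2); print $2}')
    nnp=$(printf '%s\n' "$1" | awk -F: '/^NoNewPrivs:/ {gsub(/[ \t]/, "", $2); print $2}')
    if [ "$seccomp" = "2" ] && [ "$nnp" = "1" ]; then
        echo sandboxed
    elif [ "$seccomp" = "2" ] || [ "$nnp" = "1" ]; then
        echo partial        # one of the two protections missing: worth a look
    else
        echo unsandboxed
    fi
}

# report_live: walk /proc and print "<pid> <state> <cmdline>" for each
# process that looks like a Firefox content process.
report_live() {
    for pid in /proc/[0-9]*; do
        pid=${pid#/proc/}
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null) || continue
        case "$cmd" in
            *-contentproc*) ;;
            *) continue ;;
        esac
        state=$(sandbox_state "$(cat "/proc/$pid/status" 2>/dev/null)")
        printf '%s\t%s\t%s\n' "$pid" "$state" "$cmd"
    done
}

# Constructed sample status excerpts so the classifier can be exercised offline.
SAMPLE_CONTENT='Name:   Isolated Web Co
Pid:    12345
NoNewPrivs:     1
Seccomp:        2
Seccomp_filters:        1'

SAMPLE_PARENT='Name:   firefox
Pid:    12300
NoNewPrivs:     0
Seccomp:        0'

if [ "${1:-}" = "--live" ]; then
    report_live
else
    printf 'constructed content process: %s\n' "$(sandbox_state "$SAMPLE_CONTENT")"
    printf 'constructed parent process:  %s\n' "$(sandbox_state "$SAMPLE_PARENT")"
fi
```

Run it with --live on a Linux desktop with Firefox open; any content process reported as partial or unsandboxed is a finding, whereas a javascript: URI that navigates a tab after setTimeout still runs inside whichever content process owns that tab, so the alert it raises proves nothing about integrity level or seccomp state.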