Compromised content process can generate gamepad events via PGamepadTestChannelChild::SendGamepadTestEvent
Categories: Core :: DOM: Device Interfaces, defect, P1
People: Reporter: mccr8, Assigned: cmartin
Details: Keywords: csectype-sandbox-escape, sec-moderate; Whiteboard: [post-critsmash-triage][adv-main101+r][adv-esr91.10+r]
Attachments (1 file): 48 bytes, text/x-phabricator-request; flags: RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr91+
Description (Reporter, mccr8):
I haven't tried this myself, but it looks like a compromised content process could generate fake events via the PGamepadTestChannelChild::SendGamepadTestEvent message. This will make the parent end up in GamepadTestChannelParent::RecvGamepadTestEvent, where it generates some kind of event. It looks like this would require that GamepadPlatformService is initialized first, but presumably that's something you can do from even a regular web page (gamepad is on by default).
I'd imagine the exploitability of this is rather low, as presumably browser UI doesn't listen for these events, nor do most webpages. Maybe you could make somebody run off a cliff in a game or something...
Comment 1 (Assignee, cmartin):
I'll set to P3 and UNCONFIRMED because we don't have JS showing that this is possible, and IIUC this shouldn't be possible because requestGamepadServiceTest() is behind a pref that is false by default and only enabled by the gamepad testing.
Of course, it's possible there is some logic problem in our code that may lead to that actor being available when it shouldn't be, but just on quick inspection I don't see a code path that leads to that.
Comment 2 (Reporter, mccr8):
(In reply to Chris Martin [:cmartin] from comment #1)
> I'll set to P3 and UNCONFIRMED because we don't have JS showing that this is possible, and IIUC this shouldn't be possible because
> requestGamepadServiceTest() is behind a pref that is false by default and only enabled by the gamepad testing.
Right, this is not directly possible from content JS. The scenario here is that the attacker has found some other vulnerability, say in the JS JIT, in a content process, which after some series of complex steps has enabled them to run arbitrary code in a content process. Once they've done this, the pref guards in WebIDL in the content process are irrelevant, and they can just send whatever IPC message they want to the parent process. It is like they are able to write whatever C++ code they want in the content process.
The danger is that the parent process runs at a higher level of privilege than the content process. Almost every modern browser exploit (including the recent Firefox zero day) works like this. This specific case seems fairly benign, but maybe an imaginative attacker could do something with it.
I'm going to re-reset the flags. Let me know if you want some more explanation of the attack scenario. Thanks.
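The trust-boundary point made in comment 2 (a pref guard inside the content process is worthless once that process is compromised, so the parent-side handler must re-check the pref itself) is easy to model. The following is an added illustration written for this page, not Firefox code; `IpcResult`, `GamepadTestEvent`, `ParentPrefs`, `GamepadDispatchLog`, the two `RecvGamepadTestEvent_*` functions and `SimulateBypassedChild` are hypothetical stand-ins, and the pref field is a placeholder because the bug page only says the API is "behind a pref that is false by default". It shows the unchecked handler beside the checked one and a child that sends the message regardless of its own local pref copy.

```cpp
// Added example, not Firefox code. Models the lesson of this bug: a pref that
// is only checked in the content process (the WebIDL guard on
// requestGamepadServiceTest()) can be bypassed by a compromised content
// process, so the parent-side IPC handler must re-check the pref itself.
// All type and function names below are hypothetical stand-ins.
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for the IPC layer's accept/reject signal. In a real browser a
// rejected message is where the parent would terminate the misbehaving child.
enum class IpcResult { Ok, Fail };

// Constructed message shape; the real IPDL message layout is not on the page.
struct GamepadTestEvent {
  unsigned index;     // which fake gamepad
  std::string kind;   // "button" or "axis"
  double value;
};

// The parent process's own copy of preferences. The field name is a
// placeholder for the real gamepad-testing pref, which the page does not name.
struct ParentPrefs {
  bool gamepadTestingEnabled = false;  // false by default, as the bug states
};

// Records what the parent actually forwarded into the platform gamepad
// service, so a test can see whether a fake event got through.
struct GamepadDispatchLog {
  std::vector<GamepadTestEvent> dispatched;
};

// Before the fix: the parent trusts that the child only sends this message
// when the pref is on, and dispatches unconditionally.
IpcResult RecvGamepadTestEvent_Unchecked(const GamepadTestEvent& ev,
                                         const ParentPrefs& /*unused*/,
                                         GamepadDispatchLog& log) {
  log.dispatched.push_back(ev);
  return IpcResult::Ok;
}

// After the fix: the parent consults its own pref store and rejects the
// message outright if the testing API is not enabled. Nothing the child
// claims about its own state is consulted.
IpcResult RecvGamepadTestEvent_Checked(const GamepadTestEvent& ev,
                                       const ParentPrefs& prefs,
                                       GamepadDispatchLog& log) {
  if (!prefs.gamepadTestingEnabled) {
    return IpcResult::Fail;  // message is not legal in this configuration
  }
  log.dispatched.push_back(ev);
  return IpcResult::Ok;
}

// How many fake events the parent accepted under each handler.
struct Outcome {
  std::size_t acceptedUnchecked;
  std::size_t acceptedChecked;
};

// Models a content process whose in-process pref guard no longer matters:
// it sends the message whatever its own pref copy says. Only the parent's
// pref value is varied, because that is the only check the parent controls.
Outcome SimulateBypassedChild(bool parentPrefOn) {
  ParentPrefs prefs;
  prefs.gamepadTestingEnabled = parentPrefOn;
  GamepadDispatchLog before;
  GamepadDispatchLog after;
  // Constructed sample message: press button 0 on gamepad 0.
  const GamepadTestEvent fake{0, "button", 1.0};
  RecvGamepadTestEvent_Unchecked(fake, prefs, before);
  RecvGamepadTestEvent_Checked(fake, prefs, after);
  return Outcome{before.dispatched.size(), after.dispatched.size()};
}
```

With the pref left at its default the unchecked handler forwards the fake event while the checked one rejects it; with the pref on (the gamepad test configuration) both behave the same, which is why the landed fix "changes nothing if the content process is not compromised".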
Comment 3 (Assignee, cmartin):
Comment 4:
Add missing check of gamepad testing pref r=dveditz,mccr8
https://hg.mozilla.org/integration/autoland/rev/728b8cc59bc515973e7a015186d1fb622a4c4da1
https://hg.mozilla.org/mozilla-central/rev/728b8cc59bc5
Comment 5:
Please nominate this for Beta and ESR approval when you get a chance. It grafts cleanly as-landed.
Comment 6 (Assignee, cmartin):
Comment on attachment 9275536 [details]
Bug 1765610 - Add missing check of gamepad testing pref
Beta/Release Uplift Approval Request
- User impact if declined: Machines may be targeted by an exploit that uses GamepadServiceTest to simulate fake gamepad actions and possibly may be used creatively to escape sandboxing, since this API was never designed to be hardened against attack
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It only affects a testing API, and it changes nothing if the content process is not compromised by an attacker
- String changes made/needed:
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is very low risk and disables an IPC actor that was never designed to be hardened against attack
- User impact if declined: Machines may be targeted by an exploit that uses the GamepadServiceTest to simulate fake gamepad actions
- Fix Landed on Version: 103
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It only affects a testing API, and it changes nothing if the content process is not compromised by an attacker
Comment 7:
Comment on attachment 9275536 [details]
Bug 1765610 - Add missing check of gamepad testing pref
Approved for 101.0b6 and 91.10esr.
Comment 8 (uplift):
Comment 9 (uplift):