Bug 284627 - arbitrary code execution via sidebar
Status: VERIFIED FIXED
Whiteboard: [sg:fix] CAN-2005-0402
Keywords: fixed-aviary1.0.2, testcase
Product: Firefox
Classification: Client Software
Component: Security
Version: Trunk
Platform: All (All)
Importance: -- critical
Target Milestone: ---
Assigned To: Mike Connor [:mconnor]
Reported: 2005-03-03 08:25 PST by bugzilla
Modified: 2011-08-05 22:34 PDT
Flags: dveditz: blocking‑aviary1.0.2+; brendan: blocking‑aviary1.5+; bob: in‑testsuite?


Attachments
testcase (679 bytes, text/html), 2005-03-03 08:26 PST, bugzilla
add sidebar panel page (519 bytes, text/html), 2005-03-03 08:29 PST, bugzilla
testcase 2 (892 bytes, text/html), 2005-03-04 02:53 PST, bugzilla
add sidebar panel page 2 (519 bytes, text/html), 2005-03-04 02:54 PST, bugzilla
add security check to web panel links (3.04 KB, patch), 2005-03-05 17:20 PST, Mike Connor [:mconnor]; flags: bzbarsky: review-, brendan: approval‑aviary1.0.3+
testcase 3 - "Plug-ins Finder" (1.10 KB, text/html), 2005-03-05 23:44 PST, bugzilla
patch with more wrapper-fu (3.98 KB, patch), 2005-03-06 10:45 PST, Mike Connor [:mconnor]; flags: bryner: review+, dveditz: superreview+, asa: approval‑aviary1.0.2+

Description bugzilla 2005-03-03 08:25:41 PST
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050302 Firefox/1.0+

Sidebar allows an attacker to link to the privileged content (such as
about:config) and run arbitrary code on the content.

Reproducible: Always

Steps to Reproduce:
1. Bookmark testcase as sidebar panel
2. Click links in order

Actual Results:  
about:config is loaded. "browser.startup.homepage" will be overwritten.
Further attacks can be done successfully.

Expected Results:  
Link to the privileged content should be blocked.
Comment 1 bugzilla 2005-03-03 08:26:49 PST
Created attachment 176152 [details]
testcase
Comment 2 bugzilla 2005-03-03 08:29:11 PST
Created attachment 176153 [details]
add sidebar panel page

Use this page to add the testcase to bookmark panel.
Comment 3 bugzilla 2005-03-03 09:00:23 PST
Sorry for spam...

Steps to Reproduce (corrected):
1. Bookmark testcase as sidebar panel
2. Select "Sidebar Attack Test" from your bookmark and load it in the sidebar
3. Click links in order
Comment 4 bugzilla 2005-03-04 02:53:04 PST
Created attachment 176250 [details]
testcase 2

This test case will erase localstore.rdf file in your profile directory.
Comment 5 bugzilla 2005-03-04 02:54:41 PST
Created attachment 176251 [details]
add sidebar panel page 2

Use this page to add the testcase 2 to bookmark panel.
Comment 6 Boris Zbarsky [:bz] 2005-03-04 23:37:40 PST
> 1. Bookmark testcase as sidebar panel

Is this a Firefox-specific feature?  I don't see a way to do this in Mozilla...
Comment 7 bugzilla 2005-03-05 00:26:58 PST
(In reply to comment #6)
>> 1. Bookmark testcase as sidebar panel
> 
> Is this a Firefox-specific feature?  I don't see a way to do this in Mozilla...

This "add sidebar tab" feature works in Mozilla Suite too. But to do so, you
have to open sidebar at least once with new profile. Maybe known bug.

In Mozilla Suite, the testcase failed to load about:config. Expected security
error appears in JavaScript Console. This is a Firefox-specific bug.
Comment 8 Boris Zbarsky [:bz] 2005-03-05 10:22:13 PST
There also seems to be no "security" component for Firefox, so putting in
General, I guess....

This sounds like a pretty critical issue to me, though.
Comment 9 Mike Connor [:mconnor] 2005-03-05 17:20:29 PST
Created attachment 176416 [details] [diff] [review]
add security check to web panel links

Because we special-cased web panel links here, we skipped any existing security
checks, and just loaded stuff directly.  Yay us.  This patch handles both
testcases properly, with proper errors in the JS console.

Bonus: By forcing javascript: links to execute in the sidebar, sidebars like 
http://sidebar.cnn.com/browsers/ns6/cnn.com.expanded.html will now work.
Comment 10 Ben Goodger (use ben at mozilla dot org for email) 2005-03-05 17:49:29 PST
Comment on attachment 176416 [details] [diff] [review]
add security check to web panel links

r=ben@mozilla.org
Comment 11 Brendan Eich [:brendan] 2005-03-05 18:53:56 PST
Comment on attachment 176416 [details] [diff] [review]
add security check to web panel links

Any way to fix this via an update to the two .js files, not a full app update?

/be
Comment 12 Brendan Eich [:brendan] 2005-03-05 19:22:50 PST
mconnor, thanks for patching.

/be
Comment 13 Mike Connor [:mconnor] 2005-03-05 19:30:41 PST
Not specifically the two js files, but both are contained in browser.jar and we
can just install a new copy over top with an XPI.  Zipped, the current
browser.jar is 261k on Windows.
Comment 14 Darin Fisher 2005-03-05 19:47:58 PST
yeah, that sounds like a reasonable solution provided the firefox user has write
permission to the installation directory.
Comment 15 bugzilla 2005-03-05 23:44:53 PST
Created attachment 176441 [details]
testcase 3 - "Plug-ins Finder"

"data:" URL example.
Comment 16 Mike Connor [:mconnor] 2005-03-06 07:54:52 PST
Hmm, the downside of the XPI route is the old "running 'sudo firefox' nukes
bookmarks and friends" problem that hit people the last time we issued an XPI
security release.  If we go down that route, we need to have a significant
warning in the instructions for *nix boxes.
Comment 17 Boris Zbarsky [:bz] 2005-03-06 09:30:03 PST
Comment on attachment 176416 [details] [diff] [review]
add security check to web panel links

Er... Can't sites change what document.location returns by setting up Js object
setters, etc?  As in, don't you need a sprinkling of XPCNativeWrapper in this
code?  Specifically:

1)  You want to get the ownerDocument from a wrapper (say change |wrapper| to
    also expose ownerDocument).
2)  You then want to wrap the document before getting .location.
3)  You probably also want to wrap the location object itself...

Marking review-, since this patch doesn't actually prevent a sufficiently
malicious site from exploiting this code...
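The wrapper problem bz raises above, as an added illustration that is not part of the patch or of Firefox's own code: a privileged check that reads the link's owner document through ordinary property access can be fed a forged `location`, because page script may define an own property of that name on the document object; reading through the native accessor on the prototype (the role XPCNativeWrapper plays in the real patch) ignores such shadowing. All names here (ContentDocument, wrappedHref, naiveHref, isPrivilegedUrl, checkWebPanelLink, shadowedSample) are hypothetical, and the sample documents are constructed for the example.

```javascript
// Added illustration, not Firefox code: why the web-panel link check must read
// the link's owner document through a wrapper instead of trusting properties
// that page script can shadow. ContentDocument, wrappedHref, naiveHref,
// isPrivilegedUrl, checkWebPanelLink and shadowedSample are hypothetical names.

// Stand-in for a DOM document: the real `location` accessor lives on the
// prototype, just as the native one does in the browser.
class ContentDocument {
  constructor(href) {
    this._nativeHref = href;
  }
  get location() {
    return { href: this._nativeHref };
  }
}

// Wrapper-style access: fetch the accessor from the prototype and apply it to
// the instance, so a same-named own property defined by page script is never
// consulted. This stands in for XPCNativeWrapper in the real patch.
const nativeLocationGetter = Object.getOwnPropertyDescriptor(
  ContentDocument.prototype, 'location').get;

function wrappedHref(doc) {
  return String(nativeLocationGetter.call(doc).href);
}

// Naive access: takes whatever the object reports, own properties included.
function naiveHref(doc) {
  return String(doc.location.href);
}

// Schemes a web panel must not let an unprivileged page link to.
// about:blank is the one about: URL ordinary content may open.
const PRIVILEGED_SCHEMES = ['about:', 'chrome:'];

function isPrivilegedUrl(url) {
  const lower = String(url).trim().toLowerCase();
  if (lower === 'about:blank') return false;
  return PRIVILEGED_SCHEMES.some((scheme) => lower.startsWith(scheme));
}

function isChromeOrigin(href) {
  return href.toLowerCase().startsWith('chrome://');
}

// Decide whether a link clicked inside the sidebar panel may be followed.
// `readHref` selects how the owner document's location is read; the default
// is the wrapper-style read. Returns { allowed, reason }, with the reason
// phrased like the console error the fixed build reports.
function checkWebPanelLink(ownerDoc, targetUrl, readHref = wrappedHref) {
  const source = readHref(ownerDoc);
  if (isPrivilegedUrl(targetUrl) && !isChromeOrigin(source)) {
    return {
      allowed: false,
      reason: `Security Error: Content at ${source} may not load or link to ${targetUrl}.`,
    };
  }
  return { allowed: true, reason: '' };
}

// Constructed sample: an ordinary https document whose page script has
// defined its own `location` property carrying a chrome-looking value.
function shadowedSample() {
  const doc = new ContentDocument('https://example.test/sidebar.html');
  Object.defineProperty(doc, 'location', {
    value: { href: 'chrome://browser/content/browser.xul' },
  });
  return doc;
}
```

Run with `checkWebPanelLink(shadowedSample(), 'about:config', naiveHref)` and the naive read reports a chrome origin and lets the link through; the default wrapper-style read still sees the https origin and refuses it, which is the difference between the first patch and the "more wrapper-fu" one.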
Comment 18 Mike Connor [:mconnor] 2005-03-06 10:45:35 PST
Created attachment 176487 [details] [diff] [review]
patch with more wrapper-fu
Comment 19 Daniel Veditz [:dveditz] 2005-03-10 17:52:37 PST
I assume these flags were group-moved to 1.0.3, we really want this in 1.0.2 I
think.
Comment 20 Asa Dotzler [:asa] 2005-03-14 11:51:35 PST
Yes, we want this in 1.0.2
Comment 21 Asa Dotzler [:asa] 2005-03-15 08:22:21 PST
Comment on attachment 176487 [details] [diff] [review]
patch with more wrapper-fu

a=asa for 1.0.2 landing.
Comment 22 Daniel Veditz [:dveditz] 2005-03-15 15:09:05 PST
Comment on attachment 176487 [details] [diff] [review]
patch with more wrapper-fu

setting review flags
Comment 23 Daniel Veditz [:dveditz] 2005-03-15 17:56:55 PST
Comment on attachment 176487 [details] [diff] [review]
patch with more wrapper-fu

sr=dveditz
bz says he gave a verbal r= to this patch when it was first posted, just never
made it into the bug.
Comment 24 Daniel Veditz [:dveditz] 2005-03-15 18:38:15 PST
Fix checked in to trunk and aviary-1.0.1 branch
Comment 25 bugzilla 2005-03-17 11:15:32 PST
Verified on Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2)
Gecko/20050317 Firefox/1.0+

JavaScript Console says "Security Error: Content at
https://bugzilla.mozilla.org/attachment.cgi?id=176250 may not load or link to
about:config."
Comment 26 sairuh (rarely reading bugmail) 2005-03-17 11:22:00 PST
this also looks good using 2005031707-1.0.2 firefox bits on linux fc3 with the 2
test cases.
Comment 27 Tracy Walker [:tracy] 2005-03-17 12:31:46 PST
looks good on Windows 2005-03-17-06-aviary1.0.1
Comment 28 Daniel Veditz [:dveditz] 2005-03-21 13:20:56 PST
Reference id: CAN-2005-0402
Comment 29 Daniel Veditz [:dveditz] 2005-03-23 13:39:52 PST
Advisory published: http://www.mozilla.org/security/announce/mfsa2005-31.html
Comment 30 Hiro 2005-03-24 22:24:16 PST
(In reply to comment #2)
> Created an attachment (id=176153)
> add sidebar panel page

The following errors go out to JavaScript Console when this test case is executed.

Error: makeURI is not defined
Source File: chrome://browser/content/contentAreaUtils.js
Line: 108

Windows XP SP1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317
Firefox/1.0.2
