Closed Bug 289075 Opened 19 years ago Closed 19 years ago

security hole in View Selection Source

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 289074

People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

Details

(Whiteboard: [sg:dupe 289074])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319

Vulnerability: arbitrary code execution

Vulnerable code:
from nsContextMenu.prototype.viewPartialSource() in browser.js

if (context == "selection")
    reference = focusedWindow.__proto__.getSelection.call(focusedWindow);

window.openDialog("chrome://global/content/viewPartialSource.xul",
                  "_blank", "scrollbars,resizable,chrome,dialog=no",
                  docUrl, docCharset, reference, context);

 ->
from onLoadViewPartialSource() in viewPartialSource.js

if (window.arguments[3] == 'selection')
  viewPartialSourceForSelection(window.arguments[2]);

 ->
from viewPartialSourceForSelection() in viewPartialSource.js

function viewPartialSourceForSelection(selection)
{
  var range = selection.getRangeAt(0);
  var ancestorContainer = range.commonAncestorContainer;
  var doc = ancestorContainer.ownerDocument;

  var startContainer = range.startContainer;
  var endContainer = range.endContainer;
  var startOffset = range.startOffset;
  var endOffset = range.endOffset;


Exploit:

  reference = focusedWindow.__proto__.getSelection.call(focusedWindow);

This line should use |Components.lookupMethod| or |XPCNativeWrapper|, because
web pages can manipulate the prototype of the Window, such as the following.

  window.__proto__.getSelection = function() { ... };

Even if it used |Components.lookupMethod| instead of |__proto__.getSelection|,
the code in viewPartialSourceForSelection() is still exploitable, because web
pages can manipulate the prototype of Selection objects, such as the following.

  getSelection().__proto__.getRangeAt = function() { ... };

Also, web pages can manipulate the prototype of Range objects, such as the
following.

  document.createRange().__proto__
  .__defineGetter__("commonAncestorContainer", function() { ... });


I have confirmed that the following testcase works in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317
Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Firefox/1.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404
Firefox/1.0+
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404


Reproducible: Always

Steps to Reproduce:
Attached file testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: sbb?
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Blocks: 289187
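The trust-boundary problem the report describes, as an added stand-alone model (not Mozilla code and not the attached testcase): privileged code that resolves methods and getters through prototypes that page script controls ends up running the page's functions, while code that captures the pristine native references before any untrusted script runs, and applies them with .call(), is unaffected. Components.lookupMethod and XPCNativeWrapper are Gecko-only, so the "capture at load time" approach below is an analogue of what they provide, not their implementation. FakeSelection, FakeRange, viewPartialSourceNaive, viewPartialSourceHardened, detectPrototypeTampering and simulatePageOverrides are all hypothetical names; the strings are constructed sample values.

```javascript
// Added example (not Mozilla code): model of the trust boundary from bug 289075.
// "Content" objects: their prototypes are writable by untrusted page script.
class FakeRange {
  constructor(text) { this._text = text; }
  // Stands in for Range.commonAncestorContainer, a prototype getter.
  get commonAncestorContainer() { return { nodeName: "#text", data: this._text }; }
}

class FakeSelection {
  constructor(ranges) { this._ranges = ranges; }
  // Stands in for Selection.getRangeAt, a prototype method.
  getRangeAt(i) { return this._ranges[i]; }
}

// Pristine references, captured once at "chrome load time", i.e. before any
// page script has run. This models what Components.lookupMethod /
// XPCNativeWrapper give privileged code: the native member, not the override.
const pristine = {
  getRangeAt: FakeSelection.prototype.getRangeAt,
  commonAncestorContainerGetter:
    Object.getOwnPropertyDescriptor(FakeRange.prototype, "commonAncestorContainer").get,
};

// Naive privileged code, mirroring viewPartialSourceForSelection(): every
// property lookup walks the content-controlled prototype chain at call time.
function viewPartialSourceNaive(selection) {
  const range = selection.getRangeAt(0);
  const container = range.commonAncestorContainer;
  return container.data;
}

// Hardened privileged code: invokes the captured natives on the content
// object, so page edits to the prototypes do not change which function runs.
function viewPartialSourceHardened(selection) {
  const range = pristine.getRangeAt.call(selection, 0);
  const container = pristine.commonAncestorContainerGetter.call(range);
  return container.data;
}

// Integrity check a privileged caller can run before trusting a content
// object: names of prototype members that no longer match the pristine ones.
function detectPrototypeTampering() {
  const tampered = [];
  if (FakeSelection.prototype.getRangeAt !== pristine.getRangeAt) {
    tampered.push("Selection.getRangeAt");
  }
  const desc = Object.getOwnPropertyDescriptor(FakeRange.prototype, "commonAncestorContainer");
  if (!desc || desc.get !== pristine.commonAncestorContainerGetter) {
    tampered.push("Range.commonAncestorContainer");
  }
  return tampered;
}

// Models a page rewriting the prototypes in the way the report describes
// (getSelection().__proto__.getRangeAt = ..., __defineGetter__ on Range).
// The replacements only return marker values so the effect is visible.
function simulatePageOverrides() {
  FakeSelection.prototype.getRangeAt = function () {
    return new FakeRange("page-supplied range");
  };
  Object.defineProperty(FakeRange.prototype, "commonAncestorContainer", {
    get() { return { nodeName: "#text", data: "page-supplied container" }; },
    configurable: true,
  });
}

// Runs both callers before and after the page tampers with the prototypes.
function demo() {
  const selection = new FakeSelection([new FakeRange("genuine selection")]);
  const snapshot = () => ({
    naive: viewPartialSourceNaive(selection),
    hardened: viewPartialSourceHardened(selection),
    tampered: detectPrototypeTampering(),
  });
  const before = snapshot();
  simulatePageOverrides();
  const after = snapshot();
  return { before, after };
}
```

Before the overrides both callers return "genuine selection" and the tampering check is empty; afterwards the naive caller returns the page-supplied value while the hardened caller still returns "genuine selection", and the check names both rewritten members. The capture approach only works if the references are taken before untrusted script can run, which is exactly the guarantee the Gecko APIs provide without relying on timing.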
Same eval problem as reported in bug 289074.

*** This bug has been marked as a duplicate of 289074 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 289074]
Flags: blocking1.7.7?
Flags: blocking-aviary1.0.3?
Group: security
Blocks: sbb+
No longer blocks: sbb?