Link tag allows to execute arbitrary code without user interaction

RESOLVED FIXED

Status

()

Core
Security
--
major
RESOLVED FIXED
12 years ago
10 years ago

People

(Reporter: Michael Krax, Assigned: dveditz)

Tracking

({fixed-aviary1.0.3, fixed1.7.7})

1.0 Branch
fixed-aviary1.0.3, fixed1.7.7
Points:
---
Bug Flags:
blocking1.7.7 +
blocking-aviary1.0.3 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix], URL)

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3

The link tag allows to load a custom image as the icon for a website, displayed
in the location bar and in the tab title. By setting the href attribute of this
tag to a javascript url, it is possible to call chrome functions and run
arbitrary code without user interaction.



Reproducible: Always

Steps to Reproduce:
1. Open http://bugzilla:kN2P9wk@www.mikx.de/firelinking/
2. Follow instructions




The example is cross platform: On Windows this example creates the file
c:\booom.bat and launches it (opens a dos box with a dir command). On Linux
(tested Fedora Core) and MacOSX the example creates the file ~/booom.txt or
/booom.txt. 

The non-windows examples are only roughly tested. Please don't complain if not
working. The way i need to double encode the backslash on linux looks a little
fishy and i doubt every Mac user can write to root by default. You get full user
rights with UniversalXPConnect, so everything else is just a matter of
implementation time.
(Assignee)

Comment 1

12 years ago
Confirming. Looks like it would work in the Suite, too, with a little quote
tweaking -- it got as far as the delayedOpenWindow() call so it's already
running with chrome privs.
Assignee: firefox → dveditz
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3+
Whiteboard: [sg:fix]
Created attachment 180499 [details] [diff] [review]
possible patch

I think this should fix it, but the testcase gives an error on Linux, and I
think the error is very early in the process:

Error: illegal character
Source File:
javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'~/booom.txt\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write(output,output.length);outputStream.close();

Line: 1, Column: 51
Source Code:
netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'~/booom.txt\');file.createUnique(Components.interfaces



If somebody could try this on Windows that would be nice.
Comment on attachment 180499 [details] [diff] [review]
possible patch

This doesn't actually work; I fixed the testcase by making the Linux line look
like the others (changing "\\\'" to "\'").
Attachment #180499 - Attachment is obsolete: true
(Reporter)

Comment 4

12 years ago
I knew this \\\' was fishy. It turned out i tested linux on a really old 0.9
build that required that encoding (for whatever reason). Tested again with a 1.0
and it requires a \' only. Changed the PoC accordingly.
Comment on attachment 180499 [details] [diff] [review]
possible patch

I also had a zombie firefox process running earlier.  This patch works fine.
Attachment #180499 - Attachment is obsolete: false
Attachment #180499 - Flags: superreview?(brendan)
Attachment #180499 - Flags: review?(dveditz)
Created attachment 180541 [details] [diff] [review]
alternative patch

We really shouldn't block data:, though, since it's useful for favicons.
Attachment #180499 - Attachment is obsolete: true
Attachment #180541 - Flags: superreview?(brendan)
Attachment #180541 - Flags: review?(dveditz)
Comment on attachment 180541 [details] [diff] [review]
alternative patch

sr=me if you can prove we're not vulnerable to data: URLs encoding script (in a
data: text/html URL, or otherwise).

/be
Attachment #180541 - Flags: superreview?(brendan) → superreview+
Comment on attachment 180499 [details] [diff] [review]
possible patch

Neither dveditz nor I have been able to write an exploit using data: URLs, so I
think the alternative patch is ok.
Attachment #180499 - Flags: superreview?(brendan)
Attachment #180499 - Flags: review?(dveditz)
Created attachment 180544 [details] [diff] [review]
patch for 1.7 branch

A bunch of stuff wasn't on the 1.7 branch; this merges it.
Created attachment 180545 [details] [diff] [review]
patch for 1.7 branch

Better merge.
Attachment #180544 - Attachment is obsolete: true

Comment 11

12 years ago
Comment on attachment 180541 [details] [diff] [review]
alternative patch

a=chase pending dbaron's review
Attachment #180541 - Flags: approval-aviary1.0.3+

Comment 12

12 years ago
Moving to Core.
Component: Security → Security
Flags: review?(dveditz)
Product: Firefox → Core
Version: unspecified → 1.0 Branch

Comment 13

12 years ago
blocking1.7.7+
Flags: blocking1.7.7+

Comment 14

12 years ago
Comment on attachment 180545 [details] [diff] [review]
patch for 1.7 branch

assuming this is the patch you want to go with, a=chase pending r/sr
Attachment #180545 - Flags: approval1.7.7+
Attachment #180541 - Flags: review?(dveditz)
(Assignee)

Comment 15

12 years ago
Comment on attachment 180541 [details] [diff] [review]
alternative patch

r=dveditz
I was worried about data: urls, but after a bunch of debugging it looks like
this is never used in a context that would parse it as html and run scripts.
I'm still a little nervous
Attachment #180541 - Flags: review?(dveditz) → review+
(Assignee)

Comment 16

12 years ago
Comment on attachment 180545 [details] [diff] [review]
patch for 1.7 branch

r=dveditz
carrying over sr on the grounds that this makes 1.7 match already-reviewed
aviary.
Attachment #180545 - Flags: superreview+
Attachment #180545 - Flags: review+
Keywords: fixed-aviary1.0.3, fixed1.7.7
Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 18

12 years ago
Fix released
Group: security
(Assignee)

Updated

12 years ago
Blocks: 256197

Updated

12 years ago
Flags: testcase+

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.