Closed Bug 290036 Opened 20 years ago Closed 20 years ago

Link tag allows to execute arbitrary code without user interaction

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
1.0 Branch
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mikx, Assigned: dveditz)

References

(
URL
)

Details

(Keywords: fixed-aviary1.0.3, fixed1.7.7, Whiteboard: [sg:fix])

Attachments

(2 files, 2 obsolete files)

alternative patch
2.92 KB, patch
dveditz
: review+
brendan
: superreview+
chase
: approval-aviary1.0.3+
Details | Diff | Splinter Review
patch for 1.7 branch
3.78 KB, patch
dveditz
: review+
dveditz
: superreview+
chase
: approval1.7.7+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3 The link tag allows to load a custom image as the icon for a website, displayed in the location bar and in the tab title. By setting the href attribute of this tag to a javascript url, it is possible to call chrome functions and run arbitrary code without user interaction. Reproducible: Always Steps to Reproduce: 1. Open http://bugzilla:kN2P9wk@www.mikx.de/firelinking/ 2. Follow instructions The example is cross platform: On Windows this example creates the file c:\booom.bat and launches it (opens a dos box with a dir command). On Linux (tested Fedora Core) and MacOSX the example creates the file ~/booom.txt or /booom.txt. The non-windows examples are only roughly tested. Please don't complain if not working. The way i need to double encode the backslash on linux looks a little fishy and i doubt every Mac user can write to root by default. You get full user rights with UniversalXPConnect, so everything else is just a matter of implementation time.
Confirming. Looks like it would work in the Suite, too, with a little quote tweaking -- it got as far as the delayedOpenWindow() call so it's already running with chrome privs.
Assignee: firefox → dveditz
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3+
Whiteboard: [sg:fix]
Attached patch possible patch (obsolete) — Splinter Review
I think this should fix it, but the testcase gives an error on Linux, and I think the error is very early in the process: Error: illegal character Source File: javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'~/booom.txt\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write(output,output.length);outputStream.close(); Line: 1, Column: 51 Source Code: netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'~/booom.txt\');file.createUnique(Components.interfaces If somebody could try this on Windows that would be nice.
Comment on attachment 180499 [details] [diff] [review] possible patch This doesn't actually work; I fixed the testcase by making the Linux line look like the others (changing "\\\'" to "\'").
Attachment #180499 - Attachment is obsolete: true
I knew this \\\' was fishy. It turned out i tested linux on a really old 0.9 build that required that encoding (for whatever reason). Tested again with a 1.0 and it requires a \' only. Changed the PoC accordingly.
Comment on attachment 180499 [details] [diff] [review] possible patch I also had a zombie firefox process running earlier. This patch works fine.
Attachment #180499 - Attachment is obsolete: false
Attachment #180499 - Flags: superreview?(brendan)
Attachment #180499 - Flags: review?(dveditz)
We really shouldn't block data:, though, since it's useful for favicons.
Attachment #180499 - Attachment is obsolete: true
Attachment #180541 - Flags: superreview?(brendan)
Attachment #180541 - Flags: review?(dveditz)
Comment on attachment 180541 [details] [diff] [review] alternative patch sr=me if you can prove we're not vulnerable to data: URLs encoding script (in a data: text/html URL, or otherwise). /be
Attachment #180541 - Flags: superreview?(brendan) → superreview+
Comment on attachment 180499 [details] [diff] [review] possible patch Neither dveditz nor I have been able to write an exploit using data: URLs, so I think the alternative patch is ok.
Attachment #180499 - Flags: superreview?(brendan)
Attachment #180499 - Flags: review?(dveditz)
Attached patch patch for 1.7 branch (obsolete) — Splinter Review
A bunch of stuff wasn't on the 1.7 branch; this merges it.
Comment on attachment 180541 [details] [diff] [review] alternative patch a=chase pending dbaron's review
Attachment #180541 - Flags: approval-aviary1.0.3+
Moving to Core.
Flags: review?(dveditz)
Product: Firefox → Core
Version: unspecified → 1.0 Branch
blocking1.7.7+
Flags: blocking1.7.7+
Comment on attachment 180545 [details] [diff] [review] patch for 1.7 branch assuming this is the patch you want to go with, a=chase pending r/sr
Attachment #180545 - Flags: approval1.7.7+
Comment on attachment 180541 [details] [diff] [review] alternative patch r=dveditz I was worried about data: urls, but after a bunch of debugging it looks like this is never used in a context that would parse it as html and run scripts. I'm still a little nervous
Attachment #180541 - Flags: review?(dveditz) → review+
Comment on attachment 180545 [details] [diff] [review] patch for 1.7 branch r=dveditz carrying over sr on the grounds that this makes 1.7 match already-reviewed aviary.
Attachment #180545 - Flags: superreview+
Attachment #180545 - Flags: review+
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Fix released
Group: security
Blocks: sbb+
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: