
QueryInterface() allows arbitrary code execution

RESOLVED FIXED

Status

Core
XPConnect
--
critical
RESOLVED FIXED
12 years ago
10 years ago

People

(Reporter: shutdown, Assigned: jst)

Tracking

({fixed-aviary1.0.5, fixed1.7.9})

Trunk
fixed-aviary1.0.5, fixed1.7.9
Points:
---
Bug Flags:
blocking1.7.9 +
blocking-aviary1.0.5 +
blocking1.8b3 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

XPConnect wrapped native objects' "QueryInterface" method is a native
function which (erroneously) exposes the privileged Function constructor
as its constructor. Such a privileged constructor can be accessed by an
expression such as "QueryInterface.constructor", and allows attackers
to construct and execute arbitrary privileged code.


Reproducible: Always

Steps to Reproduce:
1. load the testcase.

Actual Results:
The privileged Function constructor can be accessed by
QueryInterface.constructor and allows execution of arbitrary code.


Expected Results:
The privileged Function constructor must not be accessible at all.
(QueryInterface.constructor == Function) is true.
(Reporter)

Comment 1

12 years ago
Created attachment 184163 [details]
testcase

testcase for the problem.
(Reporter)

Comment 2

12 years ago
oneliner testcase
javascript: alert(QueryInterface.constructor("return Components.classes;")());
Confirmed, trunk Linux build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
That said, this may be a duplicate of bug 294795.

Updated

12 years ago
Assignee: dbradley → jst

Comment 5

12 years ago
My Firefox 1.0.4 on WinXP, returns false for the "(QueryInterface.constructor ==
Function)" test.  When I load the testcase, I do not see an alert.  Hmm...

The one liner from comment #2 triggers the following exception:
Error: uncaught exception: Permission denied to get property UnnamedClass.classes

Could my Firefox be configured funny?
Comment 6

12 years ago
confirming on linux - both 1.0.4 and today's cvs trunk.

Comment 7

12 years ago
This doesn't seem limited to QueryInterface.
javascript:alert(open.constructor("return window.document.location.toString();")()); gives me
chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X, so it might
be related to
http://lxr.mozilla.org/seamonkey/source/js/src/xpconnect/src/xpcwrappednativeinfo.cpp#114
(Reporter)

Comment 8

12 years ago
(In reply to comment #7)
> This doesn't seem limited to QueryInterface.
> javascript:alert(open.constructor("return window.document.location.toString();")()); gives me
> chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X

It gives me "about:blank" in Firefox 1.0.4 on Win98.
hiddenWindow.xul is described as a Mac OS X thing on this page:
http://kb.mozillazine.org/About:config_entries

javascript: alert(open.constructor.__parent__);
==> [object ChromeWindow]
Severity: normal → blocker
(Reporter)

Comment 9

12 years ago
I'm sorry. I changed Severity by mistake. Blame me...
Severity: blocker → normal
Blocks: 256195

Updated

12 years ago
Severity: normal → critical
Flags: blocking1.8b3+
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
OS: Windows 98 → All
Hardware: PC → All
Whiteboard: [sg:fix]
Depends on: 294795

Updated

12 years ago
Whiteboard: [sg:fix] → [sg:fix] -need patch

Updated

12 years ago
Whiteboard: [sg:fix] -need patch → [sg:fix] fixed by 294795
(Assignee)

Comment 10

12 years ago
Marking FIXED now that bug 294795 is fixed.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed-aviary1.0.5, fixed1.7.9
Resolution: --- → FIXED

Comment 11

12 years ago
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase, all checks passed.
Adding distributors
Whiteboard: [sg:fix] fixed by 294795 → [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005
Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005 → [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005
Group: security

Updated

11 years ago
Flags: testcase+

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?