Bug 295011 - QueryInterface() allows arbitrary code execution
Status: Closed, RESOLVED FIXED (opened 20 years ago, closed 20 years ago)
Product / Component: Core :: XPConnect (defect)
People: Reporter: sync2d, Assigned: jst
Keywords: fixed-aviary1.0.5, fixed1.7.9
Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005
Attachments: 1 file (2.72 KB, text/html)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
XPConnect wrapped native objects' "QueryInterface" method is a native
function which (erroneously) exposes the privileged Function constructor
as its constructor. Such a privileged constructor can be accessed by an
expression such as "QueryInterface.constructor", and allows attackers
to construct and execute arbitrary privileged code.
Reproducible: Always
Steps to Reproduce:
1. load the testcase.
Actual Results:
The privileged Function constructor can be accessed by
QueryInterface.constructor and allows executing arbitrary code.
Expected Results:
The privileged Function constructor must not be accessible at all.
(QueryInterface.constructor == Function) is true.
oneliner testcase
javascript: alert(QueryInterface.constructor("return Components.classes;")());
Confirmed, trunk Linux build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
That said, this may be a duplicate of bug 294795.
Updated•20 years ago
Assignee: dbradley → jst
Comment 5•20 years ago
My Firefox 1.0.4 on WinXP, returns false for the "(QueryInterface.constructor ==
Function)" test. When I load the testcase, I do not see an alert. Hmm...
The one liner from comment #2 triggers the following exception:
Error: uncaught exception: Permission denied to get property UnnamedClass.classes
Could my Firefox be configured funny?
Comment 6•20 years ago
Confirming on Linux - both 1.0.4 and today's cvs trunk.
Comment 7•20 years ago
This doesn't seem limited to QueryInterface.
javascript:alert(open.constructor("return window.document.location.toString();")()); gives me
chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X, so it might be related to
http://lxr.mozilla.org/seamonkey/source/js/src/xpconnect/src/xpcwrappednativeinfo.cpp#114
(In reply to comment #7)
> This doesn't seem limited to QueryInterface.
> javascript:alert(open.constructor("return window.document.location.toString();")()); gives me
> chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X
It gives me "about:blank" in Firefox 1.0.4 on Win98.
hiddenWindow.xul is described as a Mac OS X thing on this page:
http://kb.mozillazine.org/About:config_entries
javascript: alert(open.constructor.__parent__);
==> [object ChromeWindow]
Severity: normal → blocker
I'm sorry. I changed Severity by mistake. Blame me...
Severity: blocker → normal
Updated•20 years ago
Severity: normal → critical
Flags: blocking1.8b3+
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
OS: Windows 98 → All
Hardware: PC → All
Whiteboard: [sg:fix]
Updated•20 years ago
Whiteboard: [sg:fix] → [sg:fix] -need patch
Updated•20 years ago
Whiteboard: [sg:fix] -need patch → [sg:fix] fixed by 294795
Comment 10•20 years ago
Marking FIXED now that bug 294795 is fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0.5, fixed1.7.9
Resolution: --- → FIXED
Comment 11•20 years ago
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase, all checks passed.
Comment 12•20 years ago
Adding distributors
Updated•20 years ago
Whiteboard: [sg:fix] fixed by 294795 → [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005
Updated•19 years ago
Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005 → [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005
Updated•19 years ago
Group: security
Updated•19 years ago
Flags: testcase+
Updated•18 years ago
Flags: in-testsuite+ → in-testsuite?