Bug 295011 - QueryInterface() allows arbitrary code execution
Status: RESOLVED FIXED
Whiteboard: [sg:fix] fixed by 294795
Keywords: fixed-aviary1.0.5, fixed1.7.9
Product: Core
Classification: Components
Component: XPConnect
Version: Trunk
Hardware: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
QA Contact: Phil Schwartau
Depends on: 294795
Blocks: sbb?

Reported: 2005-05-20 22:20 PDT by shutdown
Modified: 2007-04-01 20:11 PDT
CC: 14 users
Flags:
asa: blocking1.7.9+
asa: blocking-aviary1.0.5+
asa: blocking1.8b3+
bob: in-testsuite?

Attachments
testcase (2.72 KB, text/html) - 2005-05-20 22:22 PDT, shutdown

Description shutdown 2005-05-20 22:20:22 PDT
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

XPConnect wrapped native objects' "QueryInterface" method is a native
function which (erroneously) exposes the privileged Function constructor
as its constructor. Such a privileged constructor can be accessed by an
expression such as "QueryInterface.constructor", and allows attackers
to construct and execute arbitrary privileged code.


Reproducible: Always

Steps to Reproduce:
1. load the testcase.

Actual Results:
The privileged Function constructor can be accessed by
QueryInterface.constructor and allows executing arbitrary code.


Expected Results:
The privileged Function constructor must not be accessible at all.
(QueryInterface.constructor == Function) is true.
Comment 1 shutdown 2005-05-20 22:22:19 PDT
Created attachment 184163 [details]
testcase

testcase for the problem.
Comment 2 shutdown 2005-05-20 22:32:49 PDT
One-liner testcase:
javascript: alert(QueryInterface.constructor("return Components.classes;")());
Comment 3 David Baron :dbaron: 2005-05-21 19:51:15 PDT
Confirmed, trunk Linux build.
Comment 4 David Baron :dbaron: 2005-05-21 19:52:12 PDT
That said, this may be a duplicate of bug 294795.
Comment 5 Darin Fisher 2005-05-21 22:07:26 PDT
My Firefox 1.0.4 on WinXP, returns false for the "(QueryInterface.constructor ==
Function)" test.  When I load the testcase, I do not see an alert.  Hmm...

The one liner from comment #2 triggers the following exception:
Error: uncaught exception: Permission denied to get property UnnamedClass.classes

Could my Firefox be configured funny?
Comment 6 georgi 2005-05-22 03:50:38 PDT
Confirming on Linux - both 1.0.4 and today's CVS trunk.
Comment 7 Peter Van der Beken [:peterv] 2005-05-22 04:04:14 PDT
This doesn't seem limited to QueryInterface.
javascript:alert(open.constructor("return window.document.location.toString();")());
gives me chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X, so it might
be related to
http://lxr.mozilla.org/seamonkey/source/js/src/xpconnect/src/xpcwrappednativeinfo.cpp#114
Comment 8 shutdown 2005-05-22 07:22:22 PDT
(In reply to comment #7)
> This doesn't seem limited to QueryInterface.
> javascript:alert(open.constructor("return window.document.location.toString();")());
> gives me chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X

It gives me "about:blank" in Firefox 1.0.4 on Win98.
hiddenWindow.xul is described as a Mac OS X thing on this page:
http://kb.mozillazine.org/About:config_entries

javascript: alert(open.constructor.__parent__);
==> [object ChromeWindow]
Comment 9 shutdown 2005-05-22 07:36:46 PDT
I'm sorry. I changed Severity by mistake. Blame me...
Comment 10 Johnny Stenback (:jst, jst@mozilla.com) 2005-06-15 23:20:41 PDT
Marking FIXED now that bug 294795 is fixed.
Comment 11 Jay Patel [:jay] 2005-07-06 18:21:09 PDT
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase, all checks passed.
Comment 12 Daniel Veditz [:dveditz] 2005-07-12 11:34:16 PDT
Adding distributors
