QueryInterface() allows arbitrary code execution

Status: RESOLVED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 14 years ago
Modified: 13 years ago

Reporter: sync2d
Assignee: jst

Keywords: fixed-aviary1.0.5, fixed1.7.9

Version: Trunk
Bug Flags:
blocking1.7.9 +
blocking-aviary1.0.5 +
blocking1.8b3 +
in-testsuite ?


Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005

Attachments: 1

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

XPConnect wrapped native objects' "QueryInterface" method is a native
function which (erroneously) exposes the privileged Function constructor
as its constructor. Such a privileged constructor can be accessed by an
expression such as "QueryInterface.constructor", and allows attackers
to construct and execute arbitrary privileged code.


Reproducible: Always

Steps to Reproduce:
1. load the testcase.

Actual Results:
The privileged Function constructor can be accessed by
QueryInterface.constructor and allows executing arbitrary code.


Expected Results:
The privileged Function constructor must not be accessible at all.
(QueryInterface.constructor == Function) is true.
Attachment posted: testcase (testcase for the problem)
One-liner testcase:
javascript: alert(QueryInterface.constructor("return Components.classes;")());
Confirmed, trunk Linux build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
That said, this may be a duplicate of bug 294795.
Assignee: dbradley → jst
My Firefox 1.0.4 on WinXP, returns false for the "(QueryInterface.constructor ==
Function)" test.  When I load the testcase, I do not see an alert.  Hmm...

The one liner from comment #2 triggers the following exception:
Error: uncaught exception: Permission denied to get property UnnamedClass.classes

Could my Firefox be configured funny?
Confirming on Linux - both 1.0.4 and today's CVS trunk.
This doesn't seem limited to QueryInterface.
javascript:alert(open.constructor("return window.document.location.toString();")());
gives me chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X, so it might
be related to
http://lxr.mozilla.org/seamonkey/source/js/src/xpconnect/src/xpcwrappednativeinfo.cpp#114
(In reply to comment #7)
> This doesn't seem limited to QueryInterface.
> javascript:alert(open.constructor("return
> window.document.location.toString();")()); gives me
> chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X

It gives me "about:blank" in Firefox 1.0.4 on Win98.
hiddenWindow.xul is described as a Mac OS X thing on this page:
http://kb.mozillazine.org/About:config_entries

javascript: alert(open.constructor.__parent__);
==> [object ChromeWindow]
Severity: normal → blocker
I'm sorry. I changed Severity by mistake. Blame me...
Severity: blocker → normal
Blocks: sbb?
Severity: normal → critical
Flags: blocking1.8b3+
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
OS: Windows 98 → All
Hardware: PC → All
Whiteboard: [sg:fix]
Whiteboard: [sg:fix] → [sg:fix] -need patch
Whiteboard: [sg:fix] -need patch → [sg:fix] fixed by 294795
Marking FIXED now that bug 294795 is fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase, all checks passed.
Adding distributors
Whiteboard: [sg:fix] fixed by 294795 → [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005
Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005 → [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?