Closed Bug 295011 Opened 19 years ago Closed 19 years ago

QueryInterface() allows arbitrary code execution

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sync2d, Assigned: jst)

References

Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005)

Attachments

(1 file)

testcase
2.72 KB, text/html
Details 
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

XPConnect wrapped native objects' "QueryInterface" method is a native
function which (erroneously) exposes the privileged Function constructor
as its constructor. Such privileged constructor can be accessed by an
expression such as "QueryInterface.constructor", and allows attackers
to construct and execute arbitrary privileged code.


Reproducible: Always

Steps to Reproduce:
1. load the testcase.

Actual Results:  
The privileged Function constructor can be accessed by
QueryInterface.constructor and allows to execute arbitary code.


Expected Results:  
The privileged Function constructor must not be accessable at all.
(QueryInterface.constructor == Function) is true.
Attached file testcase 
testcase for the problem.
oneliner testcase
javascript: alert(QueryInterface.constructor("return Components.classes;")());
Confirmed, trunk Linux build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
That said, this may be a duplicate of bug 294795.
Assignee: dbradley → jst
My Firefox 1.0.4 on WinXP, returns false for the "(QueryInterface.constructor ==
Function)" test.  When I load the testcase, I do not see an alert.  Hmm...

The one liner from comment #2 triggers the following exception:
Error: uncaught exception: Permission denied to get property UnnamedClass.classes

Could my Firefox be configured funny?
confirming on linux - both 1.0.4 and today's cvs trunk.
This doesn't seem limited to QueryInterface.
javascript:alert(open.constructor("return
window.document.location.toString();")()); gives me
chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X, so it might
be related to
http://lxr.mozilla.org/seamonkey/source/js/src/xpconnect/src/xpcwrappednativeinfo.cpp#114

(In reply to comment #7)
> This doesn't seem limited to QueryInterface.
> javascript:alert(open.constructor("return
> window.document.location.toString();")()); gives me
> chrome://browser/content/hiddenWindow.xul in Firefox 1.0.4 on OS X

It gives me "about:blank" in Firefox 1.0.4 on Win98.
hiddenWindow.xul is described as Mac OS X thing in this page.
http://kb.mozillazine.org/About:config_entries

javascript: alert(open.constructor.__parent__);
==> [object ChromeWindow]
Severity: normal → blocker
I'm sorry. I changed Severity by mistake. Blame me...
Severity: blocker → normal
Blocks: sbb?
Severity: normal → critical
Flags: blocking1.8b3+
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
OS: Windows 98 → All
Hardware: PC → All
Whiteboard: [sg:fix]
Depends on: 294795
Whiteboard: [sg:fix] → [sg:fix] -need patch
Whiteboard: [sg:fix] -need patch → [sg:fix] fixed by 294795
Marking FIXED now that bug 294795 is fixed.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed-aviary1.0.5, fixed1.7.9
Resolution: --- → FIXED
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase, all checks passed.
Adding distributors
Whiteboard: [sg:fix] fixed by 294795 → [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005
Whiteboard: [sg:fix] fixed by 294795. Bug details embargoed until July 20, 2005 → [sg:fix] fixed by 294795. Bug details embargoed until August 1, 2005
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: