296449 - Error in string handling within <keygen>

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[Arkadiusz Goralski]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

When you put <keygen> tag into the form then it's transformed into a
simple <SELECT> tag with two <OPTIONS> - 2048 (High grade) and 1024
(Medium grade). But when looking in DOM inspector i've noticed that it
is possible to manipulate these objects (options, to be precise)
trough JavaScript.

After manipulation, KeygenHandler (source:
security/manager/ssl/src/nsKeygenHandler.cpp) is getting a different
string (other size) than it's expecting, causing a crash. Since
KeygenHandler is depending on string values rather than option ID's,
maybe it's possible to create a buffer overflow, and inject external
code? I'm not a CPP guru, so i don't know how to exploit this bug,
please check that.

Reproducible: Always

Steps to Reproduce:
Here's the code causing the crash (in the code i've changed the first
text value of Keygen options):

<html>
<body onload="testit()">
<script language="javascript">
function testit() {
   var s;
   s = document.getElementsByTagName("option");
   s[0].text='00000000000000000000000000000000000';
   document.crashform.submit();
}
</script>
<form name="crashform">
<keygen name="ffkey">
</form>
</body>
</html>

Actual Results:  
Mozilla Firefox 1.04 under Windows XP: crash
Mozilla Firefox 1.03 under Windows XP: crash
Mozilla Firefox 1.02 under Linux: crash
Mozilla Suite 1.6 under Windows 2000: crash
Deer Park Alpha 1 under Windows 2000: crash

Expected Results:  
Display error stopping the key generation process.

Comment 1

[Philip K. Warren]

I can reproduce the crash.

Comment 2

[Philip K. Warren]

Attachment: Patch v1

Fixes the crash. The code was looking for a match of one of the two strings,
and wasn't correctly exiting the loop when a match was not found.

Comment 3

[Daniel Veditz [:dveditz]]

I don't see a security issue here. The code just loops off into space comparing
the input string to chunks of random memory, eventually getting an access
violation trying to read something.

Comment 4

[Daniel Veditz [:dveditz]]

Comment on attachment 185215 [details] [diff] [review]
Patch v1

>-    while (choice) {
>+    while (choice && choice->name) {

You don't need to preserve the check for choice, there's really no way for it
to be null. Similar pattern of checking choice for null down in the
ProvideContent method, but that one has the correct check for choice->name in
addition.

sr=dveditz

a=dveditz for the trunk once you've got r=

Comment 5

[Philip K. Warren]

Is anyone else able to review this patch?

Comment 6

[Kai Engert [:KaiE:]]

Comment on attachment 185215 [details] [diff] [review]
Patch v1

Thanks for the patch

r=kaie

Comment 7

[Philip K. Warren]

Attachment: Patch for checkin

Patch addressing dveditz's comments. Requesting approval for current releases.

Comment 8

[Chase Phillips]

Comment on attachment 189430 [details] [diff] [review]
Patch for checkin

Per 1.0.6 meeting, minusing patch.

Comment 9

[Philip K. Warren]

Fixed on trunk.

Checking in nsKeygenHandler.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsKeygenHandler.cpp,v  <-- 
nsKeygenHandler.cpp
new revision: 1.36; previous revision: 1.35
done