Closed Bug 297877 Opened 19 years ago Closed 18 years ago

PAC scripts can reach out of sandbox via myIpAddress.__parent__ and such

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: shaver, Assigned: darin.moz)

References

(
URL
)

Details

(Keywords: fixed1.8.0.4, fixed1.8.1, Whiteboard: [sg:moderate] sg:critical for PAC users) 

I'm not sure this is exploitable in either the trunk or the branch, so it might
be a false alarm, but they can certainly reach up and mutate objects in Deer
Park 1.1a1.  I'll try to put a test case together tomorrow, but there's
definitely some  testing we should add to our repertoire.  (I don't think my
evalInSandbox changes will make a difference here either way, but the beefed-up
checkAccess calling pattern that just landed might.)
So, I don't think this is a security concern.  The PAC script can already direct
your browser to violate many of its security restrictions.  We implicitly trust
the PAC script because it is configured by the user (or a sys-admin).  There's
no need to mark this security sensitive in my opinion.
With WPAD, it's only implicitly configured by the user (or his delegate); if you
end up on the wrong wireless network you can get some random PAC loaded pretty
quickly.  That's why I thought we might consider it sensitive, but I'm happy for
it to not be.
Right, I mean... a PAC script can re-route all of your network requests to
whatever server it likes pretending to be the server you requested.  Granted,
this doesn't apply to HTTPS traffic, but it still assumes a great amount of
trust on the part of the PAC origin.
Right, though I might be surprised to discover that I'm trusting the PAC site to
"not execute arbitrary code" vs. "not snoop on traffic that travels in the
clear".    In fact, I think I would be quite surprised.
Whiteboard: [sg:fix]
Not blocking beta or 1.5
Flags: blocking1.8b4-
Whiteboard: [sg:fix] → [sg:critical?] see comment 2 for why this might be critical
What is the impact of the problem w/ myIpAddress?
How do you mean?  The impact is as described in this bug: the script can manipulate objects outside the prescribed "sandbox" environment.

I suspect it's also fixed by one of mrbkap's patches for 1.5.0.4, but I forget which.  He'll know and mark the dep, I have faith!
With the checkin for bug 319263, there are no known ways to reach out of the sandbox into the calling chrome code. In particular, <foo>.__proto__, <foo>.__parent__, and (the troublesome) foo.valueOf.call(null) paths are access checked. I'll open a new bug on the underlying problem (unsound security practices while using evalInSandbox), but I believe this bug, as filed, is either FIXED or INVALID.

It's also worth noting, for posterity that dnsResolve and alert were also paths, just as myIpAddress was.

I'll mark this bug as FIXED.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Keywords: fixed1.8.0.4, fixed1.8.1
Whiteboard: [sg:critical?] see comment 2 for why this might be critical → [sg:moderate] sg:critical for PAC users
Flags: in-testsuite-
Group: security
You need to log in before you can comment on or make changes to this bug.