Closed Bug 299520 Opened 19 years ago Closed 19 years ago

Bypassing XPCNativeWrapper by using Object.prototype

Categories

(Core :: Security, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla1.8beta3

People

(Reporter: moz_bug_r_a4, Assigned: bzbarsky)

Details

(Whiteboard: [sg:fix] not ff1.0/moz1.7)

Attachments

(5 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050702 Firefox/1.0+

Content can make chrome access a content-defined object even though 
XPCNativeWrapper auto-wrapping is enabled.

In content window:
  <a id="a" href="test">a</a>
  <b id="b">b</b>
  <script>
  Object.prototype.href = { };
  </script>

Then, in chrome JS:
  content.document.getElementById("a").href is not affected.
  content.document.getElementById("b").href is the content-defined object.


Bug 298892 comment 20 or Bug 299518 can be combined with this bug to execute 
arbitrary code.


Reproducible: Always

Steps to Reproduce:
I've confirmed that this works on:
Firefox/1.0+ 2005-07-02-07-trunk

This is using Node spoofing (Bug 298892 comment 20).
I've confirmed that this works on:
Firefox/1.0+ 2005-07-02-07-trunk

This is using XPCOM interface spoofing (Bug 299518).
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Flags: blocking-aviary1.1+
Comment on attachment 188087 [details]
Bypassing XPCNativeWrapper with Node spoofing

With this test case in DP1.1a1, I get the sidebar opened, but it can't get the
stack:

Error: uncaught exception: Permission denied to get property UnnamedClass.stack
(In reply to comment #3)
> (From update of attachment 188087 [details] [edit])
> With this test case in DP1.1a1, I get the sidebar opened, but it can't get the
> stack:
> 
> Error: uncaught exception: Permission denied to get property UnnamedClass.stack
> 

Bug 221490 is related to this error.  And other bugs are related to the reason 
that attachment 188088 [details] doesn't work on DP1.1a1.

Please test with the new testcases that should work on both 2005-07-03-06 and 
DP1.1a1.
This works on both Deer Park a1 and Firefox/1.0+ 2005-07-03-06.
This works on both Deer Park a1 and Firefox/1.0+ 2005-07-03-06.
Attachment #188087 - Attachment is obsolete: true
Attachment #188088 - Attachment is obsolete: true
I thought the trunk's split wrappers would prevent this. Does wrapping only
apply to native/script properties of the object itself and not if we walk the
prototype chain?

These testcases don't work on the aviary branch.
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
Yeah, wrapping just wraps up the actual object.  And the proto chain goes
through the content protos; I bet the same exploit could be performed with
XPCNativeWrapper.prototype....

The problem is that we really don't want chrome objects as prototypes of the
XPCNativeWrapper.  Perhaps XPCNativeWrapper prototypes should actually be forced
to null explicitly?
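The mechanism the report and the comment above describe, as an added JavaScript model that is not code from this bug or from Mozilla's XPCNativeWrapper: a wrapper that simply forwards property reads to the underlying object hands chrome whatever is reachable through the content-controlled prototype chain (so `b.href` resolves to content's `Object.prototype.href`), while a wrapper that exposes only the target's own properties and itself has a null prototype does not. The names `makeContentWorld`, `naiveWrap`, `safeWrap` and `demo`, the `Proxy`-based wrappers and the sample objects are assumptions of this example; the real wrapper resolves DOM properties through XPConnect rather than JS own properties.

```javascript
// Added example (not from the bug or Mozilla's code base). Models the
// XPCNativeWrapper bypass: a wrapper whose lookups are allowed to continue
// up a prototype chain that content controls, beside one that is not.

// Simulated content-side objects (constructed for this example).
// `a` has its own href, like <a href="test">; `b` has none, like <b>.
function makeContentWorld() {
  const proto = {};                 // stands in for content's Object.prototype
  const a = Object.create(proto);
  a.href = "test";
  const b = Object.create(proto);
  // Content pollutes its prototype, as in the bug's test case.
  proto.href = { contentDefined: true };
  return { a, b };
}

// Naive wrapper: forwards any property read, so inherited (content-defined)
// properties are visible to the caller as if they were the node's own.
function naiveWrap(target) {
  return new Proxy({}, {
    get(_, prop) { return target[prop]; }
  });
}

// Hardened wrapper: only properties the wrapped object itself owns are
// visible; anything inherited reads as undefined. The wrapper also has a
// null prototype, so no Object.prototype (chrome's or content's) sits in
// its lookup chain, which is the "forced to null" idea from the comment.
function safeWrap(target) {
  return new Proxy(Object.create(null), {
    get(_, prop) {
      return Object.prototype.hasOwnProperty.call(target, prop)
        ? target[prop]
        : undefined;
    },
    getPrototypeOf() { return null; }
  });
}

// Reads href through both wrappers for both nodes and returns the results.
function demo() {
  const { a, b } = makeContentWorld();
  return {
    naiveA: naiveWrap(a).href,   // "test": own property, unaffected
    naiveB: naiveWrap(b).href,   // content-defined object leaks through
    safeA: safeWrap(a).href,     // "test": own property still visible
    safeB: safeWrap(b).href,     // undefined: inherited property blocked
    safeProto: Object.getPrototypeOf(safeWrap(b))  // null
  };
}
```

The point of the comparison is the second read: with the naive wrapper, chrome code that checks `if (node.href)` on a wrapped `<b>` receives an object content constructed, exactly the condition the reporter chains with the other bugs; with own-property filtering and a null prototype there is nothing for content to inject into.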
Attachment #188360 - Attachment mime type: text/xml → application/xml
Attachment #188363 - Flags: superreview?(brendan)
Attachment #188363 - Flags: review?(jst)
Comment on attachment 188363 [details] [diff] [review]
Proposed patch (thanks to shaver for advice!)

r=jst
Attachment #188363 - Flags: review?(jst) → review+
Comment on attachment 188363 [details] [diff] [review]
Proposed patch (thanks to shaver for advice!)

Thanks for fixing this, the GetOrSet wn/wn_obj was my fault.  sr+a=me.

/be
Attachment #188363 - Flags: superreview?(brendan)
Attachment #188363 - Flags: superreview+
Attachment #188363 - Flags: approval1.8b3+
Assignee: jst → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta3
Fixed for 1.8b3
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking1.8b3?
Flags: testcase+
Whiteboard: [sg:fix] → [sg:fix] not ff1.0/moz1.7
Group: security
Flags: in-testsuite+ → in-testsuite?