Closed
Bug 302177
Opened 19 years ago
Closed 16 years ago
problem of DictionarySearch and easyGestures
Categories: Core :: Security, defect
Status: RESOLVED FIXED
People: Reporter: moz_bug_r_a4, Assigned: dveditz
Whiteboard: [sg:extension issue]
Attachments (3 files):
  777 bytes, application/xhtml+xml
  837 bytes, patch
  581 bytes, text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050717
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050717 Firefox/1.0.6
DictionarySearch and easyGestures have the same vulnerability that is mentioned
in Bug 290324. And, that exploit relies on the "node spoofing" trick. Since MFSA
2005-55 and Bug 298892 have already been published, I think that this
vulnerability should be reported to the authors. But, I don't know if I may
disclose it to the authors, because Bug 290324 is marked Security-Sensitive.
The approach to fix is mentioned in Bug 290417.
Could someone please contact the authors?
The following attachment is an arbitrary code execution demo that uses XHTML
node spoofing.
Reproducible: Always
Steps to Reproduce:
Comment 1•19 years ago (Reporter)
Updated•19 years ago (Assignee)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix] in extensions themselves
Comment 2•19 years ago (Assignee)
Jaap A. Haitsma is the DictionarySearch project owner.
"Snow Blanc" (laeb) is listed as the easy gestures owner.
The exploit happens because "TEXTAREA" means nothing in xhtml, but because of
the case-insensitive string compare on the nodeName it's assumed to be a true
textarea element and then unwrapped content-supplied properties are used.
On the trunk this is solved by automatic wrappers. Today you have to explicitly
set xpcnativewrappers=yes in your manifest, but those will be turned on for all
extensions in the upcoming Firefox 1.5 beta.
The branch does not have the "split wrappers" architecture; for 1.0.2 and before
the only thing you can do is explicitly create XPCNativeWrappers around any
content object. In 1.0.3 and later you're safe if you get a *real* DOM object,
but then you have to be careful of namespace node spoofing.
Use "instanceof HTMLTextAreaElement" instead of relying on the nodeName.
See http://developer.mozilla.org/en/docs/Safely_accessing_content_DOM_from_chrome
See attachment 187685 for an example of instanceof code.
It's probably fair to assume people still using 1.0.2 have worse problems than
the exploits in your extensions, but we do need fixes for 1.0.3.
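The following is an added example, not code from this bug, from DictionarySearch or from easyGestures. It models in Node.js the node-spoofing problem comment 2 describes: a case-insensitive nodeName compare accepts any element whose name happens to be "TEXTAREA", in any namespace, and then trusts a property the content page itself defined, whereas an `instanceof HTMLTextAreaElement` check only accepts a real textarea. The `Element`/`HTMLTextAreaElement` classes, the `urn:attacker` namespace and the `value` getter are constructed stand-ins so the code runs offline; in real chrome code `instanceof` goes through XPConnect against the native object (and, on the branch, through an explicit XPCNativeWrapper), not the plain prototype chain used here.

```javascript
// Constructed stand-ins for Gecko DOM classes (assumption: not Gecko's own code).
const XHTML_NS = 'http://www.w3.org/1999/xhtml';

// Generic DOM element in an arbitrary namespace.
class Element {
  constructor(nodeName, namespaceURI) {
    this.nodeName = nodeName;
    this.namespaceURI = namespaceURI;
  }
}

// A genuine HTML textarea: uppercase nodeName "TEXTAREA" in the XHTML namespace.
class HTMLTextAreaElement extends Element {
  constructor(value = '') {
    super('TEXTAREA', XHTML_NS);
    this.value = value;
  }
}

// Vulnerable check, as in the affected extensions: any node whose name
// lower-cases to "textarea" is treated as a textarea, whatever it really is.
function isTextareaByName(node) {
  return String(node.nodeName).toLowerCase() === 'textarea';
}

// Hardened check recommended in comment 2: test the object's real type.
function isTextareaByType(node) {
  return node instanceof HTMLTextAreaElement;
}

// What the extension does once it believes it has a textarea: read .value.
// If the node is content-supplied and unwrapped, so is the property it reads.
function readTextareaValue(node, check) {
  if (!check(node)) return null;
  return node.value;
}

// Constructed attacker document: <TEXTAREA xmlns="urn:attacker"/>, which is
// not an HTML textarea, with a content-defined "value" getter standing in for
// the unwrapped property the chrome code would have invoked with its privileges.
function makeSpoofedNode(log) {
  const spoof = new Element('TEXTAREA', 'urn:attacker');
  Object.defineProperty(spoof, 'value', {
    get() {
      log.push('content-supplied getter ran');
      return 'attacker data';
    },
  });
  return spoof;
}

// Runs both checks against a real textarea and the spoofed node and reports
// what each path returned and how often the attacker's getter executed.
function demo() {
  const log = [];
  const real = new HTMLTextAreaElement('user text');
  const spoof = makeSpoofedNode(log);
  return {
    nameCheckReal: readTextareaValue(real, isTextareaByName),
    nameCheckSpoof: readTextareaValue(spoof, isTextareaByName),  // 'attacker data'
    typeCheckReal: readTextareaValue(real, isTextareaByType),
    typeCheckSpoof: readTextareaValue(spoof, isTextareaByType),  // null
    getterRuns: log.length,                                      // 1
  };
}
```

Only the nodeName path ever touches the spoofed node's `value`, which is the point: the type check rejects the node before any content-defined property is evaluated. On Firefox 1.0.2 and earlier, where no real DOM object is guaranteed, the same extension code additionally has to wrap the node in an XPCNativeWrapper before reading anything from it.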
Comment 3•19 years ago
Thanks for all the explanations. Does the attached patch solve everything for
dictionary search?
Comment 4•19 years ago (Assignee)
It solves the only instance of this vulnerability -- at least for ff1.0.3 and
above. Users of 1.0.2 are still vulnerable, but so is 1.0.2 without
dictionarysearch and that's a more attractive target for hackers.
You've already got an explicit XPCNativeWrapper around the only other thing that
stood out to me, so it looks good at a quick read.
Comment 5•19 years ago (Reporter)
easyGestures 3.1 is out, only for Deer Park. But, it is still vulnerable,
because it has not set xpcnativewrappers=yes in its manifest. I think
information about this vulnerability probably has not yet reached "Ons Besbes"
the easyGestures project owner.
dveditz, could you please contact Ons Besbes?
http://easygestures.mozdev.org/credits.html
Comment 6•19 years ago
I sent an email to Ons Besbes <easygestures@gmail.com>.
Comment 7•19 years ago
This will be fixed further by xpcnativewrappers=yes.
Ons: will you be able to fix your extension for this as well?
Depends on: 302276
Comment 8•19 years ago
Ok, here is what I'm going to do:
For the last version of eG, only compatible with Deer Park (eG 3.1):
I'll fix that by adding "xpcnativewrappers=yes" in the chrome.manifest file in
the next release (in about a week). If Deer Park Beta is out before the release,
this won't be necessary because this will be set by Firefox itself.
I'll change the bad code anyway using "instanceof HTMLTextAreaElement".
For the last version of eG compatible with the official Firefox (eG 3.0):
I'll fix that using "instanceof HTMLTextAreaElement" and releasing a special
version very soon.
Is that ok?
Ons.
Comment 9•19 years ago
Thanks, Ons. Please add your update (easyGestures 3.0.1?) to update.mozilla.org
so that users get the new version through extension auto-update.
Updated•19 years ago
Whiteboard: [sg:fix] in extensions themselves → [sg:extension issue]
Comment 10•19 years ago
That's done.
Ons.
Comment 11•19 years ago
Fixed versions of easyGestures and DictionarySearch are on addons.mozilla.org :)
I'll disclose this bug in 2-3 weeks, which should give users enough time to
upgrade (Firefox automatically checks for extension updates once a week), unless
someone objects.
Are other extensions likely to be vulnerable to similar attacks, at least in
Firefox 1.0.x?
Comment 12•19 years ago (Reporter)
This is an exploit testcase for DictionarySearch 0.9.3 on Deer Park.
DictionarySearch 0.9.3 supports Deer Park, but, does not use
xpcnativewrappers=yes. Thus, it is still vulnerable.
Comment 13•19 years ago
(In reply to comment #12)
> Created an attachment (id=192938)
> Arbitrary code execution using DOM property overrides
>
> This is an exploit testcase for DictionarySearch 0.9.3 on Deer Park.
>
> DictionarySearch 0.9.3 supports Deer Park, but, does not use
> xpcnativewrappers=yes. Thus, it is still vulnerable.
Where should I set that exactly?
Comment 14•19 years ago (Reporter)
(In reply to comment #13)
> Where should I set that exactly?
You need to create the "chrome.manifest" file.
Please see:
http://developer.mozilla.org/en/docs/Chrome_Registration#xpcnativewrappers
Comment 15•19 years ago
(In reply to comment #14)
> (In reply to comment #13)
> > Where should I set that exactly?
>
> You need to create the "chrome.manifest" file.
>
> Please see:
> http://developer.mozilla.org/en/docs/Chrome_Registration#xpcnativewrappers
>
OK I did this for dictionarysearch.
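As an added illustration of the manifest change comments 13 to 15 discuss (not the actual chrome.manifest of DictionarySearch or easyGestures): a content registration line before and after adding the flag. The package name and the content path are assumed; the flag is only needed on Deer Park builds that do not yet turn XPCNativeWrappers on by default, as comment 7 notes for Deer Park Beta.

```text
# Assumed package name and path; before: content DOM objects reach chrome unwrapped.
content dictionarysearch chrome/content/

# After: chrome code in this package sees content DOM objects through XPCNativeWrappers.
content dictionarysearch chrome/content/ xpcnativewrappers=yes
```

The flag is per registration line, so every `content` line the extension registers needs it, and it does not replace the `instanceof HTMLTextAreaElement` fix for Firefox 1.0.x, which has no chrome.manifest at all.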
Comment 16•16 years ago (Reporter)
This bug is fixed.
The problem has been fixed on fx1.5 by automatic XPCNativeWrapper, and fx1.0.x
is no longer supported.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 17•16 years ago
Firefox 1.5 isn't supported either. Any reason not to open this bug up?
Updated•16 years ago (Assignee)
Group: core-security