chrome XBL method.eval + setTimeout allows arbitrary code execution

VERIFIED FIXED

Status

Core
Security
--
critical
VERIFIED FIXED
12 years ago
6 years ago

People

(Reporter: shutdown, Assigned: mrbkap)

Tracking

({fixed1.8, verified1.7.13})

Trunk
fixed1.8, verified1.7.13
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.7.13 +
blocking-aviary1.0.8 +
blocking1.8rc1 +
blocking1.9a1 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] fixed by 311403, alternate exploit)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
You can use setTimeout() to circumvent eval()'s principal checks
and can execute arbitrary code with elevated privilege.
This one can exploit 1.0.x versions too.
Will probably be fixed by bug 311403.
(Reporter)

Comment 1

12 years ago
Created attachment 198775 [details]
testcase

Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20051006 Firefox/1.0.7
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051006 Firefox/1.6a1
Assignee: dveditz → mrbkap
Blocks: 256195
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:critical] similar to 311403, same fix?
Flags: blocking1.9a1+
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
(Assignee)

Comment 2

12 years ago
This should be fixed on trunk unless there's a similar exploit involving |new Script|.
Leaving open for that possibility.
Depends on: 311403
(Assignee)

Comment 3

12 years ago
Fixed by bug 311403.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] similar to 311403, same fix? → [sg:critical] fixed by 311403, alternate exploit

Comment 4

12 years ago
Blake, are we done with this on the 1.8 branch then? If so, can you please add
the fixed1.8 keyword. If not, can you help us make sure that it does get fixed
on the branch (with the fix for the other bug?) Thanks.
(Assignee)

Comment 5

12 years ago
Asa, the plan right now is to land all of the security fixing that's been going
on in one fell swoop, so this is not yet fixed on the 1.8 branch.
(Assignee)

Comment 6

12 years ago
Checked in on MOZILLA_1_8_BRANCH.
Keywords: fixed1.8

Updated

11 years ago
Flags: testcase+
(Assignee)

Comment 7

11 years ago
This is fixed on the 1.7 branches by one of my other checkins.
Keywords: fixed-aviary1.0.8, fixed1.7.13

Comment 8

11 years ago
verified with:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215
Firefox/1.0.8
Macintosh:
Moz - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060215 Firefox/1.0.8
Fx - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060215 Firefox/1.0.8
Linux
Moz - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060215
Status: RESOLVED → VERIFIED
Keywords: fixed-aviary1.0.8, fixed1.7.13 → verified-aviary1.0.8, verified1.7.13
Group: security

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?