Closed Bug 311892 Opened 19 years ago Closed 19 years ago

XSS: fixes for bug 311024 and bug 311619 can be circumvented by using window.__proto__

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8rc1

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Keywords: testcase, verified1.7.13, verified1.8, Whiteboard: [sg:high] xss (splitwindows))

Attachments

(6 files, 4 obsolete files)

testcase 1 - steal cookie - eval(code, window.__proto__)
587 bytes, text/html
Details
testcase 2 - steal cookie - script.exec(window.__proto__)
611 bytes, text/html
Details
iframe's content - eval(code, window.__proto__)
167 bytes, text/html
Details
testcase 3 - eval(code, window.__proto__) without data: url
450 bytes, text/html
Details
Bah
4.24 KB, patch
brendan
: review+
asa
: approval1.8rc1+
Details | Diff | Splinter Review
test.*.com/tests/mozilla.org/security/311892.zip
2.81 KB, application/zip
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050916 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051010 Firefox/1.6a1 Please see Bug 311024, Bug 311619 and Bug 310664. Exploit: code in subframe: function a(w) { with (w) alert(location.href + "\ncookie: " + document.cookie); } var f = eval("(" + a.toSource() + ");", window.__proto__); code in main: var x = frames[0].f; frames[0].location = "http://www.yahoo.com/"; x(frames[0]); I've tested on the hourly build 2005101002. Reproducible: Always Steps to Reproduce:
Assignee: dveditz → mrbkap
Status: UNCONFIRMED → NEW
Component: Security → JavaScript Engine
Depends on: splitwindows
Ever confirmed: true
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:high] xss (splitwindows)
I'm looking into this. This might end up being a data: url problem (where the data URL is exposing bad principals).
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.8rc1
(In reply to comment #3) > I'm looking into this. This might end up being a data: url problem (where the > data URL is exposing bad principals). Exploits work without data: url.
Yeah, I should have updated this bug earlier. brendan and I tracked this down earlier and it has nothing to do with data: URIs and everything to do with eval not checking its passed-in scopeobj if called directly. I'll have a patch tomorrow.
Attachment #199144 - Attachment is obsolete: true
*** Bug 311962 has been marked as a duplicate of this bug. ***
Attached patch wrong file (obsolete) — Splinter Review
This is basically the patch from yesterday, but I cleaned it up a bit.
Attachment #199183 - Flags: review?(brendan)
Comment on attachment 199183 [details] [diff] [review] wrong file ffs, wrong file :(
Attachment #199183 - Flags: review?(brendan)
Attached patch possible fix (obsolete) — Splinter Review
Attachment #199183 - Attachment is obsolete: true
Attachment #199184 - Flags: review?(brendan)
Attachment #199183 - Attachment description: possible fix → wrong file
Comment on attachment 199184 [details] [diff] [review] possible fix > callerVarObj = caller->varobj; > if (obj != callerVarObj) { > /* Set fp->varobj too, for the compiler. */ > caller->varobj = fp->varobj = obj; > setCallerVarObj = JS_TRUE; > } This should move down too, per our face-to-face discussion. >+ if (caller) { >+ callerScopeChain = caller->scopeChain; >+ if (scopeobj != callerScopeChain) { >+ ok = CheckEvalAccess(cx, scopeobj, caller->script->principals); >+ if (!ok) >+ goto out; >+ >+ scopeobj = js_NewObject(cx, &js_WithClass, scopeobj, >+ callerScopeChain); >+ if (!scopeobj) { >+ ok = JS_FALSE; >+ goto out; >+ } >+ >+ /* Set fp->scopeChain too, for the compiler. */ >+ caller->scopeChain = fp->scopeChain = scopeobj; >+ setCallerScopeChain = JS_TRUE; >+ } >+ } How about a brief comment, talking about change of scope, in addition to indirect call, requiring this? /be
Attachment #199184 - Flags: review?(brendan)
Attachment #199184 - Flags: review+
Attachment #199184 - Flags: approval1.8rc1?
This ought to work. Blake will test and check into the trunk. Thanks. /be
Attachment #199184 - Attachment is obsolete: true
Attachment #199267 - Flags: review+
Attachment #199267 - Flags: approval1.8rc1?
Comment on attachment 199267 [details] [diff] [review] better fix mrbkap pointed out we want, and he's right! This doesn't work. Of course the script has access to window.__proto__, it wouldn't be able to call eval with that parameter otherwise. The problem is that searching the parent chain of window.__proto__ finds the outer window. More thought is needed.
Attachment #199267 - Flags: review-
Attachment #199267 - Flags: review+
Attachment #199267 - Flags: approval1.8rc1?
Comment on attachment 199184 [details] [diff] [review] possible fix clearing approval flag for an obsolete patch
Attachment #199184 - Flags: approval1.8rc1?
Comment on attachment 199267 [details] [diff] [review] better fix mrbkap pointed out we want, and he's right! Also, caller could be null. Perhaps this is close, though. It's moving in the right direction to separate o.eval(s) and eval(s, o) cases. /be
Attachment #199267 - Attachment is obsolete: true
Blake and I talked this over and it seems like we need to make sure we never end up with objects whose parent is an outer window to be safe against attacks like this. The DOM objects currently parented at an outer window are window.__proto__, window.navigator (including prototypes), and window.location (also including prototypes). So this is getting rather messy, lots of things to tune by hand to get all this right. Anyone have any ideas on a better approach here?
(In reply to comment #18) > Anyone have any ideas on a better approach here? No :-/. I told blake to fix it this way originally (I warned him, but did he listen? Nooooooooooooo! ;-) Sucks. I'll help. /be
We need to make sure not to regress bug 304284 with these changes.
Attached patch BahSplinter Review
Brendan caught me when I was hungry and suggested this. This places an arbitrary limitation on the scope object passed to either eval() or script.exec() that it not have an innerizable object on its proto chain. The comment is too brief since I don't want to give too much away in it (though I'm not sure how much we have to worry about this).
Attachment #199494 - Flags: review?(brendan)
Comment on attachment 199494 [details] [diff] [review] Bah Nits: ScopeChain, not ScopeObject, and maybe common the "Script.prototype.exec" strict into a static const char [] explicitly? /be
Attachment #199494 - Flags: review?(brendan) → review+
Flags: testcase?
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 199494 [details] [diff] [review] Bah This patch fixes a security bug by disallowing bad scoped objects from being passed into eval.
Attachment #199494 - Flags: approval1.8rc1?
Comment on attachment 199494 [details] [diff] [review] Bah Actually, I'm going to roll this into my monster "security fixer" branch patch.
Attachment #199494 - Flags: approval1.8rc1?
Attachment #199494 - Flags: approval1.8rc1?
Checked in on MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Attachment #199494 - Flags: approval1.8rc1? → approval1.8rc1+
tested with firefox 1.5 rc2 on winxp/linux testcase 1: pass testcase 2: pass testcase 3: pass
Keywords: fixed1.8verified1.8
Flags: testcase? → testcase+
Fixed on the aviary1.0/mozilla1.7 branches by the split-window alternative (bug 316589)
Keywords: fixed-aviary1.0.8, fixed1.7.13
v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8, all 3 testcases pass.
Keywords: fixed-aviary1.0.8verified-aviary1.0.8
v ff on 1.7.13 windows/mac 20060221 builds, moz on 1.7.13 windows 20060221
Keywords: fixed1.7.13verified1.7.13
Group: security
Flags: in-testsuite+ → in-testsuite?
Keywords: testcase
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: