Closed Bug 313566 Opened 19 years ago Closed 19 years ago

privilege escalation using commandDispatcher.focusedElement

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8rc1

People

(Reporter: sync2d, Assigned: mrbkap)

References

Details

(Keywords: fixed1.8, Whiteboard: [sg:critical])

Attachments

(3 files, 1 obsolete file)

testcase
1.17 KB, application/vnd.mozilla.xul+xml
Details
Protecting GetFocusedWindow
3.08 KB, patch
jst
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
Updated to comments
5.42 KB, patch
mscott
: approval1.8rc1+
Details | Diff | Splinter Review 
In XUL documents, document.commandDispatcher.focusedElement
allows attackers to access privileged chrome DOM objects.
Attached file testcase 
Works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051022 Firefox/1.6a1
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b5) Gecko/20051022 Firefox/1.5
Assigning to Blake because ultimately it comes down to another eval() case, but maybe it's a tabbrowser issue. Note that step 2 in the testcase refers to the tab widget for the current exploit page; exploiting this would thankfully require some "social engineering". Clicking another tab and clicking back does't trigger the exploit, but then clicking a second time in the exploit tab widget shows the exploit is still there waiting to get you.
Assignee: dveditz → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8rc1+
Whiteboard: [sg:critical]
The problem here isn't eval, per se, but instead that content can get its greasy hands on chrome objects (the opposite of what XPCNativeWrapper was designed to do). I'm patching the XUL command dispatcher to not return chrome (or other, bad, objects) as focus elements, but it would appear that we need to make sure that there are not other avenues of attack through other node-getting functions.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1
Attached patch As described (obsolete) — Splinter Review 

        Attachment #200673 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 200673 [details] [diff] [review]
As described

drive by comment:

+  if (NS_FAILED(rv)) {
+    return rv;
+  }

This should be
NS_ENSURE_SUCCESS(rv, rv);

    
    

    
  
Shouldn't attempting to use an Element from a different domain (such as chrome://-
anything from http://-anything) raise a security exception?

    
    

    
  
Comment on attachment 200673 [details] [diff] [review]
As described

r=jst

        Attachment #200673 -
        Flags: review?(jst) → review+

    
    

    
  
(In reply to comment #6)
> Shouldn't attempting to use an Element from a different domain (such as
> chrome://-
> anything from http://-anything) raise a security exception?

Yes, but we don't access-check on every property access between arbitrary objects. In the web same-origin model, the only paths in the object graph between different trust domains go through window (frame, iframe) articulation points, and those objects' getters and setters check.

There are some hard cases outside of these articulation points in the object graph that must be covered by ad-hoc checks.  And here is one big honking one, thanks to XUL polluting (IMHO) every content window's document object with commandDispatcher.

/be
Priority: P1 → --
Target Milestone: mozilla1.8rc1 → ---

    
    

    
  
(In reply to comment #8)
> There are some hard cases outside of these articulation points in the object
> graph that must be covered by ad-hoc checks.  And here is one big honking one,
> thanks to XUL polluting (IMHO) every content window's document object with
> commandDispatcher.

Let me reemphasize how bad this is.  When we were automating XPCNativeWrappers to protect chrome that accesses content DOM, we said "no content script can get at a chrome DOM object" -- but the joke's on us.  Anyone know of other such cases?  What else did XUL add to the HTML DOM that shows up in content windows?

/be

    
    

    
  
Ian, we do special stuff in DOM classinfo in order to do those security checks. Because all of the elements in this testcase are either XUL or XBL, we bypass the security checks. I'm looking into adding security checks there as well.

I made mscott's suggested change.
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1

    
  

        Attachment #200673 -
        Flags: superreview?(bzbarsky)

    
    

    
  
Comment on attachment 200673 [details] [diff] [review]
As described

Oops, need to handle null better.

Also, jst and I both think that GetFocusedWindow needs similar treatment.

        Attachment #200673 -
        Flags: superreview?(bzbarsky)

        Attachment #200673 -
        Flags: review-

        Attachment #200673 -
        Flags: review+

    
    

    
  


  

        Attachment #200673 -
        Attachment is obsolete: true

        Attachment #200684 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 200684 [details] [diff] [review]
Protecting GetFocusedWindow

r=jst

        Attachment #200684 -
        Flags: review?(jst) → review+

    
  

        Attachment #200684 -
        Flags: superreview?(bzbarsky)

    
    

    
  
Comment on attachment 200684 [details] [diff] [review]
Protecting GetFocusedWindow

>Index: content/xul/document/src/nsXULCommandDispatcher.cpp
> nsXULCommandDispatcher::GetFocusedElement(nsIDOMElement** aElement)

>+  if (*aElement && !nsContentUtils::CanCallerAccess(*aElement)) {
>+    // XXX This might want to return null, but we use that return value
>+    // to mean "there is no focused element," so to be clear, throw an
>+    // exception.
>+    return NS_ERROR_DOM_SECURITY_ERR;

I think we also want NS_RELEASE(*aElement) here.  Otherwise caller might not know to release it (since our params might be garbage on a failure return).

>+  // Make sure the caller can access this window. The caller can access this
>+  // window iff the window's document has the same origin.

"iff he can access the document".  We're not doing a same-origin check, nor should we be.

>+  if (domdoc && !nsContentUtils::CanCallerAccess(domdoc)) {
>+    return NS_ERROR_DOM_SECURITY_ERR;

Again, NS_RELEASE(*aWindow), please.

Add similar checks to nsIDOMXULDocument.popupNode/tooltipNode, perhaps?  Just to be sure?

sr=bzbarsky

        Attachment #200684 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  
Comment on attachment 200692 [details] [diff] [review]
Updated to comments

This is an updated version of a patch that has r and sr. It simply adds a couple of security checks to prevent scripts from accessing nodes that they should not be able to access.

        Attachment #200692 -
        Flags: approval1.8rc1?

    
    

    
  
Checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
  

        Attachment #200692 -
        Flags: approval1.8rc1? → approval1.8rc1+

    
    

    
  
Checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8

    
  
Depends on: 315434

    
    

    
  
This caused bug 319434
Depends on: 319434

    
    

    
  
Specifically, there are cases when this keeps C++ layout code from accessing these nodes too, which breaks that code.
Flags: testcase+
Group: security
Flags: in-testsuite+ → in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: