Closed Bug 323367 Opened 19 years ago Closed 18 years ago

When calling XPCNativeWrapper's toString method, content-defined toString method can be called

Categories

(Core :: Security, defect, P2)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Keywords: verified1.8.0.2, verified1.8.1, Whiteboard: [sg:high] XSS [partial patch][rft-dl])

Attachments

(4 files, 1 obsolete file)

testcase 1 - xWin.toString(), xWin.getSelection().toString() and xWin.getSelection().getRangeAt(0).toString()
1.29 KB, text/html
Details
testcase 2 - Selection.prototype.toString = cookieGetter;
921 bytes, text/html
Details
Potential fix
4.50 KB, patch
bzbarsky
: review+
jst
: superreview+
Details | Diff | Splinter Review
What I checked in
6.36 KB, patch
jst
: approval-branch-1.8.1+
dveditz
: approval1.8.0.2+
Details | Diff | Splinter Review 
If an object's toString method is redefined by content, when toString method of
the XPCNativeWrapper for that object is called, content-defined toString method
ends up being called.

  window.toString = function() { return "xxx"; };
  xWin = new XPCNativeWrapper(window);
  s = xWin.toString();

s is "xxx".

Note, content-defined toString method cannot return an object.

  window.toString = function() { return new String("xxx"); };
  xWin = new XPCNativeWrapper(window);
  s = xWin.toString();

s is "[object Window]".


This bug could be a potential vulnerability.

content:
  <iframe src="http://www.yahoo.com/"></iframe>
  cookieGetter = Components.lookupMethod(frames[0].document, "cookie");
  Selection.prototype.toString = cookieGetter;

chrome:
  s = content.getSelection().toString();

s is a cookie value set by http://www.yahoo.com/.
cookieGetter = Components.lookupMethod(frames[0].document, "cookie");

Don't we need to do security check on Components.lookupMethod, for preventing
future exploits?

XPC_NW_toString calls JS_ValueToString on the unwrapped JS object, and then
js_ValueToString calls js_DefaultValue.  In js_DefaultValue, js_TryMethod calls
content-defined toString method.  If content-defined toString method returns
non-primitive, XPC_WN_Shared_Convert is called.
Assignee: dveditz → jst
Whiteboard: [sg:high] XSS
Flags: blocking1.8.1+
Flags: blocking1.8.0.2?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Several questions come to mind...

Why isn't chrome getting the native Selection toString()? I thought split wrappers prevented content from this kind of overriding?

The call doesn't have chrome privs (maybe that answers the first question), but if it's running with the content principal how is it getting the cookie?
I got this one.
Assignee: jst → mrbkap
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha
Attached patch Partial fix (obsolete) — Splinter Review 
This fix needs testing and comments. There's also a remaining call to JS_ValueToString, but I'm not convinced that it's a real problem (since the result will be wrapped in our normal XPCNativeWrapper toString jazz).

Brendan are there any cases where this fix will be too strict?
Status: NEW → ASSIGNED
Whiteboard: [sg:high] XSS → [sg:high] XSS [partial patch]
Attached patch Potential fixSplinter Review 
This, I believe, is the safe way to implement XPCNativeWrapper's toString method.
Attachment #210667 - Attachment is obsolete: true
Attachment #210935 - Flags: superreview?(jst)
Attachment #210935 - Flags: review?(bzbarsky)
Comment on attachment 210935 [details] [diff] [review]
Potential fix

>Index: js/src/xpconnect/src/XPCNativeWrapper.cpp
>+    if (!member->GetValue(ccx, iface, &toStringVal)) {
>+      return JS_FALSE;
>+    }
...
> 
>+    JSObject *funobj = xpc_CloneJSFunction(ccx, JSVAL_TO_OBJECT(toStringVal),
>+                                           wn_obj);

You need to keep toStringVal from dying here if the clone triggers GC.  Look at the other callers of xpc_CloneJSFunction in this file.

I really wish we could share this code with the GetOrSet method or something, but I guess the part about outputting our own thing makes it hard...

>-      ::JS_GetFunctionNative(cx, toStringFun) != XPC_WN_Shared_ToString;

Since you removed that, do you still need the extern decl of XPC_WN_Shared_ToString above?  I doubt you do.

> +  JSString* str = NULL;;

nsnull?

r=bzbarsky with those.
Attachment #210935 - Flags: review?(bzbarsky) → review+
Doesn't appear to affect ff1.0.7/moz1.7.12 -- am I right in assuming this exploits changes in the wrappers made in 1.8?
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
> am I right in assuming this exploits changes in the wrappers made in 1.8?

That's correct.
Flags: blocking1.8.0.2? → blocking1.8.0.2+
(In reply to comment #9)
> (From update of attachment 210935 [details] [diff] [review] [edit])
> >-      ::JS_GetFunctionNative(cx, toStringFun) != XPC_WN_Shared_ToString;
> 
> Since you removed that, do you still need the extern decl of
> XPC_WN_Shared_ToString above?  I doubt you do.

And if you remove the extern decl, you could make XPC_WN_Shared_ToString() in xpcwrappednativejsops.cpp static again too.

> 
> > +  JSString* str = NULL;;
> 
> nsnull?
> 
> r=bzbarsky with those.
> 


Comment on attachment 210935 [details] [diff] [review]
Potential fix

sr=jst
Attachment #210935 - Flags: superreview?(jst) → superreview+
This is what I just checked in.
Attachment #212268 - Flags: approval1.8.0.2?
Attachment #212268 - Flags: approval-branch-1.8.1?(jst)
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #212268 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Comment on attachment 212268 [details] [diff] [review]
What I checked in

approved for 1.8.0 branch, a=dveditz
Attachment #212268 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1
Whiteboard: [sg:high] XSS [partial patch] → [sg:high] XSS [partial patch][rft-dl]
Flags: in-testsuite+
v 1.8.0.2/winxp/20060308
Keywords: fixed1.8.0.2verified1.8.0.2
ffb2 windows/linux verified fixed 1.8
Keywords: fixed1.8.1verified1.8.1
Flags: in-testsuite+ → in-testsuite?
Group: security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: