Bug 327126 - generateCRMFRequest() allows privilege escalation
Status: Closed, RESOLVED FIXED
Opened 15 years ago; closed 15 years ago
Product/Component: Core :: Security (defect)
Reporter: sync2d; Assigned: dveditz
Keywords: verified1.7.13, verified1.8.0.2, verified1.8.1
Whiteboard: [sg:critical][rft-dl]

Attachments (3 files):
  patch, 1.76 KB: mrbkap: review+; dbaron: superreview+; dveditz: approval-aviary1.0.8+, approval1.7.13+, approval1.8.0.2+; KaiE: approval-branch-1.8.1+
  text/plain, 4.48 KB
  text/plain, 5.26 KB
Description:
crypto.generateCRMFRequest() has a vulnerability similar to bug 314865.

exploitable:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8) Gecko/20060213 Firefox/1.5
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20060213 Firefox/1.6a1
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8
Updated (15 years ago):
Flags: blocking1.8.0.2+
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:critical]

Updated (15 years ago):
Flags: blocking1.7.13? → blocking1.7.13+
Flags: blocking-aviary1.0.8? → blocking-aviary1.0.8+

Comment 2 (15 years ago):
Another missing context push/pop.
Comment 3 (15 years ago):
So what happens here? This is opening a modal window, so I'd expect it to do the right thing....
Comment 4 (15 years ago):
Note that I can't debug this in a useful way due to bug 326501. Is there a non-tree-related testcase possible?
Depends on: 326501
Comment 5 (15 years ago):
(In reply to comment #4)
> Is there a non-tree-related testcase possible?

mrbkap and I have a fix in mind for this.
Comment 6 (15 years ago):
This resolves the permissions issue by making sure the right context will be found on the stack.
Attachment #212066 Flags: superreview?(jst)
Attachment #212066 Flags: review?(mrbkap)
Attachment #212066 Flags: approval1.8.0.2?
Attachment #212066 Flags: approval1.7.13?
Attachment #212066 Flags: approval-branch-1.8.1?
Attachment #212066 Flags: approval-aviary1.0.8?

Updated (15 years ago):
Attachment #212066 Flags: approval-branch-1.8.1? → approval-branch-1.8.1?(kengert)
Comment 7 (15 years ago):
Comment on attachment 212066 [details] [diff] [review]
push the js context

>Index: security/manager/ssl/src/nsCrypto.cpp
>@@ -1773,15 +1774,22 @@ nsCryptoRunnable::Run()
>+ if (!stack || NS_FAILED(stack->Push(cx)))
>+ return NS_ERROR_FAILURE;

Nit: Please overbrace this if statement (even though it isn't necessary). While it'd be nice to have an auto-pusher/popper to guard against early returns, that's another bug for another day.

r=mrbkap
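Review bot: the Push in `+ if (!stack || NS_FAILED(stack->Push(cx)))` has no matching Pop in the quoted fragment, so every return from nsCryptoRunnable::Run() that follows a successful Push must pop the same cx, otherwise the context stack stays skewed and the next caller's principal lookup lands on this page's context. The early return shown is fine on its own (nothing was pushed when it fires); the paths after it are the ones to check, which is what makes the auto-pusher/popper mrbkap mentions the safer long-term shape.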
Attachment #212066 Flags: review?(mrbkap) → review+
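Comments 2, 6 and 7 describe the mechanism behind this bug: the security manager decides which principal is active from the JS context on top of a stack, and a runnable that calls back into page script without pushing the page's context lets that script run with whatever privilege the stack happens to report (chrome, in this bug). Comment 7 also wishes for an auto-pusher/popper so early returns cannot skip the Pop. The block below is an added illustration written for this page, not Mozilla's code: a constructed C++ model of the context stack and principal lookup, the unguarded callback shape beside the guarded one, and an RAII guard that pops on every exit path. Every name in it (ContextStack, AutoPushJSContext, SubjectPrincipal, RunCallbackUnguarded, RunCallbackGuarded, the principal strings) is an assumption of the model, not a Mozilla identifier.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed model (not Mozilla code): a JS context carries the principal of
// the code that created it. All names here are assumptions for the illustration.
struct JSContextModel {
    std::string principal;  // "chrome" (system) or a content origin
};

// Model of the context stack the security manager consults.
class ContextStack {
public:
    bool Push(JSContextModel* cx) {
        if (!cx) return false;      // mirrors the failure branch in the patch
        stack_.push_back(cx);
        return true;
    }
    JSContextModel* Pop() {
        if (stack_.empty()) return nullptr;
        JSContextModel* cx = stack_.back();
        stack_.pop_back();
        return cx;
    }
    const JSContextModel* Peek() const { return stack_.empty() ? nullptr : stack_.back(); }
    std::size_t Depth() const { return stack_.size(); }
private:
    std::vector<JSContextModel*> stack_;
};

// RAII push/pop guard, the "auto-pusher/popper" asked for in comment 7: however
// the enclosing scope is left, a successful Push is matched by exactly one Pop.
class AutoPushJSContext {
public:
    AutoPushJSContext(ContextStack& stack, JSContextModel* cx)
        : stack_(stack), pushed_(stack.Push(cx)) {}
    ~AutoPushJSContext() { if (pushed_) stack_.Pop(); }
    bool Pushed() const { return pushed_; }
    AutoPushJSContext(const AutoPushJSContext&) = delete;
    AutoPushJSContext& operator=(const AutoPushJSContext&) = delete;
private:
    ContextStack& stack_;
    bool pushed_;
};

// Model of the subject-principal lookup: the top context decides; with nothing
// pushed the lookup falls back to the system principal, which is the condition
// this bug describes (page callback code running as chrome).
std::string SubjectPrincipal(const ContextStack& stack) {
    const JSContextModel* cx = stack.Peek();
    return cx ? cx->principal : "chrome";
}

// Vulnerable shape: the runnable executes the page's callback without pushing
// the page's context first. Returns the principal the callback would run as.
std::string RunCallbackUnguarded(ContextStack& stack, JSContextModel* /*pageCx*/) {
    return SubjectPrincipal(stack);
}

// Fixed shape: push the page's context for the duration of the callback.
// Returns "" where nsCryptoRunnable::Run() would return NS_ERROR_FAILURE.
// failEarly simulates an unrelated early return after the push succeeded.
std::string RunCallbackGuarded(ContextStack& stack, JSContextModel* pageCx, bool failEarly = false) {
    AutoPushJSContext pusher(stack, pageCx);
    if (!pusher.Pushed())
        return "";              // nothing was pushed, so nothing to pop
    if (failEarly)
        return "";              // the guard's destructor still pops here
    return SubjectPrincipal(stack);
}

int main() {
    ContextStack stack;
    JSContextModel page{"http://content.example"};  // constructed content origin
    std::cout << "unguarded callback runs as: " << RunCallbackUnguarded(stack, &page) << "\n";
    std::cout << "guarded callback runs as:   " << RunCallbackGuarded(stack, &page) << "\n";
    RunCallbackGuarded(stack, &page, true);
    std::cout << "stack depth after early return: " << stack.Depth() << "\n";
    return 0;
}
```

The guard is the part worth copying: once the Pop lives in a destructor, adding a new error return to Run() cannot leave the stack skewed, which is exactly the class of regression a hand-paired Push/Pop invites.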
Updated (15 years ago):
Attachment #212066 Flags: approval-branch-1.8.1?(kengert) → approval-branch-1.8.1+
Comment 8 (15 years ago):
Comment on attachment 212066 [details] [diff] [review]
push the js context

sr=dbaron (trusting mrbkap's review)

Is the bug on a class to do this filed?
Attachment #212066 Flags: superreview?(jst) → superreview+
Comment 9 (15 years ago):
Comment on attachment 212066 [details] [diff] [review]
push the js context

approved for 1.7/1.8.0/aviary101 branches, a=dveditz
Attachment #212066 Flags: approval1.8.0.2? → approval1.8.0.2+
Attachment #212066 Flags: approval1.7.13? → approval1.7.13+
Attachment #212066 Flags: approval-aviary1.0.8? → approval-aviary1.0.8+
Comment 10 (15 years ago):
Patch checked in to trunk and aviary101, moz17, moz180, and moz18 branches.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: blocking1.8.1+
Resolution: --- → FIXED
Comment 11 (15 years ago):
Verified on:
Windows:
  Fx: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216 Firefox/1.0.8
  Moz: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216
Mac:
  Fx: Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060216 Firefox/1.0.8
  Moz: Not available for 0216
Linux:
  Fx: Not available for 0216
  Moz: Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060216

Updated (15 years ago):
Flags: testcase+

Updated (15 years ago):
Whiteboard: [sg:critical] → [sg:critical][rft-dl]
Comment 12 (15 years ago):
ff 1.0.8/mac/20060221 opens the Software Security Device Change password dialog. Doesn't seem nice.
Comment 13 (15 years ago):
I crash with Firefox 1.0.8 linux 20060221 on the windowsPoC after closing the security device password dialog. I don't know if this is the exploitable crash though.
Comment 14 (15 years ago):
Well, generateCRMFRequest crashes easily when using wrong arguments, see bug 327524. Not sure, though, if that's the issue in comment 13.
Comment 15 (15 years ago):
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060224 Firefox/1.5.0.1, testcase exploit blocked, js console:
Attempt to load a javascript: URL from one host in a window displaying content from another host was blocked by the security manager.
Keywords: fixed1.8.0.2 → verified1.8.0.2
Comment 16 (15 years ago):
I have the crash in ff 1.0.8/linux in gdb.
0x0116918a in ns_if_addref<nsIRegion*> (expr=0x78) at ../../../dist/include/xpcom/nsISupportsUtils.h:114
114 return expr ? expr->AddRef() : 0;
Comment 17 (15 years ago):
I've backported the patch from bug #330900 onto a firefox 1.0.8 build and, despite it fixing the crash with the testcase from bug #327524, I still get a crash with the exploit testcase for this bug.
Comment 18 (15 years ago):
I ran the testcase on the released Mozilla1.7.13 on Solaris10 and Fedora5. It still crashes. On Fedora, you need to reload the testcase to reproduce that issue.
Comment 19 (15 years ago):
(In reply to comment #18)
> I ran the testcase on the released Mozilla1.7.13 on Solaris10 and Fedora5. It
> still crashes. On Fedora, you need to reload the testcase to reproduce that
> issue.

Where does it crash? In addition to the bug 330900 crash in generateCRMFrequest itself, this bug also depends on bug 326501, which describes a crash in tree views. Note that *this* bug was never about a crash, it was about running the callback javascript code with chrome privileges. If neither 330900 nor 326501 describes the crash you're seeing now, we need a new bug.
Comment 20 (15 years ago):
The core stack for Mozilla1.7.13 on Solaris 10: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.13) Gecko/20060615.
Comment 21 (15 years ago):
The core stack for Mozilla1.7.13 on Ubuntu: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060615.
Comment 22 (15 years ago):
shutdown, can you contact me at chofmann@mozilla.org? Having a problem getting mail through to you. Thanks.
Comment 23 (15 years ago):
With the patch for bug 326501 applied, no crash anymore.
Comment 24 (15 years ago):
https://bugzilla.mozilla.org/attachment.cgi?id=211841
ff2b2 windows/linux verified fixed 1.8
Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "chrome://global/content/bindings/tree.xml Line: 0"]
Keywords: fixed1.8.1 → verified1.8.1
Updated (14 years ago):
Flags: in-testsuite+ → in-testsuite?

Updated (14 years ago):
Group: security