
generateCRMFRequest() allows privilege escalation

Status: RESOLVED FIXED
Product: Core
Component: Security
Priority: --
Severity: critical
Reported: 11 years ago
Modified: 9 years ago

People

(Reporter: shutdown, Assigned: dveditz)

Tracking

Keywords: verified1.7.13, verified1.8.0.2, verified1.8.1
Version: Trunk
Points: ---
Bug Flags:
blocking1.7.13 +
blocking-aviary1.0.8 +
blocking1.8.1 +
blocking1.8.0.2 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical][rft-dl])

Attachments

(3 attachments)

(Reporter)

Description

11 years ago
crypto.generateCRMFRequest() has a vulnerability similar to bug 314865.
(Reporter)

Comment 1

11 years ago
Created attachment 211841 [details]
exploit testcase

exploitable:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8) Gecko/20060213 Firefox/1.5
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20060213 Firefox/1.6a1
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8
(Assignee)

Updated

11 years ago
Flags: blocking1.8.0.2+
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:critical]
(Assignee)

Updated

11 years ago
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
(Assignee)

Comment 2

11 years ago
Another missing context push/pop.

So what happens here?  This is opening a modal window, so I'd expect it to do the right thing....

Note that I can't debug this in a useful way due to bug 326501.  Is there a non-tree-related testcase possible?
Depends on: 326501
(Assignee)

Comment 5

11 years ago
(In reply to comment #4)
> Is there a non-tree-related testcase possible?

mrbkap and I have a fix in mind for this.
(Assignee)

Comment 6

11 years ago
Created attachment 212066 [details] [diff] [review]
push the js context

This resolves the permissions issue by making sure the right context will be found on the stack.
Attachment #212066 - Flags: superreview?(jst)
Attachment #212066 - Flags: review?(mrbkap)
Attachment #212066 - Flags: approval1.8.0.2?
Attachment #212066 - Flags: approval1.7.13?
Attachment #212066 - Flags: approval-branch-1.8.1?
Attachment #212066 - Flags: approval-aviary1.0.8?
(Assignee)

Updated

11 years ago
Attachment #212066 - Flags: approval-branch-1.8.1? → approval-branch-1.8.1?(kengert)
Comment on attachment 212066 [details] [diff] [review]
push the js context

>Index: security/manager/ssl/src/nsCrypto.cpp
>@@ -1773,15 +1774,22 @@ nsCryptoRunnable::Run()
>+  if (!stack || NS_FAILED(stack->Push(cx)))
>+    return NS_ERROR_FAILURE;
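Review bot: the hunk pushes cx but the visible lines show no matching Pop, so confirm that every return path in nsCryptoRunnable::Run() after this point pops the context; an error exit between the Push and the Pop would leave the page's context on the stack for whatever runs next on this thread. The early return when Push fails is the right fail-closed choice: if the context cannot be made visible to the security manager, the callback must not run at all.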

Nit: Please overbrace this if statement (even though it isn't necessary).

While it'd be nice to have an auto-pusher/popper to guard against early returns, that's another bug for another day. r=mrbkap
Attachment #212066 - Flags: review?(mrbkap) → review+

Updated

11 years ago
Attachment #212066 - Flags: approval-branch-1.8.1?(kengert) → approval-branch-1.8.1+
Comment on attachment 212066 [details] [diff] [review]
push the js context

sr=dbaron (trusting mrbkap's review)

Is the bug on a class to do this filed?
Attachment #212066 - Flags: superreview?(jst) → superreview+
(Assignee)

Comment 9

11 years ago
Comment on attachment 212066 [details] [diff] [review]
push the js context

approved for 1.7/1.8.0/aviary101 branches, a=dveditz
Attachment #212066 - Flags: approval1.8.0.2?
Attachment #212066 - Flags: approval1.8.0.2+
Attachment #212066 - Flags: approval1.7.13?
Attachment #212066 - Flags: approval1.7.13+
Attachment #212066 - Flags: approval-aviary1.0.8?
Attachment #212066 - Flags: approval-aviary1.0.8+
(Assignee)

Comment 10

11 years ago
Patch checked in to trunk and aviary101, moz17, moz180, and moz18 branches
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Flags: blocking1.8.1+
Keywords: fixed-aviary1.0.8, fixed1.7.13, fixed1.8.0.2, fixed1.8.1
Resolution: --- → FIXED
Verified on:
Windows:
Fx: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216 Firefox/1.0.8
Moz: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060216
Mac:
Fx: Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060216 Firefox/1.0.8
Moz: Not available for 0216
Linux:
Fx: Not available for 0216
Moz: Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060216
Keywords: fixed-aviary1.0.8, fixed1.7.13 → verified-aviary1.0.8, verified1.7.13

Updated

11 years ago
Flags: testcase+

Updated

11 years ago
Whiteboard: [sg:critical] → [sg:critical][rft-dl]

Comment 12

11 years ago
ff 1.0.8/mac/20060221 opens the Software Security Device Change password dialog. Doesn't seem nice.

Comment 13

11 years ago
I crash with Firefox 1.0.8 linux 20060221 on the windowsPoC after closing the security device password dialog. I don't know if this is the exploitable crash though.

Well, generateCRMFRequest crashes easily when using wrong arguments, see bug 327524. Not sure, though, if that's the issue in comment 13.

Comment 15

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060224 Firefox/1.5.0.1, testcase exploit blocked, js console:

Attempt to load a javascript: URL from one host
in a window displaying content from another host
was blocked by the security manager.
Keywords: fixed1.8.0.2 → verified1.8.0.2

Comment 16

11 years ago
I have the crash in ff 1.0.8/linux in gdb.

0x0116918a in ns_if_addref<nsIRegion*> (expr=0x78)
   at ../../../dist/include/xpcom/nsISupportsUtils.h:114
114        return expr ? expr->AddRef() : 0;

Comment 17

11 years ago
I've backported the patch from bug #330900 to a firefox 1.0.8 build and, despite it fixing the crash with the testcase from bug #327524, I still get a crash with the exploit testcase for this bug.

Comment 18

11 years ago
I ran the testcase on the released Mozilla1.7.13 on Solaris10 and Fedora5. It still crashes. On Fedora, you need to reload the testcase to reproduce that issue.
(Assignee)

Comment 19

11 years ago
(In reply to comment #18)
> I ran the testcase on the released Mozilla1.7.13 on Solaris10 and Fedora5. It
> still crashes. On Fedora, you need to reload the testcase to reproduce that
> issue.

Where does it crash? In addition to the bug 330900 crash in generateCRMFrequest itself this bug also depends on bug 326501 which describes a crash in tree views.

Note that *this* bug was never about a crash, it was about running the callback javascript code with chrome privileges. If neither 330900 nor 326501 describes the crash you're seeing now we need a new bug.
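The privilege problem described in this comment, and the auto-pusher/popper mrbkap asked for in his review of attachment 212066, are easiest to see side by side. The following is an added example written for this page; it is not Mozilla code and does not use nsIJSContextStack or nsCrypto.cpp. It models the JS context stack as a plain vector, and assumes (as the bug's symptoms imply) that a security check that finds no context on the stack attributes the script to the system principal. `RunUnpatched`, `RunManualPush`, `RunGuarded` and `AutoPushJSContext` are names invented for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Toy model of a per-thread JS context stack (stand-in for this example only).
struct JSContext {
    std::string principal;   // origin the script on this context runs as
};

class ContextStack {
public:
    void Push(JSContext* cx) { stack_.push_back(cx); }
    void Pop() { if (!stack_.empty()) stack_.pop_back(); }
    const JSContext* Peek() const { return stack_.empty() ? nullptr : stack_.back(); }
    std::size_t Depth() const { return stack_.size(); }
private:
    std::vector<JSContext*> stack_;
};

// Model of the security manager's subject-principal lookup. Assumption for this
// example: with nothing on the stack there is no untrusted caller to charge, so
// the lookup falls back to "system" (chrome). That fallback is the escalation.
std::string SubjectPrincipal(const ContextStack& stack) {
    const JSContext* cx = stack.Peek();
    return cx ? cx->principal : std::string("system");
}

// RAII pusher/popper: the destructor pops on every exit path, so an early
// return between push and pop cannot leave a stale context on the stack.
class AutoPushJSContext {
public:
    AutoPushJSContext(ContextStack& stack, JSContext* cx) : stack_(stack) { stack_.Push(cx); }
    ~AutoPushJSContext() { stack_.Pop(); }
    AutoPushJSContext(const AutoPushJSContext&) = delete;
    AutoPushJSContext& operator=(const AutoPushJSContext&) = delete;
private:
    ContextStack& stack_;
};

// Stands in for evaluating the page's callback: returns the principal the
// security check attributes the script to at that moment.
static std::string EvalCallback(const ContextStack& stack) {
    return SubjectPrincipal(stack);
}

// Unpatched shape: the runnable evaluates the page's callback without pushing
// the page's context, so the check sees no caller and hands out system.
std::string RunUnpatched(ContextStack& stack, JSContext* /*pageCx*/) {
    return EvalCallback(stack);
}

// Manual push/pop. failEarly models an error path between Push and Pop that
// returns without popping, leaving the page context behind for later callers.
std::string RunManualPush(ContextStack& stack, JSContext* pageCx, bool failEarly) {
    stack.Push(pageCx);
    if (failEarly)
        return "error";            // bug: context never popped
    std::string who = EvalCallback(stack);
    stack.Pop();
    return who;
}

// RAII version: same error path, but the guard pops regardless.
std::string RunGuarded(ContextStack& stack, JSContext* pageCx, bool failEarly) {
    AutoPushJSContext guard(stack, pageCx);
    if (failEarly)
        return "error";
    return EvalCallback(stack);
}

int main() {
    ContextStack stack;
    JSContext page{"http://attacker.example"};   // constructed sample origin
    std::cout << "unpatched:  " << RunUnpatched(stack, &page) << "\n";
    std::cout << "guarded:    " << RunGuarded(stack, &page, false) << "\n";
    RunManualPush(stack, &page, true);
    std::cout << "manual push, early return leaves depth " << stack.Depth() << "\n";
    return 0;
}
```

The unpatched path is the bug: the callback is attributed to system because nothing identifies the page as the caller. The manual version is the patch's shape; it is correct on the happy path but depends on every return after the push remembering to pop, which is exactly the weakness the reviewer flagged and the guard removes.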

Comment 20

11 years ago
Created attachment 225681 [details]
Core stack

The core stack for Mozilla1.7.13 on Solaris 10: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.13) Gecko/20060615.

Comment 21

11 years ago
Created attachment 225682 [details]
Core stack on ubuntu

The core stack for Mozilla1.7.13 on Ubuntu: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060615.

Comment 22

11 years ago
shutdown, can you contact me at chofmann@mozilla.org? Having a problem getting mail through to you. Thanks.

Comment 23

11 years ago
With the patch for bug 326501 applied, no crash anymore.

Comment 24

11 years ago
https://bugzilla.mozilla.org/attachment.cgi?id=211841
ff2b2 windows/linux verified fixed 1.8
Error: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "chrome://global/content/bindings/tree.xml Line: 0"]
Keywords: fixed1.8.1 → verified1.8.1

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?
(Assignee)

Updated

10 years ago
Group: security