Closed Bug 330037 Opened 16 years ago Closed 16 years ago

Embed Propertypage Remote Compromise (version 2)

Categories: Core :: Security, defect
Severity: critical
Tracking: RESOLVED FIXED
People: Reporter: pvnick, Assigned: martijn.martijn
Details: Keywords: fixed1.8.1, verified1.8.0.4, Whiteboard: [sg:moderate]
Attachments: 3 files

The patch from the previous advisory can be circumvented if the following two changes are made:
1) The embed element is shown on a javascript page
2) The executed javascript accesses chrome using its full privileges to the opener object

This can be exploited using a small amount of user interaction which will likely occur given the right social engineering.
Attached file testcase
Navigates to a javascript:"content" page. Click on the broken embed box and press manual install. An alert will be shown in the chrome window indicating the execution of arbitrary script.
Attached patch: patch
Well, this fixes it for me, by moving some code in nsScriptSecurityManager.cpp.
Attachment #214683 - Flags: review?(dveditz)
The code in the plugin finder is:
http://lxr.mozilla.org/seamonkey/source/toolkit/mozapps/plugins/content/pluginInstallerWizard.js#566

This is probably a stupid question, but would the evalInSandbox stuff (http://developer.mozilla.org/en/docs/evalInSandbox) be any better for this code?
Another example of the evils of string URL compares rather than principal compares.
Whiteboard: [sg:critical]
Comment on attachment 214683 (patch):

This is good as a band-aid. r/sr=dveditz
Attachment #214683 - Flags: review?(dveditz)
Attachment #214683 - Flags: review+
Attachment #214683 - Flags: approval1.8.0.3?
Attachment #214683 - Flags: approval-branch-1.8.1+
Attachment #214683 - Flags: approval-aviary1.0.9?
Assignee: nobody → martijn.martijn
Flags: blocking1.8.0.3?
Flags: blocking-firefox2+
Flags: blocking-aviary1.0.9?
I filed bug 330102 on myself to switch the code to nsIPrincipal 
Sorry, but do I need sr+ for the patch?
Comment on attachment 214683 (patch):

Generally, yes.  ;)
Attachment #214683 - Flags: superreview+
Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v  <--  nsScriptSecurityManager.cpp
new revision: 1.289; previous revision: 1.288
done

Checked into trunk.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Checked in on the 1.8 branch.
mozilla/caps/src/nsScriptSecurityManager.cpp; new revision: 1.266.2.10;
Keywords: fixed1.8.1
OS: Windows XP → All
Hardware: PC → All
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Component: Plugin Finder Service → Security
Flags: review+
Flags: blocking-firefox2+
Product: Firefox → Core
Version: 1.5.0.x Branch → Trunk
Flags: blocking1.7.14?
Attachment #214683 - Flags: approval1.7.14?
Comment on attachment 214683 (patch):

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #214683 - Flags: approval1.8.0.3? → approval1.8.0.3+
mozilla/caps/src/nsScriptSecurityManager.cpp; new revision: 1.266.2.7.2.5
Keywords: fixed1.8.0.4
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4 with testcase.
Impact lowered to "moderate" given the user interaction required. A legit "manual" install button is used to download and install and that could be malware as well, the only difference is this exploit removes one last chance for the user to think better of running the downloaded install.
Whiteboard: [sg:critical] → [sg:moderate]
Attached patch: 1.0.x version
Attachment #225481 - Flags: review?(caillon)
Group: security
Flags: in-testsuite?
Attachment #214683 - Flags: approval1.7.14?
Attachment #214683 - Flags: approval-aviary1.0.9?