Closed Bug 330037 Opened 19 years ago Closed 19 years ago

Embed Propertypage Remote Compromise (version 2)

Categories

(Core :: Security, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: pvnick, Assigned: martijn.martijn)

Details

(Keywords: fixed1.8.1, verified1.8.0.4, Whiteboard: [sg:moderate])

Attachments

(3 files)

The patch from the previous advisory can be circumvented if the following two changes are made:
1) The embed element is shown on a javascript page
2) The executed javascript accesses chrome using its full privileges to the opener object
This can be exploited using a small amount of user interaction which will likely occur given the right social engineering.
Attached file testcase
Navigates to a javascript:"content" page. Click on the broken embed box and press manual install. An alert will be shown in the chrome window indicating the execution of arbitrary script.
Attached patch: patch
Well, this fixes it for me, by moving some code in nsScriptSecurityManager.cpp.
Attachment #214683 - Flags: review?(dveditz)
The code in the plugin finder is: http://lxr.mozilla.org/seamonkey/source/toolkit/mozapps/plugins/content/pluginInstallerWizard.js#566 This is probably a stupid question, but would the evalInSandbox stuff (http://developer.mozilla.org/en/docs/evalInSandbox) be any better for this code?
Another example of the evils of string URL compares rather than principal compares.
Whiteboard: [sg:critical]
Comment on attachment 214683 [details] [diff] [review] patch This is good as a band-aid. r/sr=dveditz
Attachment #214683 - Flags: review?(dveditz)
Attachment #214683 - Flags: review+
Attachment #214683 - Flags: approval1.8.0.3?
Attachment #214683 - Flags: approval-branch-1.8.1+
Attachment #214683 - Flags: approval-aviary1.0.9?
Assignee: nobody → martijn.martijn
Flags: blocking1.8.0.3?
Flags: blocking-firefox2+
Flags: blocking-aviary1.0.9?
I filed bug 330102 on myself to switch the code to nsIPrincipal
Sorry, but do I need sr+ for the patch?
Comment on attachment 214683 [details] [diff] [review] patch Generally, yes. ;)
Attachment #214683 - Flags: superreview+
Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v <-- nsScriptSecurityManager.cpp
new revision: 1.289; previous revision: 1.288
done
Checked into trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Checked in on the 1.8 branch. mozilla/caps/src/nsScriptSecurityManager.cpp; new revision: 1.266.2.10;
Keywords: fixed1.8.1
OS: Windows XP → All
Hardware: PC → All
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Component: Plugin Finder Service → Security
Flags: review+
Flags: blocking-firefox2+
Product: Firefox → Core
Version: 1.5.0.x Branch → Trunk
Flags: blocking1.7.14?
Attachment #214683 - Flags: approval1.7.14?
Comment on attachment 214683 [details] [diff] [review] patch approved for 1.8.0 branch, a=dveditz for drivers
Attachment #214683 - Flags: approval1.8.0.3? → approval1.8.0.3+
mozilla/caps/src/nsScriptSecurityManager.cpp 1.266.2.7.2.5
Keywords: fixed1.8.0.4
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4 with testcase.
Impact lowered to "moderate" given the user interaction required. A legit "manual" install button is used to download and install and that could be malware as well, the only difference is this exploit removes one last chance for the user to think better of running the downloaded install.
Whiteboard: [sg:critical] → [sg:moderate]
Attached patch: 1.0.x version
Attachment #225481 - Flags: review?(caillon)
Group: security
Flags: in-testsuite?
Attachment #214683 - Flags: approval1.7.14?
Attachment #214683 - Flags: approval-aviary1.0.9?