Embed Propertypage Remote Compromise (version 2)

RESOLVED FIXED

Status


Core
Security
--
critical
RESOLVED FIXED
11 years ago
9 years ago

People

(Reporter: Paul Nickerson, Assigned: Martijn Wargers (dead))

Tracking

({fixed1.8.1, verified1.8.0.4})

Trunk
fixed1.8.1, verified1.8.0.4
Points:
---
Bug Flags:
blocking1.7.14 ?
blocking-aviary1.0.9 ?
blocking1.8.0.4 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate])

Attachments

(3 attachments)

299 bytes, text/html
Details
1.68 KB, patch
Details | Diff | Splinter Review
1.35 KB, patch
Alexander Sack
: review?
Christopher Aillon (sabbatical, not receiving bugmail)
Details | Diff | Splinter Review
(Reporter)

Description

11 years ago
The patch from the previous advisory can be circumvented if the following two changes are made:
1) The embed element is shown on a javascript page
2) The executed javascript accesses chrome using its full privileges to the opener object

This can be exploited using a small amount of user interaction which will likely occur given the right social engineering.
(Reporter)

Comment 1

11 years ago
Created attachment 214672 [details]
testcase

Navigates to a javascript:"content" page. Click on the broken embed box and press manual install. An alert will be shown in the chrome window indicating the execution of arbitrary script.
(Assignee)

Comment 2

11 years ago
Created attachment 214683 [details] [diff] [review]
patch

Well, this fixes it for me, by moving some code in nsScriptSecurityManager.cpp.
Attachment #214683 - Flags: review?(dveditz)

Comment 3

11 years ago
The code in the plugin finder is:
http://lxr.mozilla.org/seamonkey/source/toolkit/mozapps/plugins/content/pluginInstallerWizard.js#566

This is probably a stupid question, but would the evalInSandbox stuff (http://developer.mozilla.org/en/docs/evalInSandbox) be any better for this code?
Another example of the evils of string URL compares rather than principal compares.
Whiteboard: [sg:critical]
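The point about string URL compares versus principal compares generalises beyond this bug. The following is an added illustration, not code from the bug, its patches, or Mozilla's tree: the `Principal` and `Document` classes are a constructed toy model of the idea, and the URLs are made up. It shows why a check that derives identity from `location.href` treats unrelated `javascript:` documents as the same thing, while a check that asks the principal that created the document does not.

```javascript
// Added example (not from the bug or from Mozilla's code): a URL string is a
// poor stand-in for "who controls this document". The objects below are a
// constructed toy model of principals, not Gecko's nsIPrincipal.

// A principal records who controls a document: its origin, and whether it is
// the all-powerful system (chrome) principal.
class Principal {
  constructor(origin, isSystem = false) {
    this.origin = origin;     // e.g. "http://site-a.example"
    this.isSystem = isSystem; // true only for browser chrome
  }
  // A principal subsumes another if it may act with that principal's rights.
  subsumes(other) {
    return this.isSystem || this.origin === other.origin;
  }
}

// A document carries both the URL it was loaded from and the principal that
// created it. For javascript:, data: and about:blank documents the URL says
// nothing about who controls the content; the principal is inherited from
// the script that navigated there.
class Document {
  constructor(href, principal) {
    this.href = href;
    this.principal = principal;
  }
}

// Naive approach: derive an "origin" from the URL string. Schemes without an
// authority part (javascript:, data:, about:) all collapse to one bucket.
function originFromUrl(href) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(href);
  return m ? `${m[1].toLowerCase()}://${m[2].toLowerCase()}`
           : href.split(':')[0].toLowerCase() + ':';
}

// String-compare policy: "same origin" if the URL-derived origins match.
function sameOriginByUrl(a, b) {
  return originFromUrl(a.href) === originFromUrl(b.href);
}

// Principal-based policy: ask the principals and ignore the URL string.
function sameOriginByPrincipal(a, b) {
  return a.principal.subsumes(b.principal) && b.principal.subsumes(a.principal);
}

// Constructed scenario: two unrelated sites each navigate a window to a
// javascript: URL, and a chrome document exists alongside them.
function demo() {
  const siteA = new Principal('http://site-a.example');
  const siteB = new Principal('http://site-b.example');
  const chrome = new Principal('chrome://browser', true);

  const jsDocA = new Document('javascript:"content"', siteA);
  const jsDocB = new Document('javascript:"other"', siteB);
  const chromeDoc = new Document('chrome://browser/content/browser.xul', chrome);

  return {
    // The URL check lumps the two javascript: documents together (wrong).
    urlCheckConfusesJsDocs: sameOriginByUrl(jsDocA, jsDocB),
    // The principal check keeps them apart (right).
    principalCheckSeparatesThem: sameOriginByPrincipal(jsDocA, jsDocB),
    // Chrome may act on content, but content may never act as chrome.
    chromeSubsumesContent: chromeDoc.principal.subsumes(jsDocA.principal),
    contentSubsumesChrome: jsDocA.principal.subsumes(chromeDoc.principal),
  };
}
```

The `demo()` result is the whole lesson: the string-based check answers "same origin" for two documents owned by different sites, while the principal-based check, which carries the creator's identity through the `javascript:` navigation, answers correctly and also keeps the chrome/content boundary one-directional.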
Comment on attachment 214683 [details] [diff] [review]
patch

This is good as a band-aid. r/sr=dveditz
Attachment #214683 - Flags: review?(dveditz)
Attachment #214683 - Flags: review+
Attachment #214683 - Flags: approval1.8.0.3?
Attachment #214683 - Flags: approval-branch-1.8.1+
Attachment #214683 - Flags: approval-aviary1.0.9?
Assignee: nobody → martijn.martijn
Flags: blocking1.8.0.3?
Flags: blocking-firefox2+
Flags: blocking-aviary1.0.9?

Comment 6

11 years ago
I filed bug 330102 on myself to switch the code to nsIPrincipal 
(Assignee)

Comment 7

11 years ago
Sorry, but do I need sr+ for the patch?
Comment on attachment 214683 [details] [diff] [review]
patch

Generally, yes.  ;)
Attachment #214683 - Flags: superreview+
(Assignee)

Comment 9

11 years ago
Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v  <--  nsScriptSecurityManager.cpp
new revision: 1.289; previous revision: 1.288
done

Checked into trunk.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Checked in on the 1.8 branch.
mozilla/caps/src/nsScriptSecurityManager.cpp; new revision: 1.266.2.10;
Keywords: fixed1.8.1
OS: Windows XP → All
Hardware: PC → All
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Component: Plugin Finder Service → Security
Flags: review+
Flags: blocking-firefox2+
Product: Firefox → Core
Version: 1.5.0.x Branch → Trunk
Flags: blocking1.7.14?
Attachment #214683 - Flags: approval1.7.14?
Comment on attachment 214683 [details] [diff] [review]
patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #214683 - Flags: approval1.8.0.3? → approval1.8.0.3+
mozilla/caps/src/nsScriptSecurityManager.cpp 	1.266.2.7.2.5
Keywords: fixed1.8.0.4

Comment 13

11 years ago
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4 with testcase.
Keywords: fixed1.8.0.4 → verified1.8.0.4
Impact lowered to "moderate" given the user interaction required. A legit "manual" install button is used to download and install, and that could be malware as well; the only difference is this exploit removes one last chance for the user to think better of running the downloaded install.
Whiteboard: [sg:critical] → [sg:moderate]

Comment 15

11 years ago
Created attachment 225481 [details] [diff] [review]
1.0.x version

Updated

11 years ago
Attachment #225481 - Flags: review?(caillon)
Group: security
Flags: in-testsuite?
Attachment #214683 - Flags: approval1.7.14?
Attachment #214683 - Flags: approval-aviary1.0.9?