[1.0.8] "Set as wallpaper" arbitrary execution using <object> src property

RESOLVED FIXED

defect
RESOLVED FIXED
13 years ago
13 years ago

People

(Reporter: dveditz, Assigned: Gavin)

Tracking

({fixed-aviary1.0.8})

1.7 Branch
Bug Flags:
blocking-aviary1.0.8 +


Details

(Whiteboard: [sg:critical] aviary1.0 branch only)

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

13 years ago
Spun off from bug 333305, see bug 333305 comment 8 and testcase in attachment 217800 (full credit to moz_bug_r_a4 here).

The regression bug 333305 didn't introduce this security hole, the security hole exists in firefox 1.0.7 and presumably mozilla 1.7.12. The regressions from the fix for bug 293527 had the side-effect of "fixing" this security hole, but as we've fixed those regressions the original broken state was restored.

This is a variant on bug 292737, using an image <object> with a spoofed content-supplied .src property to get around the fix in that bug. In 1.8 this exploit is prevented by "shared wrappers" which will not let chrome access the content-defined .src property.
(Reporter)

Updated

13 years ago
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Summary: "Set as wallpaper" arbitrary execution using <object> (aviary/moz1.7 branch) → "Set as wallpaper" arbitrary execution using <object> src property
Whiteboard: [sg:critical] aviary1.0/moz1.7 branch only

Comment 1

13 years ago
(In reply to comment #0)
> the security hole exists in firefox 1.0.7 and presumably mozilla 1.7.12.

The Mozilla suite is not affected by the "Set As Wallpaper" attack, since the Mozilla suite does not use "setWallpaper.xul".
http://lxr.mozilla.org/mozilla1.7/source/xpfe/communicator/resources/content/nsContextMenu.js#615
(Reporter)

Comment 2

13 years ago
(Reporter)

Comment 3

13 years ago
Posted patch: prevent <object> wallpaper (obsolete)
Alternate patches, both prevent this problem. This second patch simply bails out for <object> images -- prevents the exploit, and no loss of functionality since bugs prevented them from being used as wallpaper anyway.

The first patch reads the correct data attribute for <object> images. This also stops the exploit, but adds functionality over 1.0.7 (though intended functionality).
This was given r+sr+a and landed as part of bug 333305, attaching here for reference.
Assignee: dveditz → gavin.sharp
Attachment #217818 - Attachment is obsolete: true
Attachment #217819 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Flags: blocking1.7.13+
Resolution: --- → FIXED
Whiteboard: [sg:critical] aviary1.0/moz1.7 branch only → [sg:critical] aviary1.0 branch only
(Reporter)

Updated

13 years ago
Group: security
Summary: "Set as wallpaper" arbitrary execution using <object> src property → [1.0.8] "Set as wallpaper" arbitrary execution using <object> src property