Closed Bug 333394 Opened 19 years ago Closed 19 years ago

[1.0.8] "Set as wallpaper" arbitrary execution using <object> src property

Categories

(Core :: Security, defect)

1.7 Branch
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: dveditz, Assigned: Gavin)

Details

(Keywords: fixed-aviary1.0.8, Whiteboard: [sg:critical] aviary1.0 branch only)

Attachments

(1 file, 2 obsolete files)

Spun off from bug 333305, see bug 333305 comment 8 and testcase in attachment 217800 (full credit to moz_bug_r_a4 here).

The regression bug 333305 didn't introduce this security hole, the security hole exists in firefox 1.0.7 and presumably mozilla 1.7.12. The regressions from the fix for bug 293527 had the side-effect of "fixing" this security hole, but as we've fixed those regressions the original broken state was restored.

This is a variant on bug 292737, using an image <object> with a spoofed content-supplied .src property to get around the fix in that bug. In 1.8 this exploit is prevented by "shared wrappers" which will not let chrome access the content-defined .src property.
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Summary: "Set as wallpaper" arbitrary execution using <object> (aviary/moz1.7 branch) → "Set as wallpaper" arbitrary execution using <object> src property
Whiteboard: [sg:critical] aviary1.0/moz1.7 branch only
(In reply to comment #0)
> the security hole exists in firefox 1.0.7 and presumably mozilla 1.7.12.

Mozilla suite is not affected by the "Set As Wallpaper" attack, since Mozilla suite does not use "setWallpaper.xul".
http://lxr.mozilla.org/mozilla1.7/source/xpfe/communicator/resources/content/nsContextMenu.js#615
Attached patch make <object> work as wallpaper (obsolete) — Splinter Review
Attached patch prevent <object> wallpaper (obsolete) — Splinter Review
Alternate patches; both prevent this problem. This second patch simply bails out for <object> images: it prevents the exploit with no loss of functionality, since bugs prevented them from being used as wallpaper anyway.

The first patch reads the correct data attribute for <object> images. This also stops the exploit, but adds functionality over 1.0.7 (though intended functionality).
This was given r+sr+a and landed as part of bug 333305, attaching here for reference.
Assignee: dveditz → gavin.sharp
Attachment #217818 - Attachment is obsolete: true
Attachment #217819 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: blocking1.7.13+
Resolution: --- → FIXED
Whiteboard: [sg:critical] aviary1.0/moz1.7 branch only → [sg:critical] aviary1.0 branch only
Group: security
Summary: "Set as wallpaper" arbitrary execution using <object> src property → [1.0.8] "Set as wallpaper" arbitrary execution using <object> src property
