XSS with XPCNativeWrapper(window).Function(...)

RESOLVED FIXED in mozilla1.9alpha1

Status


Core
Security
P1
critical
RESOLVED FIXED
11 years ago
8 years ago

People

(Reporter: shutdown, Assigned: mrbkap)

Tracking

({fixed1.8.1, verified1.8.0.5})

Trunk
mozilla1.9alpha1
Points:
---
Bug Flags:
blocking1.7.14 -
blocking-aviary1.0.9 -
blocking1.9a1 +
blocking1.8.1 +
blocking1.8.0.5 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high][patch] not 1.7/aviary)

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

11 years ago
XPCNativeWrapper(window).Function(...) allows one to
create a function that can be used for XSS attacks.
(Reporter)

Comment 1

11 years ago
Created attachment 222601 [details]
testcase

works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1a2)
  Gecko/20060518 BonEcho/2.0a2
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.4)
  Gecko/20060518 Firefox/1.5.0.4
Flags: blocking1.9a1+
Flags: blocking1.8.1+
Flags: blocking1.8.0.5+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Whiteboard: [sg:high]
Assignee: dveditz → mrbkap
(Assignee)

Comment 2

11 years ago
I think I have this mostly figured out. I'm too jetlagged at the moment to explain more, but it has to do with XPCNativeWrappers causing the outer window's Function to be found instead of the inner one's. I'll have details and hopefully a patch tomorrow.
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Comment 3

11 years ago
Created attachment 224283 [details] [diff] [review]
wip

With this patch, standard classes don't resolve at all through XPCNativeWrappers. I'll work on that soon.
(Assignee)

Comment 4

11 years ago
> With this patch, standard classes don't resolve at all through
> XPCNativeWrappers.

The problem is simply that I need to define the resolved property on the rewrapped obj2 for things to work. I'll probably have a patch tomorrow or Monday.
Status: NEW → ASSIGNED
(Assignee)

Comment 5

11 years ago
Created attachment 224509 [details] [diff] [review]
Hackable patch

This patch goes half-way. I realized that it isn't sufficient, since it will happily return a content-supplied Function to unsuspecting XPCNativeWrapper(window) users.
Attachment #224283 - Attachment is obsolete: true
(Assignee)

Comment 6

11 years ago
Created attachment 226409 [details] [diff] [review]
No standard classes from XPCNativeWrapper

So, jst and I talked about this a bunch, and came to the conclusion that getting standard classes out of XPCNativeWrappers is unsupported and shouldn't be allowed. If you need to create a function or string in a content context from chrome, the preferred way (after this patch) will be to use w.eval(...) instead.
Attachment #224509 - Attachment is obsolete: true
Attachment #226409 - Flags: superreview?(bzbarsky)
Attachment #226409 - Flags: review?(jst)
(Assignee)

Updated

11 years ago
Whiteboard: [sg:high] → [sg:high][patch]
Comment on attachment 226409 [details] [diff] [review]
No standard classes from XPCNativeWrapper

Looks reasonable, yeah.
Attachment #226409 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 226409 [details] [diff] [review]
No standard classes from XPCNativeWrapper

r=jst
Attachment #226409 - Flags: review?(jst) → review+
(Assignee)

Comment 9

11 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Updated

11 years ago
Attachment #226409 - Flags: approval1.8.1?
Attachment #226409 - Flags: approval1.8.0.5?
Comment on attachment 226409 [details] [diff] [review]
No standard classes from XPCNativeWrapper

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #226409 - Flags: approval1.8.0.5? → approval1.8.0.5+
(Assignee)

Comment 11

11 years ago
Fix checked into the 1.8.0 branch.
Keywords: fixed1.8.0.5

Updated

11 years ago
Attachment #226409 - Flags: approval1.8.1? → approval1.8.1+
(Assignee)

Comment 12

11 years ago
Fix checked into the 1.8 branch.
Keywords: fixed1.8.1

Comment 13

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no exploit with testcase:

XPCNativeWrapper(window).Function is not a function
attachment.cgi?id... (line 11)
anonymous
Keywords: fixed1.8.0.5 → verified1.8.0.5
Blocks: 256195
Not needed for moz1.7 or aviary branches, XPCNativeWrapper() not available.
Flags: blocking1.7.14?
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.9-
Whiteboard: [sg:high][patch] → [sg:high][patch] not 1.7/aviary

Comment 15

11 years ago
pvnick is doing a bit of research on XSS and also gathering up bugs with security-related test cases to help add to the regression/certification test suites. Adding him to the cc list in these...
Group: core-security