Closed Bug 340107 Opened 18 years ago Closed 18 years ago

UniversalBrowserRead should not permit access to chrome documents

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8.1beta1

People

(Reporter: sync2d, Assigned: dveditz)

References

Details

(Keywords: verified1.8.0.5, verified1.8.1, Whiteboard: [sg:moderate] (?due need for UBR))

Attachments

(4 files)

testcase
1.01 KB, text/html
Details
Patch v1
3.25 KB, patch
mrbkap
: review+
sicking
: superreview+
jay
: approval1.8.0.5+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
xslt patch -- 1.8(.0) branch only
2.71 KB, patch
sicking
: review+
sicking
: superreview+
jay
: approval1.8.0.5+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
for 1.0.x
1.76 KB, patch
Details | Diff | Splinter Review 
By the nature of the UniversalBrowserRead privilege, scripts with
this privilege enabled can access any document in anywhere, and
be able to take control of the user's activity on the web site
(by reading login cookies -- the "sentisive browser data").

The problem is "anywhere" mentioned in the above includes the chrome.
Once the script with UBR enabled have access to a chrome JavaScript
object, it can do more than to "read sensitive browser data" by
elevating its privilege to full chrome level (see bug 313684).
Guessing mrbkap given link to 313684, but maybe this is in the DOM.

Do you have a testcase/PoC?
Assignee: dveditz → mrbkap
Component: Security → XPConnect
One spot that might be trouble is nsContentUtils::CanCallerAccess(). If the caller isn't chrome then it shouldn't be able to access a privileged DOMNode regardless of UniversalBrowserRead permission; accessing a chrome node should require UniversalXPConnect permission. nsContentUtils::IsTrustedForRead() might lead to the same issues but for now that's only used safely in nsGlobalWindow.
... or maybe xpconnect's use of CanAccess, or...

I guess we've got to catch this centrally in CAPS. In nsScriptSecurityManager::CheckPropertyAccessImpl chrome privileged callers bail out early so if we're calling CheckSameOriginDOMProp() we know we're in a non-privileged doc. Can we deny access if the object principal is chrome?

CheckPropertyAccessImpl might want to check for UniversalXPConnect privs early.. looks like you can't access a "noAccess" property even if you have that explicit privilege (signed code).
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Flags: blocking1.8.0.5?
Flags: blocking-aviary1.0.9?
So would it make sense to have nsIPrincipal::Subsumes or some such (to differentiate read and write) do the work here, have all the callers call that, and implement it once, correctly, in CAPS?

> Can we deny access if the object principal is chrome?

I think so.  Possibly even if the caller has UniversalXPConnect...  Should be pretty easy to do this part.

> looks like you can't access a "noAccess" property

At the moment you can, since we'll fall into the CheckXPCPermissions() code.  We should really clean this code up to be less confusing, or possibly document it better.  Or both.  We keep getting confused about the exact control flow, which is _so_ not good.
We need a fix for this.  Blake might have a lot on his plate right now, so if bz can take this one, that'll be great!  bz?
Flags: blocking1.8.0.5? → blocking1.8.0.5+
I'm not sure I'm going to have time to really work on this until after the onsite.  :(  I _might_ have time before, but not to the extent that I can guarantee working on this...
And anyone working on this would need some testcases to verify that their stuff works...
Flags: blocking1.8.1? → blocking1.8.1+
Blocks: sbb?
Whiteboard: [sg:moderate] (?due need for UBR) blocked by other recent fixes?
Assignee: mrbkap → dveditz
Attached file testcase 
requested thing.
Attached patch Patch v1Splinter Review 
There are two independent parts of this patch. The first change in nsScriptSecurityManager::CheckSameOriginDOMProp() is sufficient to stop the testcase in this bug. Punting on chrome objects is safe because access by the system principal is approved long before this point, and explicit UniversalXPConnect access is checked for and granted in CheckPropertyAccessImpl, the only caller of this routine.

You can verify the latter point by modifying the testcase to request UniversalXPConnect instead of UniversalBrowserRead -- it should work before and after the patch.

The second part of the patch covers nsContentUtils::CanCallerAccess which has the same problem, but will be harder to verify because we don't have a testcase to demonstrate the problem. It should be abusable by something like the XUL testcase in bug 313566 though I had no luck modifying it to actually do so.

It may also be more work to verify it doesn't regress anything since it's called in more places. It's called from
  nsGenericElement::doReplaceOrInsertBefore
  the VALIDATE_ACCESS macro all over nsRange (SetBegin, etc)
  nsXULCommandDispatcher::GetFocusedElement
  nsXULCommandDispatcher::GetFocusedWindow
  nsXULDocument::GetPopupNode
  nsXULDocument::GetTooltipNode
Attachment #227034 - Flags: superreview?(bzbarsky)
Attachment #227034 - Flags: review?(mrbkap)
dmose added the check for UniversalBrowserRead to CanCallerAccess for bug 219848. That'd be one thing to check for regressions, except it looks like that testcase has regressed even before I try out this patch. Bug 275194 was marked a dupe of that one and might be an easier testcase to resurrect (haven't tried yet).
Flags: blocking1.7.14?
I missed transformix, which has its own URIUtils::CanCallerAccess on the 1.8 branch but uses nsContentUtils on the trunk. It'll get fixed on the trunk, is there any way transformix can get hold of chrome nodes? Sicking, what do you think?

http://lxr.mozilla.org/mozilla1.8.0/search?string=URIUtils::CanCallerAccess

The trunk also has additional CanCallerAccess callers
  nsDOMSerializer::SerializeToString
  nsDOMSerializer::SerializeToStream
  nsXULDocument::GetPopupRangeParent
  nsXULDocument::GetPopupRangeOffset
On the trunk xslt uses nsContentUtils::CanCallerAccess, but if we're worried about it on the 1.8 branch we need this patch as well.
Attachment #227046 - Flags: superreview?(bzbarsky)
Attachment #227046 - Flags: review?(bugmail)
Comment on attachment 227046 [details] [diff] [review]
xslt patch -- 1.8(.0) branch only

The patch only seems to move the same code a bit further down (as well as duplicate the systemPrincipal check).
The first systemPrincipal check was for the subject (the running code). If it's systemPrincipal it can do anything so we return TRUE right then.

The second systemPrincipal check is on the argument node. If it is systemPrincipal then we do not want to let non-privileged code touch it. Privileged callers already returned TRUE so anyone getting this far must be non-privileged. We should return FALSE here.

The CheckSameOrigin bit has to be moved after we know and checn the principal of the object node or else UBR effectively grants permission to manipulate chrome nodes. That's what this bug is about.

(Arguably if nodePrincipal == systemPrincipal we should check whether UniversalXPConnect is enabled before bailing out, but on the trunk xslt uses nsContentUtils::CanCallerAccess and doesn't make that check. I didn't want to add a feature to the branch and then take it away on the trunk. If we want to change the trunk it should go in a new bug, and wouldn't hold up 1.8.0.5)
Attachment #227034 - Flags: review?(mrbkap) → review+
Attachment #227034 - Flags: approval1.8.1?
Attachment #227034 - Flags: approval1.8.0.5?
Attachment #227046 - Flags: approval1.8.1?
Attachment #227046 - Flags: approval1.8.0.5?
Whiteboard: [sg:moderate] (?due need for UBR) blocked by other recent fixes? → [sg:moderate] (?due need for UBR) need sr=/a=
Attachment #227034 - Flags: superreview?(bzbarsky) → superreview+
Attachment #227046 - Flags: superreview?(bzbarsky)
Attachment #227046 - Flags: superreview+
Attachment #227046 - Flags: review?(bugmail)
Attachment #227046 - Flags: review+
Comment on attachment 227034 [details] [diff] [review]
Patch v1

approved for 1.8.0 branch, a=jay for drivers.
Attachment #227034 - Flags: approval1.8.0.5? → approval1.8.0.5+
Comment on attachment 227046 [details] [diff] [review]
xslt patch -- 1.8(.0) branch only

a=jay for 1.8.0 branch
Attachment #227046 - Flags: approval1.8.0.5? → approval1.8.0.5+
Fix checked into the 1.8.0 branch
Keywords: fixed1.8.0.5
Whiteboard: [sg:moderate] (?due need for UBR) need sr=/a= → [sg:moderate] (?due need for UBR)
Fix checked into trunk
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #227034 - Flags: approval1.8.1? → approval1.8.1+
Attachment #227046 - Flags: approval1.8.1? → approval1.8.1+
Whiteboard: [sg:moderate] (?due need for UBR) → [sg:moderate] (?due need for UBR) [checkin needed]
Blocks: 343475
No longer blocks: 343475
Depends on: 343475
Please land this on the 1.8 branch ASAP so this does not hold up the FF2 beta1 release.  Or, explain why this should not be included in FF2 beta1.  Thanks!
Target Milestone: --- → mozilla1.8.1beta1
Fix checked into 1.8 branch
Keywords: fixed1.8.1
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060706 Firefox/1.5.0.5, access blocked:
uncaught exception: A script from "https://bugzilla.mozilla.org" was denied UniversalBrowserRead privileges.
Keywords: fixed1.8.0.5verified1.8.0.5
> uncaught exception: A script from "https://bugzilla.mozilla.org" was denied
> UniversalBrowserRead privileges.

I don't think that's a valid verification. You need to set the signed.applets.codebase_principal_support pref to true first, then you'll get a prompt asking for permission, grant it, *then* this security fix kicks in.

If you're not seeing the security prompt then you've not gotten far enough to test this bug. After the permission grant you should see an exception in the console like "Permission denied to get property Function.__proto__" rather than an alert showing Components.classes.
Keywords: verified1.8.0.5fixed1.8.0.5
QA Contact: toolkit → xpconnect
Whiteboard: [sg:moderate] (?due need for UBR) [checkin needed] → [sg:moderate] (?due need for UBR)
Thanks Dan for clarifying the steps.  I retested with the pref set and see exactly what you mentioned:

uncaught exception: Permission denied to get property Function.__proto__
initconsoleBindings.x... (line 86)
nullconsoleBindings.x... (line 267)

Returning to v.fixed.  Please change back if we are waiting for a more thorough verification.
Keywords: fixed1.8.0.5verified1.8.0.5
Attached patch for 1.0.xSplinter Review 

    
    

    
  
v.fixed on 1.8.1 branch: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/20060830 BonEcho/2.0b2
Keywords: fixed1.8.1verified1.8.1

    
  
Group: security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: