Bug 342267 - (zdi-can-055) Mozilla Firefox Javascript navigator Object Vulnerability (ZDI-CAN-055, CVE-2006-3677)
Status: RESOLVED FIXED
Whiteboard: [sg:critical] requires Java (on by de...
Keywords: crash, fixed1.8.1, verified1.8.0.5
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: All All
Importance: P1 normal
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
Mentors:
URL: javascript:navigator=0;new Packages()...
Depends on: 342490
Blocks:
Reported: 2006-06-21 03:11 PDT by Daniel Veditz [:dveditz]
Modified: 2007-08-17 15:59 PDT
Flags:
dveditz: blocking1.7.14-
dveditz: blocking-aviary1.0.9-
dveditz: blocking1.9a2+
mtschrep: blocking1.8.1+
dveditz: blocking1.8.0.5+
dveditz: in-testsuite?


Attachments
Fix (6.49 KB, patch), 2006-06-22 13:07 PDT, Blake Kaplan (:mrbkap): dveditz: review+; jst: superreview+; dveditz: approval1.8.0.5+; darin.moz: approval1.8.1+
exp_loader.html (crashes and launches calc.exe on windows) (80 bytes, text/html), 2006-06-22 15:40 PDT, Daniel Veditz [:dveditz]: no flags
BMO-specific loader page (launches calc.exe on windows) (125 bytes, text/html), 2006-06-22 16:28 PDT, Daniel Veditz [:dveditz]: no flags
Null-defense patch (816 bytes, patch), 2006-06-23 11:07 PDT, Blake Kaplan (:mrbkap): dveditz: review+; dveditz: superreview+; dveditz: approval1.8.0.5+; mtschrep: approval1.8.1+

Description Daniel Veditz [:dveditz] 2006-06-21 03:11:35 PDT
ZDI-CAN-055: Mozilla Firefox Javascript navigator Object Vulnerability

-- ABSTRACT ------------------------------------------------------------

3Com has identified a vulnerability affecting the following products:

Firefox 1.5.x

-- VULNERABILITY DETAILS -----------------------------------------------

A vulnerability exists in the latest version of Mozilla Firefox which
allows arbitrary code to execute.  The problem lies in Firefox's use of
the navigator object and Javascript.  The vulnerability can be exploited
when a user visits a malicious web page and executes under the context
of that user's credentials.

The vulnerability is due to the fact that you can assign another object
to the "navigator" object in Firefox.  Then when a new Packages object
is created, a method from the navigator object is called. The Packages
object is a so called LiveConnect object which enables the
communication between Javascript and Java applets.  So a JVM has to be
installed to exploit the vulnerability.

Assigning the object to a user controlled value leads to remote code
execution.  The bug is only possible because the navigator object could
be overwritten. This object is later used while creating the Packages
object. The crash occurs in

./js/src/jsapi.c:2697 in JS_GetProperty() which is called from
./modules/oji/src/ProxyClassLoader.cpp:80

if (!JS_GetProperty(cx, window, "navigator", &navigator))
    return NS_ERROR_FAILURE;

The ClassLoader acts on the assumption that the navigator object
can not be changed.


Vulnerable versions tested:
    Firefox 1.5.0.1 Windows XP SP2
    Firefox 1.5.0.1 Fedora Core 3

Not vulnerable versions tested:
    Firefox 1.0.7 Windows XP SP2

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:

    Anonymous
Comment 1 Daniel Veditz [:dveditz] 2006-06-21 03:43:03 PDT
ZDI sent us a zipped proof-of-concept that launches calc.exe (same shellcode as zdi-can-026), but essentially all you need to do to trigger the crash is get rid of the navigator object and call up java. The following seems sufficient to cause the crash reliably:
    javascript:navigator=0;new Packages();void(0);
Note: you must have Java enabled.

A quick patch might be to add a check that the navigator property is an object in getScriptClassLoader: http://lxr.mozilla.org/mozilla/source/modules/oji/src/ProxyClassLoader.cpp#76

That doesn't prevent content from messing with Java by playing with the navigator object in other ways, though.

So why isn't FF1.0 vulnerable? The OJI code appears to be essentially the same.
Comment 2 Blake Kaplan (:mrbkap) 2006-06-22 13:07:19 PDT
Created attachment 226691 [details] [diff] [review]
Fix

So, the testcase doesn't work for me on my debug build. I get "Setting a property that only has a getter" because the navigator property is supposed to be read only! This patch should work anyway.
Comment 3 Daniel Veditz [:dveditz] 2006-06-22 15:40:06 PDT
Created attachment 226717 [details]
exp_loader.html (crashes and launches calc.exe on windows)
Comment 4 Blake Kaplan (:mrbkap) 2006-06-22 15:43:59 PDT
Dan, is that testcase really for this bug?
Comment 5 Daniel Veditz [:dveditz] 2006-06-22 16:13:48 PDT
Created attachment 226722 [details]
Guts of the testcase

The first one isn't going to work loaded from bugzilla... I didn't seem to need the refresh to reproduce, but if you can't, save this attachment and the exp_loader one locally and load them from there.
Comment 6 Daniel Veditz [:dveditz] 2006-06-22 16:28:06 PDT
Created attachment 226723 [details]
BMO-specific loader page (launches calc.exe on windows)

So loading the main exploit itself seems to just crash; locally I do need to load the loader page first to get the exploit to run correctly. Here's an attempt to do just that on BMO.
Comment 7 Daniel Veditz [:dveditz] 2006-06-22 16:48:54 PDT
> So loading the main exploit itself seems to just crash; locally I do need to
> load the loader page first to get the exploit to run correctly. Here's an
> attempt to do just that on BMO.

Doesn't seem to work (launch calc.exe) on a known broken version. Still get the crash, but for full effect download attachments 226717 and 226722 locally.
Comment 8 Daniel Veditz [:dveditz] 2006-06-22 17:48:57 PDT
So Firefox 1.0 and mozilla 1.7 are not vulnerable because bug 246224 ("Mozilla crashes if a chrome app uses Live Connect") was fixed on those branches by removing the only call to ProxyFindClass.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/oji/src/ProxyJNI.cpp&rev=1.29.8.2&mark=322,325,328#315

Comment 9 Daniel Veditz [:dveditz] 2006-06-22 17:57:46 PDT
Comment on attachment 226691 [details] [diff] [review]
Fix

That should do nicely, r=dveditz

You mention this bug didn't happen to you on the trunk because navigator can't be overridden. I'm not seeing that, I crash. This should land on the trunk regardless: either it fixes the crash, or *will* fix it if the readonly attribute stops being enforced again.
Comment 10 Johnny Stenback (:jst, jst@mozilla.com) 2006-06-23 10:53:19 PDT
Comment on attachment 226691 [details] [diff] [review]
Fix

sr=jst
Comment 11 Blake Kaplan (:mrbkap) 2006-06-23 11:07:46 PDT
Created attachment 226808 [details] [diff] [review]
Null-defense patch

I can't believe I missed this before: the liveconnect code checks for JSVAL_IS_OBJECT and if that tests true, then it passes the jsval (as a JSObject *) to JS_GetPrivate. Unfortunately, null is an object, and JS_GetPrivate is not null-safe.
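Added illustration of the two checks discussed in the description, comment 1 and comment 11; this is not Mozilla's code or either patch. It models the classic SpiderMonkey jsval tagging (a 3-bit tag in the low bits, JSVAL_OBJECT == 0, JSVAL_INT == 1, JSVAL_NULL == 0), which is why JSVAL_IS_OBJECT() is true for null. The JSObject layout, the JS_GetPrivate stand-in, loader_outcome() and the three check modes are hypothetical scaffolding, and the inputs are constructed to mirror the "navigator=0" trigger from comment 1 plus an explicit null and a real object.

```c
/* Added example, not Mozilla's code: a stand-alone model of why a
 * JSVAL_IS_OBJECT() check still lets null reach JS_GetPrivate(), and what
 * the null-defense check changes. Tag constants follow the classic jsval
 * layout; everything else is hypothetical scaffolding for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t jsval;

#define JSVAL_OBJECT   0x0u
#define JSVAL_INT      0x1u
#define JSVAL_TAGMASK  0x7u
#define JSVAL_NULL     ((jsval)0)

#define JSVAL_TAG(v)          ((v) & JSVAL_TAGMASK)
#define JSVAL_IS_OBJECT(v)    (JSVAL_TAG(v) == JSVAL_OBJECT)  /* true for JSVAL_NULL too */
#define JSVAL_IS_NULL(v)      ((v) == JSVAL_NULL)
#define JSVAL_IS_PRIMITIVE(v) (!JSVAL_IS_OBJECT(v) || JSVAL_IS_NULL(v))
#define INT_TO_JSVAL(i)       ((((jsval)(i)) << 1) | JSVAL_INT)
#define OBJECT_TO_JSVAL(o)    ((jsval)(o))
#define JSVAL_TO_OBJECT(v)    ((JSObject *)(v))

/* Hypothetical minimal JSObject; 8-byte aligned so its address carries a zero tag. */
typedef struct JSObject { void *priv; } JSObject;
static _Alignas(8) JSObject g_navigator = { NULL };

/* Stand-in for JS_GetPrivate(): dereferences obj unconditionally, as comment 11
 * says the real one did ("JS_GetPrivate is not null-safe"). */
static void *JS_GetPrivate(JSObject *obj) { return obj->priv; }

typedef enum {
    CHECK_NONE,             /* original loader: trusts that "navigator" is an object */
    CHECK_IS_OBJECT,        /* object check only (JSVAL_IS_OBJECT) */
    CHECK_IS_OBJECT_NONNULL /* null-defense: object check and a null check */
} check_mode;

typedef enum { REJECTED = 0, OK = 1, BAD_DEREF = -1 } outcome;

/* What the class loader would do with the value it read back for "navigator".
 * BAD_DEREF means a pointer that is null or not a tagged object pointer would
 * have been handed to JS_GetPrivate(): the crash in the bug report. */
outcome loader_outcome(check_mode mode, jsval navigator)
{
    if (mode == CHECK_IS_OBJECT && !JSVAL_IS_OBJECT(navigator))
        return REJECTED;
    if (mode == CHECK_IS_OBJECT_NONNULL && JSVAL_IS_PRIMITIVE(navigator))
        return REJECTED;

    /* Past the check the real code casts and dereferences. Model the fault
     * instead of performing it. */
    if (!JSVAL_IS_OBJECT(navigator) || JSVAL_IS_NULL(navigator))
        return BAD_DEREF;
    (void)JS_GetPrivate(JSVAL_TO_OBJECT(navigator));
    return OK;
}

/* A genuine (hypothetical) navigator object, for contrast. */
jsval real_navigator(void) { return OBJECT_TO_JSVAL(&g_navigator); }

int main(void)
{
    /* Constructed inputs: the trigger from comment 1 (navigator=0), an
     * explicit null, and a real object. */
    struct { const char *name; jsval v; } inputs[] = {
        { "navigator=0 (int)", INT_TO_JSVAL(0) },
        { "navigator=null",    JSVAL_NULL },
        { "real object",       real_navigator() },
    };
    const char *modes[] = { "no check", "JSVAL_IS_OBJECT", "object && !null" };
    for (int m = 0; m < 3; m++) {
        for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
            outcome r = loader_outcome((check_mode)m, inputs[i].v);
            printf("%-16s %-20s -> %s\n", modes[m], inputs[i].name,
                   r == OK ? "ok" : r == REJECTED ? "rejected" : "CRASH");
        }
    }
    return 0;
}
```

The object-only check is enough for the integer 0 from comment 1 (tag 1, not an object), but null has tag 0 and the same bit pattern as a zero object pointer, so it passes JSVAL_IS_OBJECT() and only JSVAL_IS_PRIMITIVE() (object and not null) rejects it.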
Comment 12 Daniel Veditz [:dveditz] 2006-06-23 11:15:09 PDT
Comment on attachment 226808 [details] [diff] [review]
Null-defense patch

r/sr=dveditz
Comment 13 Blake Kaplan (:mrbkap) 2006-06-23 11:18:57 PDT
Fix checked into trunk.
Comment 14 Daniel Veditz [:dveditz] 2006-06-23 11:21:29 PDT
Comment on attachment 226808 [details] [diff] [review]
Null-defense patch

approved for 1.8.0 branch, a=dveditz for drivers
Comment 15 Daniel Veditz [:dveditz] 2006-06-23 14:16:54 PDT
Comment on attachment 226691 [details] [diff] [review]
Fix

oops, forgot to mark the main patch. Of course we want this on the 1.8.0 branch also, a=dveditz for drivers
Comment 16 Blake Kaplan (:mrbkap) 2006-06-23 14:33:21 PDT
Fix checked into the 1.8.0 branch.
Comment 17 Darin Fisher 2006-06-23 15:19:21 PDT
Comment on attachment 226691 [details] [diff] [review]
Fix

a=darin on behalf of drivers (please land on the MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword to the bug)
Comment 18 Blake Kaplan (:mrbkap) 2006-06-23 15:36:43 PDT
Fix checked into the 1.8 branch.
Comment 19 Jay Patel [:jay] 2006-06-26 15:47:54 PDT
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcases and no calc.exe execution (was able to execute with 6/20 build).