Closed Bug 342267 (zdi-can-055) Opened 19 years ago Closed 19 years ago

Mozilla Firefox Javascript navigator Object Vulnerability (ZDI-CAN-055, CVE-2006-3677)

Categories

(Core :: Security, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla1.9alpha1

People

(Reporter: dveditz, Assigned: mrbkap)


Details

(Keywords: crash, fixed1.8.1, verified1.8.0.5, Whiteboard: [sg:critical] requires Java (on by default) 1.7/aviary not vulnerable)

Attachments

(3 files, 1 obsolete file)

ZDI-CAN-055: Mozilla Firefox Javascript navigator Object Vulnerability

-- ABSTRACT ------------------------------------------------------------

3Com has identified a vulnerability affecting the following products:

Firefox 1.5.x

-- VULNERABILITY DETAILS -----------------------------------------------

A vulnerability exists in the latest version of Mozilla Firefox which allows arbitrary code to execute. The problem lies in Firefox's use of the navigator object and Javascript. The vulnerability can be exploited when a user visits a malicious web page and executes under the context of that user's credentials.

The vulnerability is due to the fact that you can assign another object to the "navigator" object in Firefox. Then when a new Packages object is created, a method from the navigator object is called. The Packages object is a so-called LiveConnect object which enables the communication between Javascript and Java applets. So a JVM has to be installed to exploit the vulnerability. Assigning the object to a user controlled value leads to remote code execution.

The bug is only possible because the navigator object could be overwritten. This object is later used while creating the Packages object. The crash occurs in ./js/src/jsapi.c:2697 in JS_GetProperty() which is called from ./modules/oji/src/ProxyClassLoader.cpp:80

    if (!JS_GetProperty(cx, window, "navigator", &navigator))
        return NS_ERROR_FAILURE;

The ClassLoader acts on the assumption that the navigator object cannot be changed.

Vulnerable versions tested:
Firefox 1.5.0.1 Windows XP SP2
Firefox 1.5.0.1 Fedora Core 3

Not vulnerable versions tested:
Firefox 1.0.7 Windows XP SP2

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by: Anonymous
ZDI sent us a zipped proof-of-concept that launches calc.exe (same shellcode as zdi-can-026), but essentially all you need to do to trigger the crash is get rid of the navigator object and call up java. The following seems sufficient to cause the crash reliably:

    javascript:navigator=0;new Packages();void(0);

Note: you must have Java enabled.

A quick patch might be to add a check that the navigator property is an object in getScriptClassLoader:
http://lxr.mozilla.org/mozilla/source/modules/oji/src/ProxyClassLoader.cpp#76

That doesn't prevent content from messing with Java by playing with the navigator object in other ways, though.

So why isn't FF1.0 vulnerable? The OJI code appears to be essentially the same
Alias: zdi-can-055
Flags: blocking1.9a2+
Flags: blocking1.8.1?
Flags: blocking1.8.0.5+
Keywords: crash
Whiteboard: [sg:critical] requires Java (on by default)
Flags: blocking1.8.1? → blocking1.8.1+
Attached patch FixSplinter Review
So, the testcase doesn't work for me on my debug build. I get "Setting a property that only has a getter" because the navigator property is supposed to be read only! This patch should work anyway.
Assignee: dveditz → mrbkap
Status: NEW → ASSIGNED
Attachment #226691 - Flags: review?(dveditz)
Dan, is that testcase really for this bug?
Attached file Guts of the testcase
The first one isn't going to work loaded from bugzilla... I didn't seem to need the refresh to reproduce, but if you can't, save this attachment and the exp_loader one locally and load it from there.
Attachment #226717 - Attachment is obsolete: true
So loading the mail exploit itself seems to just crash; locally I do need to load the loader page first to get the exploit to run correctly. Here's an attempt to do just that on BMO.
> So loading the mail exploit itself seems to just crash, locally I do need to
> load the loader page first to get the exploit to run correctly. Here's an
> attempt to do just that on BMO.

Doesn't seem to work (launch calc.exe) on a known broken version. Still get the crash, but for full effect download attachments 226717 and 226722 locally.
So Firefox 1.0 and mozilla 1.7 are not vulnerable because bug 246224 ("Mozilla crashes if a chrome app uses Live Connect") was fixed on those branches by removing the only call to ProxyFindClass http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/oji/src/ProxyJNI.cpp&rev=1.29.8.2&mark=322,325,328#315
Comment on attachment 226691 [details] [diff] [review]
Fix

That should do nicely, r=dveditz

You mention this bug didn't happen to you on the trunk because navigator can't be overridden. I'm not seeing that, I crash. This should land on the trunk regardless: either it fixes the crash, or *will* fix it if the readonly attribute stops being enforced again.
Attachment #226691 - Flags: review?(dveditz) → review+
Attachment #226691 - Flags: superreview?(jst)
Depends on: 342490
Attachment #226691 - Flags: approval1.8.1?
Attachment #226691 - Flags: approval1.8.0.5?
Attachment #226691 - Flags: superreview?(jst) → superreview+
I can't believe I missed this before: the liveconnect code checks for JSVAL_IS_OBJECT and if that tests true, then it passes the jsval (as a JSObject *) to JS_GetPrivate. Unfortunately, null is an object, and JS_GetPrivate is not null-safe.
Attachment #226808 - Flags: superreview?(dveditz)
Attachment #226808 - Flags: review?(dveditz)
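As an added illustration (not code from this bug or from Mozilla), a small C model of the 1.5-era jsval tagging shows why both patches in this thread were needed: a non-object such as navigator=0 must be rejected before the loader touches it, and null must be rejected separately because it carries the object tag, so JSVAL_IS_OBJECT accepts it and JS_GetPrivate dereferences a null pointer. The jsval macros, the JSObject struct and js_get_private are constructed stand-ins for the real SpiderMonkey definitions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of 1.5-era SpiderMonkey jsval tagging: the low three
 * bits are a type tag, tag 0 means "object pointer", and JSVAL_NULL is the
 * bare value 0, so it carries the object tag without pointing anywhere. */
typedef uintptr_t jsval;
#define JSVAL_TAGMASK      ((jsval)7)
#define JSVAL_OBJECT       ((jsval)0)
#define JSVAL_INT          ((jsval)1)
#define JSVAL_NULL         ((jsval)0)
#define JSVAL_IS_OBJECT(v) (((v) & JSVAL_TAGMASK) == JSVAL_OBJECT)
#define JSVAL_IS_NULL(v)   ((v) == JSVAL_NULL)
#define INT_TO_JSVAL(i)    ((((jsval)(i)) << 1) | JSVAL_INT)
#define OBJECT_TO_JSVAL(o) ((jsval)(o))
#define JSVAL_TO_OBJECT(v) ((JSObject *)(v))

/* Toy object: the loader only cares about the private slot. */
typedef struct JSObject { void *private_data; } JSObject;

/* Stand-in for JS_GetPrivate: dereferences unconditionally, i.e. not null-safe. */
static void *js_get_private(JSObject *obj) { return obj->private_data; }

/* Before: the check described in the thread. Returns 1 when the loader would
 * reach JS_GetPrivate with a null object (the null-is-an-object hole). */
static int loader_would_crash(jsval navigator) {
    if (!JSVAL_IS_OBJECT(navigator))
        return 0;                       /* navigator=0 is an int: filtered here */
    return JSVAL_TO_OBJECT(navigator) == NULL;
}

/* After: null-defense. Accept only a real, non-null object; anything else
 * yields an error code (NS_ERROR_FAILURE in the real loader) instead of a
 * dereference. out may be NULL when the caller only wants the verdict. */
static int loader_get_private_safe(jsval navigator, void **out) {
    if (out) *out = NULL;
    if (!JSVAL_IS_OBJECT(navigator) || JSVAL_IS_NULL(navigator))
        return -1;
    if (out) *out = js_get_private(JSVAL_TO_OBJECT(navigator));
    return 0;
}

/* Self-check: a genuine object with a known private slot round-trips. */
static int roundtrip_ok(void) {
    int marker = 42;
    JSObject nav = { &marker };
    void *p = NULL;
    return loader_get_private_safe(OBJECT_TO_JSVAL(&nav), &p) == 0 && p == &marker;
}
```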
Comment on attachment 226808 [details] [diff] [review]
Null-defense patch

r/sr=dveditz
Attachment #226808 - Flags: superreview?(dveditz)
Attachment #226808 - Flags: superreview+
Attachment #226808 - Flags: review?(dveditz)
Attachment #226808 - Flags: review+
Attachment #226808 - Flags: approval1.8.1?
Attachment #226808 - Flags: approval1.8.0.5?
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 226808 [details] [diff] [review]
Null-defense patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #226808 - Flags: approval1.8.0.5? → approval1.8.0.5+
Comment on attachment 226691 [details] [diff] [review]
Fix

oops, forgot to mark the main patch. Of course we want this on the 1.8.0 branch also, a=dveditz for drivers
Attachment #226691 - Flags: approval1.8.0.5? → approval1.8.0.5+
Fix checked into the 1.8.0 branch.
Keywords: fixed1.8.0.5
Attachment #226808 - Flags: approval1.8.1? → approval1.8.1+
Comment on attachment 226691 [details] [diff] [review]
Fix

a=darin on behalf of drivers (please land on the MOZILLA_1_8_BRANCH and add the fixed1.8.1 keyword to the bug)
Attachment #226691 - Flags: approval1.8.1? → approval1.8.1+
Fix checked into the 1.8 branch.
Keywords: fixed1.8.1
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcases and no calc.exe execution (was able to execute with 6/20 build).
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Whiteboard: [sg:critical] requires Java (on by default) → [sg:critical] requires Java (on by default) 1.7/aviary not vulnerable
Summary: Mozilla Firefox Javascript navigator Object Vulnerability (ZDI-CAN-055) → Mozilla Firefox Javascript navigator Object Vulnerability (ZDI-CAN-055, CVE-2006-3677)
Group: security
Flags: in-testsuite?