Closed
Bug 344494
Opened 19 years ago
Closed 17 years ago
Arbitrary code execution with DOM Inspector by using Array.prototype methods (and Firebug)
Categories
(Other Applications :: DOM Inspector, defect, P1)
Other Applications
DOM Inspector
Tracking
(Not tracked)
RESOLVED
FIXED
Future
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Keywords: arch, Whiteboard: [sg:critical] [firebug-p1])
Attachments
(1 file, 1 obsolete file)
|
7.01 KB,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
This works on the trunk, fx2.0 and fx1.5.0.5.
|
Reporter | |
Comment 2•19 years ago
|
||
This works on the trunk, fx2.0, fx1.5.0.5, fx1.0.8 and moz1.7.13.
|
||
Comment 3•19 years ago
|
||
With Firebug installed the victim doesn't even have to explicitly launch something as is the case with DOM Inspector.
1. Open testcase 1
2. Switch to another tab
3. return to testcase tab --> exploit fires.
Every time you return to the testcase tab the alert will fire three times from Firebug's utils.js line 322 (version 0.4), and another once when you close the tab.
Firebug makes the problem far worse -- every page is a potential attack, not just pages you actively inspect. If you have new windows set to open in tabs (the default in FF2!) it's trivial to force this by opening a window and then closing it. Doesn't seem to work with real windows, just tabs for some reason (different events that Firebug's looking for?)
If Firebug has XML spying turned on then the presence of window.__firebug__ will alert hackers that it's there. I've been worried that the presence of functions that chrome will call means that's hackable, too, though I think all the obvious stuff has been fixed in 1.5.0.5. I guess that's for another bug (moz_bug_r_a4: would any of your PAC-hacking techniques work on this?)
Interesting: disabling Firebug just now from this window caused the exploit alert to fire one last time in another window containing testcase1.
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Flags: blocking1.8.0.6+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Summary: Arbitrary code execution with DOM Inspector by using Array.prototype methods → Arbitrary code execution with DOM Inspector by using Array.prototype methods (and Firebug)
Whiteboard: [sg:critical]
|
||
Updated•19 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
|
|
Reporter | |
Comment 4•19 years ago
|
||
(In reply to comment #3)
> If Firebug has XML spying turned on then the presence of window.__firebug__
> will alert hackers that it's there.
In that case, Firebug will call content-defined window.__firebug__ getter, and
the call to getter can trigger an exploit. Also, by default, window.console
getter, document.styleSheets getter, window.addEventListener, etc. etc. can be
used as a trigger of an exploit. I have a testcase for Firebug, which can
exploit without user interaction. Should I attach it here?
|
|
||
Comment 5•19 years ago
|
||
> I have a testcase for Firebug, which can
> exploit without user interaction. Should I attach it here?
Let's start a new bug for the Firebug issues.
|
|
Reporter | |
Comment 6•19 years ago
|
||
|
||
Comment 7•19 years ago
|
||
So if we turned XPCNativeWrapper on for DOM inspector, the only thing affected would be the "JS Object" view, right?
Frankly, that may be the way to go for the time being -- I'm not sure how much the "examine random page-set JS stuff" case is really used in the JS Object view. If we do want to leave that case allowed, we can control security better by moving the impl into C++ and pushing JSContexts on the stack or whatever it takes to get the right principals into play, but we'd still be running arbitrary code (with the page's privileges) on every prop access. So we're still kinda stuck, since the page can always set up getters that will, e.g., close the window when one gets some property (to disallow inspection altogether)....
For JS-defined getters we could actually skip calling the getter altogether and just indicate that a getter was defined.
I'll have a stab at this.
Assignee: dom-inspector → bugmail
|
|
Reporter | |
Comment 10•19 years ago
|
||
It seems that the patch (attachment 229913 [details] [diff] [review]) in Bug 344495 also fixes the
privilege escalation bugs.
Reassigning to moz_bug_r_a4 since he's working on this
Assignee: bugmail → moz_bug_r_a4
|
|
||
Comment 13•19 years ago
|
||
No safe fix, mrbkap's unavailable, try for 1.8.0.8
Flags: blocking1.8.0.8+
Flags: blocking1.8.0.7-
Flags: blocking1.8.0.7+
|
||
Comment 14•18 years ago
|
||
Pushing out to 1.8.1.1
Flags: blocking1.8.1.1?
Flags: blocking1.8.1-
Flags: blocking1.8.1+
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.8?
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.8? → blocking1.8.0.9?
|
|
||
Updated•18 years ago
|
Flags: blocking1.9?
|
|
||
Updated•18 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1-
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9-
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
|
|
||
Comment 15•18 years ago
|
||
No good fix yet, clearing 1.8.1.2/1.8.0.10 blocking flags
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10+
|
||
Updated•18 years ago
|
Keywords: arch
Whiteboard: [sg:critical] → [sg:critical] fixed by ? https://bugzilla.mozilla.org/show_bug.cgi?id=344495
|
|
||
Updated•18 years ago
|
Assignee: moz_bug_r_a4 → mrbkap
|
||
Updated•18 years ago
|
Flags: blocking1.9?
Flags: blocking1.9+
Flags: blocking-aviary1.0.9?
|
||
Comment 16•18 years ago
|
||
Targeting to B1 per conversation with Blake.
Target Milestone: --- → mozilla1.8.1beta1
|
Assignee | |
Updated•18 years ago
|
Target Milestone: mozilla1.8.1beta1 → mozilla1.9beta
|
||
Updated•18 years ago
|
QA Contact: timeless → dom-inspector
|
|
||
Comment 17•17 years ago
|
||
This appears fixed on the trunk in M8, by XOW (bug 367911, which fixed bug 344495)?
Whiteboard: [sg:critical] fixed by ? https://bugzilla.mozilla.org/show_bug.cgi?id=344495 → [sg:critical] fixed by XOW (bug 367911)?
|
|
Reporter | |
Comment 18•17 years ago
|
||
DOMi is still exploitable.
If content does document.__defineGetter__("nodeType", x), and DOMi accesses
document.nodeType, x is not called. But, if content does
document.__proto__.__defineGetter__("nodeType", x), x can be called by DOMi.
Also, e.g. document.documentElement.__defineGetter__("nodeType", x) can be used
since document.documentElement is not wrapped in XOW.
|
|
Reporter | |
Comment 19•17 years ago
|
||
|
|
Assignee | |
Comment 20•17 years ago
|
||
Yeah, the general solution for this bug will ensure that DOMi always gets a wrapper of some kind. Right now, it's relying on what's basically a happy coincidence.
|
|
Reporter | |
Comment 21•17 years ago
|
||
|
|
||
Comment 22•17 years ago
|
||
Blake, I know you are super busy, but any progress on this? Getting really close to freeze date for beta.
|
|
||
Comment 23•17 years ago
|
||
So if this is not yet fixed on 1.8 why block 1.9b1 for it?
|
|
||
Comment 24•17 years ago
|
||
For scary-risky changes such as these that rely on new or tweaked wrappers we really need them tested on trunk before back-porting the fixes to 1.8 (if back-porting is even possible). b1 will get a lot of use, nightlies not so much.
|
|
||
Comment 25•17 years ago
|
||
That said we've been waiting a long time on this, it could potentially wait for b2 if we have to and you don't mind pushing the risk out that late. I don't know what the actual risk is of what Blake's proposing, I'd imagine most of the arch-level risk was in the cross-origin wrappers (XOW) themselves and that's already in.
|
|
||
Comment 26•17 years ago
|
||
Just to clarify here, this security issue is not publicly known, correct? If not, I agree that we could probably ship beta without it.
|
|
Assignee | |
Comment 27•17 years ago
|
||
For what it's worth, I've been hoping to find a general solution that will fix this without changing any DOMI code. However, there are a couple of DOMI changes that will fix this for good (using XPCSafeJSObjectWrapper on content nodes explicitly in DOMI). While that's not a hack, my ideal solution would be to do said wrapping in XPConnect and let extensions Just Work.
|
|
||
Comment 28•17 years ago
|
||
Any progress, Blake? :-)
|
||
Updated•17 years ago
|
Whiteboard: [sg:critical] fixed by XOW (bug 367911)? → [sg:critical]
|
|
||
Comment 29•17 years ago
|
||
Retargeting to M10. Not a public sec issue, and there is no way a fix can make it for beta.
Target Milestone: mozilla1.9 M9 → mozilla1.9 M10
|
|
Assignee | |
Comment 30•17 years ago
|
||
This should be fixed by wrapperizing harder. P1 due to the severity.
Priority: -- → P1
Priority: P1 → P2
|
|
||
Comment 31•17 years ago
|
||
We're not sure if this can get done before Beta 2 here. Blake, are you sure
you can get this done? Moving to P2 for now.
|
|
Assignee | |
Comment 32•17 years ago
|
||
This patch isn't ready yet. SJOWs need some more lovin' before they'll be ready for prime time. However, this does stop testcase 3 in its tracks. I'll file (probably non-ss) bugs to track SJOW that needs to happen before this goes in.
|
|
Assignee | |
Updated•17 years ago
|
Attachment #294681 -
Attachment is patch: true
Attachment #294681 -
Attachment mime type: application/octet-stream → text/plain
|
|
Assignee | |
Comment 33•17 years ago
|
||
Comment on attachment 229060 [details]
testcase 1
Obsoleted because we no longer allow indirect eval.
|
|
Assignee | |
Comment 34•17 years ago
|
||
Comment on attachment 229061 [details]
testcase 2
Depends on indirect eval.
|
|
||
Comment 35•17 years ago
|
||
we should try and get any security bug work for this area done before b3, so there is testing time for any compatibility and stability fall out. blake, think that is possible?
Priority: P2 → P1
|
|
||
Comment 36•17 years ago
|
||
Blake can you set the TM to either B3 or B4 depending on when we can get this in?
|
||
Comment 37•17 years ago
|
||
Builds with the patch in this bug (and s/JS_GET_CLASS(cx, /STOBJ_GET_CLASS(/) applied are now available at:
https://build.mozilla.org/tryserver-builds/2008-02-19_16:40-jst@mozilla.com-wrapper-fun/
|
|
Assignee | |
Comment 38•17 years ago
|
||
Attachment #294681 -
Attachment is obsolete: true
|
||
Comment 39•17 years ago
|
||
I gave the tryserver build a quick twirl with Firebug 1.2. It didn't seem obviously broken (the DOMi thing worked, and I was able to set a breakpoint and trace JS in a page), but I'm not sure exactly what to bang on.
|
|
||
Comment 40•17 years ago
|
||
Anyone else see any issues? Johnny, Blake, does it look like the latest patch from Blake is a go here for beta 4?
|
||
Updated•17 years ago
|
Target Milestone: mozilla1.9beta2 → Future
|
|
||
Updated•17 years ago
|
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical] → [sg:critical] [firebug-p1]
Version: unspecified → Trunk
|
|
Assignee | |
Comment 41•17 years ago
|
||
Comment on attachment 304532 [details] [diff] [review]
Updated to trunk
This should be ready to go.
Attachment #304532 -
Flags: superreview?(jst)
Attachment #304532 -
Flags: review?(jst)
|
|
||
Updated•17 years ago
|
Attachment #304532 -
Flags: superreview?(jst)
Attachment #304532 -
Flags: superreview+
Attachment #304532 -
Flags: review?(jst)
Attachment #304532 -
Flags: review+
|
|
Assignee | |
Comment 42•17 years ago
|
||
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
|
||
Comment 43•17 years ago
|
||
Fixing the blocking flag here. Was still carrying the tracking1.9 flag for some reason.
Flags: tracking1.9+ → blocking1.9+
|
|
Reporter | |
Comment 44•17 years ago
|
||
A testcase that works on fx-2.0.0.14pre-2008-03-16-03, as promised in bug
363891 comment #36.
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Comment 1
•