354978 - privilege escalation using watchpoint

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[shutdown]

Pseudo stack frame constructed by js_watch_set() is not aware of function
cloning. So it can be used to execute arbitrary code with elevated privilege.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsdbgapi.c&rev=3.68&mark=362-375#362

Comment 1

[shutdown]

Attachment: testcase

works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20060930 BonEcho/2.0
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre)
  Gecko/20060930 Firefox/1.5.0.8pre

Comment 2

[Daniel Veditz [:dveditz]]

Johnny: you just landed bug 336731. Although that doesn't fix this, is it similar enough to this one that you'd want to look into the fix?

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Fix

I have a feeling that brendan won't be too happy with this fix, but I haven't given this bug enough thought to fix it in a better way. This fix makes the faux frame maintain the illusion of the cloned function object.

Comment 4

[Brendan Eich [:brendan]]

Comment on attachment 244855 [details] [diff] [review]
Fix

No, I like this fix.  But didn't Igor try an auto-storage-class array initialiser with runtime values and find some old compiler we still care about choking on it?

/be

Comment 5

[Blake Kaplan (:mrbkap) (inactive)]

Igor, do you remember the compiler that comment 4 mentions?

Comment 6

[Blake Kaplan (:mrbkap) (inactive)]

Fix checked into trunk. I'll fix compiler bustage as needed.

Comment 7

[neil@parkwaycc.co.uk]

Comment on attachment 244855 [details] [diff] [review]
Fix

>+                jsval argv[2] = { OBJECT_TO_JSVAL(funobj), JSVAL_NULL };
Note: gcc 2.96 won't compile this because OBJECT_TO_JSVAL(funobj) is not a constant - "initializer element is not computable at load time".

Comment 8

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Fix (potential) build bustage

Comment 9

[Johnny Stenback (:jst)]

Comment on attachment 244959 [details] [diff] [review]
Fix (potential) build bustage

r=jst

Comment 10

[Brendan Eich [:brendan]]

Eagerly awaiting branch patch(es).

/be

Comment 11

[Daniel Veditz [:dveditz]]

The "potential" build bustage is breaking BeOS, can we get attachment 244959 [details] [diff] [review] checked in?

Comment 12

[Daniel Veditz [:dveditz]]

filed bug 360376 so we can hand out the bustage patch more easily.

Comment 13

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Combined branch patch

This is just a combination of the other two patches in this bug.

Comment 14

[Daniel Veditz [:dveditz]]

Comment on attachment 245376 [details] [diff] [review]
Combined branch patch

approved for 1.8/1.8.0 branches, a=dveditz for drivers

Comment 15

[Blake Kaplan (:mrbkap) (inactive)]

Fixed on the 1.8.* branches.

Comment 16

[Bob Clary [:bc] (inactive)]

20061127 windows/linux

verified fixed 1.8.0.9 no alert appears, but the security error about Components.classes does not appear until the page is refreshed.

verified fixed 1.8.1.1/1.9 no alert appears, security error appears when the link is clicked.

Comment 17

[chris hofmann]

hi shutdown,

I've tried to send you e-mail a few times without success.  Can you contact chofmann@mozilla.org so we can pay you bug bounty in connection with this bug and other research that you have done.

thanks

chris h.

Comment 18

[chris hofmann]

pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...

Comment 19

[071273]

i Like this technologie of browsers, but i need one version of mozzila orriginal wich body , iguality of 98 windos or os  9.2. more jflat ..

sorry for   my inglish friends 

peace 

www.myspace.com/akafabiomachado