Bug 354978 - privilege escalation using watchpoint
Status: VERIFIED FIXED
Whiteboard: [sg:critical]
Keywords: testcase, verified1.8.0.9, verified1.8.1.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: P1 normal
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
: Jason Orendorff [:jorendorff]
Depends on: 360376

Reported: 2006-09-30 13:45 PDT by shutdown
Modified: 2013-03-26 08:03 PDT
CC: 13 users
Flags:
dveditz: blocking1.8.1.1+
dveditz: blocking1.8.0.9+
choller: in-testsuite-

Attachments
Fix (1.42 KB, patch)
2006-11-06 18:44 PST, Blake Kaplan (:mrbkap)
brendan: review+
Fix (potential) build bustage (1.28 KB, patch)
2006-11-07 16:25 PST, Blake Kaplan (:mrbkap)
jst: review+
Combined branch patch (1.48 KB, patch)
2006-11-11 23:37 PST, Blake Kaplan (:mrbkap)
dveditz: approval1.8.0.9+
dveditz: approval1.8.1.1+

Description shutdown 2006-09-30 13:45:25 PDT
The pseudo stack frame constructed by js_watch_set() is not aware of function cloning, so it can be used to execute arbitrary code with elevated privilege.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsdbgapi.c&rev=3.68&mark=362-375#362
Comment 1 shutdown 2006-09-30 13:46:38 PDT
Created attachment 240755
testcase

works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20060930 BonEcho/2.0
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre) Gecko/20060930 Firefox/1.5.0.8pre
Comment 2 Daniel Veditz [:dveditz] 2006-11-06 16:56:56 PST
Johnny: you just landed bug 336731. Although that doesn't fix this, is it similar enough to this one that you'd want to look into the fix?
Comment 3 Blake Kaplan (:mrbkap) 2006-11-06 18:44:35 PST
Created attachment 244855
Fix

I have a feeling that brendan won't be too happy with this fix, but I haven't given this bug enough thought to fix it in a better way. This fix makes the faux frame maintain the illusion of the cloned function object.
Comment 4 Brendan Eich [:brendan] 2006-11-06 19:24:03 PST
Comment on attachment 244855
Fix

No, I like this fix.  But didn't Igor try an auto-storage-class array initialiser with runtime values and find some old compiler we still care about choking on it?

/be
Comment 5 Blake Kaplan (:mrbkap) 2006-11-06 19:25:15 PST
Igor, do you remember the compiler that comment 4 mentions?
Comment 6 Blake Kaplan (:mrbkap) 2006-11-06 21:10:18 PST
Fix checked into trunk. I'll fix compiler bustage as needed.
Comment 7 neil@parkwaycc.co.uk 2006-11-07 16:17:16 PST
Comment on attachment 244855
Fix

>+                jsval argv[2] = { OBJECT_TO_JSVAL(funobj), JSVAL_NULL };
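Review bot: the brace initializer on this `argv` line has a non-constant element, `OBJECT_TO_JSVAL(funobj)`, and C89 requires every element of an aggregate initializer list to be a constant expression (C99 relaxed this for automatic storage), so older compilers still in the build matrix will reject it. Declare `jsval argv[2];` and assign `argv[0] = OBJECT_TO_JSVAL(funobj);` and `argv[1] = JSVAL_NULL;` as separate statements so the faux-frame setup compiles everywhere with the same behaviour.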
Note: gcc 2.96 won't compile this because OBJECT_TO_JSVAL(funobj) is not a constant - "initializer element is not computable at load time".
Comment 8 Blake Kaplan (:mrbkap) 2006-11-07 16:25:13 PST
Created attachment 244959
Fix (potential) build bustage
Comment 9 Johnny Stenback (:jst, jst@mozilla.com) 2006-11-08 14:11:52 PST
Comment on attachment 244959
Fix (potential) build bustage

r=jst
Comment 10 Brendan Eich [:brendan] 2006-11-08 23:51:39 PST
Eagerly awaiting branch patch(es).

/be
Comment 11 Daniel Veditz [:dveditz] 2006-11-11 10:56:21 PST
The "potential" build bustage is breaking BeOS, can we get attachment 244959 checked in?
Comment 12 Daniel Veditz [:dveditz] 2006-11-11 11:05:57 PST
filed bug 360376 so we can hand out the bustage patch more easily.
Comment 13 Blake Kaplan (:mrbkap) 2006-11-11 23:37:02 PST
Created attachment 245376
Combined branch patch

This is just a combination of the other two patches in this bug.
Comment 14 Daniel Veditz [:dveditz] 2006-11-13 12:18:56 PST
Comment on attachment 245376
Combined branch patch

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Comment 15 Blake Kaplan (:mrbkap) 2006-11-24 11:45:53 PST
Fixed on the 1.8.* branches.
Comment 16 Bob Clary [:bc:] 2006-11-27 23:01:42 PST
20061127 windows/linux

verified fixed 1.8.0.9 no alert appears, but the security error about Components.classes does not appear until the page is refreshed.

verified fixed 1.8.1.1/1.9 no alert appears, security error appears when the link is clicked.
Comment 17 chris hofmann 2007-01-23 12:10:02 PST
hi shutdown,

I've tried to send you e-mail a few times without success. Can you contact chofmann@mozilla.org so we can pay you the bug bounty in connection with this bug and other research that you have done?

thanks

chris h.
Comment 18 chris hofmann 2007-04-24 15:29:35 PDT
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...
Comment 19 071273 2008-01-25 07:33:00 PST
i Like this technologie of browsers, but i need one version of mozzila orriginal wich body , iguality of 98 windos or os  9.2. more jflat ..

sorry for   my inglish friends 

peace 

www.myspace.com/akafabiomachado