privilege escalation using watchpoint

VERIFIED FIXED in mozilla1.9alpha1

Status

Product: Core
Component: JavaScript Engine
Priority: P1
Severity: normal
Status: VERIFIED FIXED
Reported: 11 years ago
Modified: 5 years ago

People

(Reporter: shutdown, Assigned: mrbkap)

Tracking

Version: Trunk
Target Milestone: mozilla1.9alpha1
Keywords: testcase, verified1.8.0.9, verified1.8.1.1
Points:
---
Bug Flags:
blocking1.8.1.1 +
blocking1.8.0.9 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical])

Attachments

(3 attachments)

(Reporter)

Description

11 years ago
Pseudo stack frame constructed by js_watch_set() is not aware of function
cloning. So it can be used to execute arbitrary code with elevated privilege.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsdbgapi.c&rev=3.68&mark=362-375#362
(Reporter)

Comment 1

11 years ago
Created attachment 240755 [details]
testcase

works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20060930 BonEcho/2.0
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre)
  Gecko/20060930 Firefox/1.5.0.8pre
Comment 2

11 years ago
Johnny: you just landed bug 336731. Although that doesn't fix this, is it similar enough to this one that you'd want to look into the fix?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical]
(Assignee)

Comment 3

11 years ago
Created attachment 244855 [details] [diff] [review]
Fix

I have a feeling that brendan won't be too happy with this fix, but I haven't given this bug enough thought to fix it in a better way. This fix makes the faux frame maintain the illusion of the cloned function object.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #244855 - Flags: review?(brendan)
(Assignee)

Updated

11 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Comment 4

11 years ago
Comment on attachment 244855 [details] [diff] [review]
Fix

No, I like this fix.  But didn't Igor try an auto-storage-class array initialiser with runtime values and find some old compiler we still care about choking on it?

/be
Attachment #244855 - Flags: review?(brendan) → review+
(Assignee)

Comment 5

11 years ago
Igor, do you remember the compiler that comment 4 mentions?
(Assignee)

Comment 6

11 years ago
Fix checked into trunk. I'll fix compiler bustage as needed.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 7

11 years ago
Comment on attachment 244855 [details] [diff] [review]
Fix

>+                jsval argv[2] = { OBJECT_TO_JSVAL(funobj), JSVAL_NULL };
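Review bot: the brace initializer on this line puts a runtime value, OBJECT_TO_JSVAL(funobj), into an automatic array initializer, which C89 does not allow (only C99 relaxed the constant-expression requirement for automatic aggregates), so C89-era compilers such as the gcc 2.96 mentioned in this thread reject it with "initializer element is not computable at load time". Declaring the array and assigning the elements separately, `jsval argv[2]; argv[0] = OBJECT_TO_JSVAL(funobj); argv[1] = JSVAL_NULL;`, keeps the same behaviour and builds on both.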
Note: gcc 2.96 won't compile this because OBJECT_TO_JSVAL(funobj) is not a constant - "initializer element is not computable at load time".
(Assignee)

Comment 8

11 years ago
Created attachment 244959 [details] [diff] [review]
Fix (potential) build bustage
Attachment #244959 - Flags: review?(brendan)
Comment 9

11 years ago
Comment on attachment 244959 [details] [diff] [review]
Fix (potential) build bustage

r=jst
Attachment #244959 - Flags: review?(brendan) → review+
Comment 10

11 years ago
Eagerly awaiting branch patch(es).

/be
Comment 11

11 years ago
The "potential" build bustage is breaking BeOS; can we get attachment 244959 [details] [diff] [review] checked in?
Depends on: 360376
Comment 12

11 years ago
Filed bug 360376 so we can hand out the bustage patch more easily.
(Assignee)

Comment 13

11 years ago
Created attachment 245376 [details] [diff] [review]
Combined branch patch

This is just a combination of the other two patches in this bug.
Attachment #245376 - Flags: approval1.8.1.1?
Attachment #245376 - Flags: approval1.8.0.9?
Comment 14

11 years ago
Comment on attachment 245376 [details] [diff] [review]
Combined branch patch

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #245376 - Flags: approval1.8.1.1?
Attachment #245376 - Flags: approval1.8.1.1+
Attachment #245376 - Flags: approval1.8.0.9?
Attachment #245376 - Flags: approval1.8.0.9+
(Assignee)

Comment 15

11 years ago
Fixed on the 1.8.* branches.
Keywords: fixed1.8.0.9, fixed1.8.1.1

Comment 16

11 years ago
20061127 windows/linux

verified fixed 1.8.0.9 no alert appears, but the security error about Components.classes does not appear until the page is refreshed.

verified fixed 1.8.1.1/1.9 no alert appears, security error appears when the link is clicked.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, fixed1.8.1.1 → verified1.8.0.9, verified1.8.1.1

Comment 17

11 years ago
hi shutdown,

I've tried to send you e-mail a few times without success.  Can you contact chofmann@mozilla.org so we can pay you bug bounty in connection with this bug and other research that you have done.

thanks

chris h.

Comment 18

11 years ago
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...
Group: security
Flags: in-testsuite?

Comment 19

10 years ago
I like this technology of browsers, but I need one version of Mozilla original which body, equality of 98 Windows or OS 9.2. more jflat ..

Sorry for my English, friends.

Peace

www.myspace.com/akafabiomachado

Updated

9 years ago
Keywords: testcase
Flags: in-testsuite? → in-testsuite-