Closed Bug 354978 Opened 13 years ago Closed 13 years ago

privilege escalation using watchpoint

Categories: Core :: JavaScript Engine, defect, P1

Status: VERIFIED FIXED
Target Milestone: mozilla1.9alpha1

People: Reporter: sync2d, Assigned: mrbkap

Keywords: testcase, verified1.8.0.9, verified1.8.1.1
Whiteboard: [sg:critical]

Attachments: 3 files

Pseudo stack frame constructed by js_watch_set() is not aware of function
cloning. So it can be used to execute arbitrary code with elevated privilege.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsdbgapi.c&rev=3.68&mark=362-375#362
Attached file testcase
works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20060930 BonEcho/2.0
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre) Gecko/20060930 Firefox/1.5.0.8pre
Johnny: you just landed bug 336731. Although that doesn't fix this, is it similar enough to this one that you'd want to look into the fix?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical]
Attached patch Fix
I have a feeling that brendan won't be too happy with this fix, but I haven't given this bug enough thought to fix it in a better way. This fix makes the faux frame maintain the illusion of the cloned function object.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #244855 - Flags: review?(brendan)
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 244855
Fix

No, I like this fix.  But didn't Igor try an auto-storage-class array initialiser with runtime values and find some old compiler we still care about choking on it?

/be
Attachment #244855 - Flags: review?(brendan) → review+
Igor, do you remember the compiler that comment 4 mentions?
Fix checked into trunk. I'll fix compiler bustage as needed.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 244855
Fix

>+                jsval argv[2] = { OBJECT_TO_JSVAL(funobj), JSVAL_NULL };
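Review bot: the brace initialiser on this line has a non-constant element, OBJECT_TO_JSVAL(funobj), in an automatic-storage array; C89 requires constant expressions in an aggregate initialiser list (only C99 relaxed that), so older compilers this tree still builds with will reject it. Declare the array and assign the elements separately, e.g. `jsval argv[2]; argv[0] = OBJECT_TO_JSVAL(funobj); argv[1] = JSVAL_NULL;`, which keeps the same values on the faux frame without depending on the C99 rule.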
Note: gcc 2.96 won't compile this because OBJECT_TO_JSVAL(funobj) is not a constant - "initializer element is not computable at load time".
Comment on attachment 244959
Fix (potential) build bustage

r=jst
Attachment #244959 - Flags: review?(brendan) → review+
Eagerly awaiting branch patch(es).

/be
The "potential" build bustage is breaking BeOS, can we get attachment 244959 checked in?
Depends on: 360376
filed bug 360376 so we can hand out the bustage patch more easily.
This is just a combination of the other two patches in this bug.
Attachment #245376 - Flags: approval1.8.1.1?
Attachment #245376 - Flags: approval1.8.0.9?
Comment on attachment 245376
Combined branch patch

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #245376 - Flags: approval1.8.1.1?
Attachment #245376 - Flags: approval1.8.1.1+
Attachment #245376 - Flags: approval1.8.0.9?
Attachment #245376 - Flags: approval1.8.0.9+
Fixed on the 1.8.* branches.
20061127 windows/linux

verified fixed 1.8.0.9: no alert appears, but the security error about Components.classes does not appear until the page is refreshed.

verified fixed 1.8.1.1/1.9: no alert appears, security error appears when the link is clicked.
Status: RESOLVED → VERIFIED
hi shutdown,

I've tried to send you e-mail a few times without success.  Can you contact chofmann@mozilla.org so we can pay you bug bounty in connection with this bug and other research that you have done.

thanks

chris h.
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites.  adding him to the cc list in these...
Group: security
Flags: in-testsuite?
I like this technology of browsers, but I need one version of Mozilla original which body, iguality of 98 Windows or OS 9.2. more jflat ..

sorry for my English, friends

peace 

www.myspace.com/akafabiomachado
Keywords: testcase
Flags: in-testsuite? → in-testsuite-