Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Arbitrary code execution using XSS hole and feed preview page

RESOLVED FIXED in Firefox 3

Status

()

Firefox
RSS Discovery and Preview
P2
normal
RESOLVED FIXED
11 years ago
9 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mano)

Tracking

({verified1.8.1.17})

unspecified
Firefox 3
x86
Windows XP
verified1.8.1.17
Points:
---
Dependency tree / graph
Bug Flags:
blocking-firefox3 +
blocking1.8.1.13 -
blocking1.8.1.15 -
blocking1.8.1.17 +
wanted1.8.1.x +
blocking1.8.0.next -
wanted1.8.0.x -
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical])

Attachments

(4 attachments, 2 obsolete attachments)

(Reporter)

Description

11 years ago
Please see bug 353266.

Array.prototype methods trick (bug 344495) and document.(open|write) trick (bug
346659) and XSS holes (bug 351370, bug 359137) are available on fx2.0. (bug
359137 was already fixed.)

In a feed preview page, an event handler that was registered by content script
can be called by chrome script via elem.doCommand() or elem.dispatchEvent(). 
In this case, the event handler's scripted caller is chrome script.  Thus, an
attacker can run arbitrary code with chrome privileges by using Array.prototype
methods trick or document.write trick.

--
  document.getElementById("handlersMenuList")
   .addEventListener("command", x, true);

  SubscribeHandler._feedWriter.write(window);
   or
  SubscribeHandler._feedWriter
   .QueryInterface(Components.interfaces.nsIObserver)
   .observe({}, "nsPref:changed", "browser.feeds.handler.default");

x() (if x is a function) or x.handleEvent() is called in
FeedWriter._setSelectedHandler() via handlers[0].doCommand(),
selectedAppMenuItem.doCommand() or liveBookmarksMenuItem.doCommand().

  document.getElementById("alwaysUse")
   .addEventListener("CheckboxStateChange", y, true);

  SubscribeHandler._feedWriter.write(window);
   or
  SubscribeHandler._feedWriter
   .QueryInterface(Components.interfaces.nsIObserver)
   .observe({}, "nsPref:changed", "browser.feeds.handler");

y() or y.handleEvent() is called in FeedWriter._setCheckboxCheckedState() via
aCheckbox.dispatchEvent(event).
--

* Fx1.5.0.x is not affected since it does not have feed preview feature.
* The trunk should be exploitable if an XSS hole existed.
(Reporter)

Comment 3

11 years ago
The old testcases no longer work, since those try to use the XSS hole (bug
351370) that has been already fixed.  I'm attaching new testcases that use
another XSS hole (Bug 363597).
(Reporter)

Comment 6

11 years ago
Is there any chance this can be fixed without relying on fixing bug 344495?
Is this still a problem in current trunk/branch build?
Flags: blocking-firefox3?
(Reporter)

Comment 8

10 years ago
Yes, at least on 1.8 branch.  It's still possible to use the feed preview page
to turn an XSS bug into an arbitrary code execution bug.

Updated

10 years ago
Depends on: 393762
Flags: blocking1.8.1.13?
Flags: blocking1.8.1.12?
Flags: blocking-firefox3?
Whiteboard: [sg:critical]
Flags: blocking1.8.1.13?
Flags: blocking1.8.1.13+
Flags: blocking1.8.1.12?

Comment 11

10 years ago
Repeating the question:
(In reply to comment #7)
> Is this still a problem in current trunk/branch build?

If this is branch only, could the bug be marked as gecko-1.8branch/ff-2.0branch?

Flags: blocking-firefox3?
Whether or not it's a trunk problem depends on whether there are any known universal-xss vulnerabilities on the trunk, or will be any found (or made) in the future. We've gone to a lot of trouble to make sure content can't open any chrome-privileged URIs precisely because we didn't trust that there were no such holes, but being able to open frames on arbitrary feeds means that web content _can_ still open chrome-privileged frames.

The only true solution is to make the Feed preview non-privileged. The privileged part could be a separate chrome-privileged sheet-like thing much like an oversized infobar.
Flags: wanted1.8.1.x+
Not gonna block Firefox 3 on this for now, but if you find that potential XSS vuln or figure out a fix for branch, please renom.
Flags: blocking-firefox3? → blocking-firefox3-
sayrer, is this something you can look at?

Comment 15

10 years ago
(In reply to comment #14)
> sayrer, is this something you can look at?
> 

Mano dealt with this stuff last time, and came up with the Fx2 solution. I am really busy with other stuff--a summary of the attributes and elements used for the attack would be much appreciated.

Updated

10 years ago
Assignee: nobody → jst
Mano, do you have time to look at this in the next week? We're about a week away from our branch freeze.
Assignee: jst → mano
(In reply to comment #13)
> Not gonna block Firefox 3 on this for now, but if you find that potential XSS
> vuln or figure out a fix for branch, please renom.

We find XSS fairly regularly, it needs to get fixed.

Flags: blocking-firefox3- → blocking-firefox3?
Created attachment 306777 [details] [diff] [review]
patch
Attachment #306777 - Flags: superreview?(jst)
Attachment #306777 - Flags: review?(sayrer)
Target Milestone: --- → Firefox 3

Updated

10 years ago
Attachment #306777 - Flags: review?(sayrer) → review+
Whiteboard: [sg:critical] → [sg:critical][need sr jst]

Updated

10 years ago
Attachment #306777 - Flags: superreview?(jst) → superreview+
Attachment #306777 - Flags: approval1.9b4?
Whiteboard: [sg:critical][need sr jst] → [sg:critical]
Comment on attachment 306777 [details] [diff] [review]
patch

a1.9b4=beltzner
Attachment #306777 - Flags: approval1.9b4? → approval1.9b4+
mozilla/browser/components/feeds/src/FeedWriter.js 1.53
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Priority: -- → P1
Resolution: --- → FIXED
Mano, does this same patch apply to the branch? If so, can you request approval? If not, a branch-specific one would be great.
Created attachment 307041 [details] [diff] [review]
untested branch patch

I don't have a tree to this one on.
Flags: blocking-firefox3? → blocking-firefox3+
(Reporter)

Comment 23

10 years ago
It seems that appendChild(), removeAttribute(), etc. are also exploitable,
since those methods fire mutation events.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Followup bug would be better unless the landed patch is backed out.

/be
Let's keep using this one.
Status: REOPENED → ASSIGNED
Attachment #307041 - Flags: review?(dveditz)

Updated

10 years ago
Whiteboard: [sg:critical] → [sg:critical][needs new patch]
This needs a complete trunk patch before we can take it on the branch. Punting to the next release.
Flags: blocking1.8.1.14+
Flags: blocking1.8.1.13-
Flags: blocking1.8.1.13+
Target Milestone: Firefox 3 → Firefox 3 beta5
Mike and I agreed to push this to early-post-beta given the scale of my upcoming rewrite.
Target Milestone: Firefox 3 beta5 → Firefox 3
Priority: P1 → P2
So, after thinking about this a little more, I'm going to just rely on the fact that DOMAttrModified and other mutation events are not being dispatched for nodes which are not yet inserted into the document (and call appendChild within the sandbox).
In the js console:
var a=function() { alert('foo'); }; document.addEventListener("DOMAttrModified", a, true); var b = document.createElement("b"); b.setAttribute("f", "b"); document.documentElement.appendChild(b); b.setAttribute("m", "f");

alerts only for the second setAttribute call. Boris, Jonas,  Johnny: Can the feedwriter code rely on this? W3C's documentation is pretty vague about mutation events behavior for nodes which are not yet inserted into the document.

Comment 31

10 years ago
Mutation events do get dispatched, but in your testcase the event can't 
propagate to document, because element isn't in document.
But if you add mutation event listener to the element, the listener will be
called.
I'm fine with that, we create the elements and set the attributes on the same time. Would it be enough than to call appendChild and all  _post_ node-insertion, attribute-modifications methods  in the sandbox?
Created attachment 311020 [details] [diff] [review]
wip
Created attachment 311175 [details] [diff] [review]
patch
Attachment #311020 - Attachment is obsolete: true
Attachment #311175 - Flags: review?(mconnor)
Comment on attachment 311175 [details] [diff] [review]
patch

>-      feedTitleLink.setAttribute("title", titleText);
>+      this._contentSandbox.feedTitleLink = feedTitleLink;
>+      this._contentSandbox.titleText = titleText;
>+      var codeStr = "feedTitleLink.setAttribute('title', titleText);";
>+      Cu.evalInSandbox(codeStr, this._contentSandbox);
>       this._safeSetURIAttribute(feedTitleLink, "href", 
>                                 parts.getPropertyAsAString("link"));

can null these after to clean up

>   _setSubscribeUsingLabel: function FW__setSubscribeUsingLabel() {
>-    var stringLabel = null;
>-
>-    switch (this._getFeedType()) {
>+    var stringLabel;
>+    var feedType = this._getFeedType();
>+    switch (feedType) {

you don't use feedType elsewhere, don't understand the change here.

>       case Ci.nsIFeed.TYPE_VIDEO:
>         stringLabel = "subscribeVideoPodcastUsing";
>         break;
> 
>       case Ci.nsIFeed.TYPE_AUDIO:
>         stringLabel = "subscribeAudioPodcastUsing";
>         break;
> 
>       default:
>         stringLabel = "subscribeFeedUsing";
>     }

you could just init stringLabel to this and it'd be a little less code overall, but that's being nitpicky.

r=me, this should be pretty safe, just needs to get tested thoroughly by QA tomorrow...
Attachment #311175 - Flags: review?(mconnor) → review+
Attachment #311175 - Flags: approval1.9b5?
Comment on attachment 311175 [details] [diff] [review]
patch

a1.9b5 on this patch, as its fixing an sg:critical bug and has potential regression impact in the wild.

Please make sure that the existing litmus tests cover the functionality we're touching here, and send mail to qa@mozilla.org asking that they be run ASAP on all platforms.  If there are missing tests, please tell QA what the tests should cover.
Attachment #311175 - Flags: approval1.9b5? → approval1.9b5+
It seems to me that this wouldn't be too hard to automate testing on? (not that I'm volunteering - my plate is plenty full)

The testcases seem to basically be already written (some modification so they don't use an alert box maybe, but that shouldn't be too hard either...)
Flags: in-testsuite?
No, you cannot test this, we generally fix XSS holes :p
right but, if we can exploit said vulnerability in a test, the test should fail, right?
But we cannot. As far as i can tell, none of the tests attached here can be used to test this bug on current trunk.

Comment 41

10 years ago
XSS-like conditions can be created by code with UniversalXPConnect privileges, no?
I couldn't find a way (even with privileges enabled) to call about:feed's SubscribeHandler.init on trunk without using the console / urlbar as described in testcase 6. 
Created attachment 311366 [details] [diff] [review]
for checkin

I'll write some tests later as we figure out how to do so...
mozilla/browser/components/feeds/src/FeedWriter.js 1.54

Mail sent to qa@m.c.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago10 years ago
Resolution: --- → FIXED

Comment 45

10 years ago
> without using the console / urlbar as described in testcase 6. 

So if you inject code into the Firefox window that calls eval(content.code), it doesn't work?
Firefox window as in browser.xul? I guess that might work, though it requires the chrome-testing framework....

Comment 47

10 years ago
Why?  You can do that from inside a mochitest if you really want to...

Doing it from chrome mochitests might work as long as you can get the feed preview page loaded first.

Updated

10 years ago
Blocks: 425010

Updated

10 years ago
No longer blocks: 425010
Depends on: 425010
Is there any work being done here for an updated branch patch, presumably one that also includes a fix for bug 430658?
Whiteboard: [sg:critical][needs new patch] → [sg:critical][needs new branch patch]
Still don't have a branch patch and given the size of the trunk patch we don't want to take it at the last minute. Moving to 1.8.1.16, but we need to get a patch soon so we can land it early in the cycle.
Flags: blocking1.8.1.16+
Flags: blocking1.8.1.15-
Flags: blocking1.8.1.15+
Mano, we could really use a branch patch here...
Created attachment 334770 [details] [diff] [review]
combined branch patch
Attachment #307041 - Attachment is obsolete: true
Attachment #334770 - Flags: review?(mconnor)
Attachment #307041 - Flags: review?(dveditz)
Blocks: 430658
Comment on attachment 334770 [details] [diff] [review]
combined branch patch

This feels like pain.
Attachment #334770 - Flags: review?(mconnor) → review+
Attachment #334770 - Flags: approval1.8.1.17?
qanote: testcase 7 can't be used to verify because the stepping-stone bug was fixed in FF2.0.0.15. Either we need a 2.0.0.16-working testcase that uses another yet-unfixed XSS bug, or this patch needs to be verified by applying the patch to a 2.0.0.14 source tree.
Comment on attachment 334770 [details] [diff] [review]
combined branch patch

It'd be good to get a second review given the size of the patch and the limited testing time we've got left for this release. Johnny: you reviewed an earlier iteration, you up for it?
Attachment #334770 - Flags: review?(jst)
Whiteboard: [sg:critical][needs new branch patch] → [sg:critical]

Updated

9 years ago
Attachment #334770 - Flags: review?(jst) → review+
Comment on attachment 334770 [details] [diff] [review]
combined branch patch

Approved for 1.8.1.17. Please land ASAP on the branch. a=ss
Attachment #334770 - Flags: approval1.8.1.17? → approval1.8.1.17+
Checking in src/FeedWriter.js;
/cvsroot/mozilla/browser/components/feeds/src/FeedWriter.js,v  <--  FeedWriter.js
new revision: 1.2.2.33; previous revision: 1.2.2.32
done
Keywords: fixed1.8.1.17
(Reporter)

Comment 60

9 years ago
The fx2 patch caused a syntax error on Windows.

Here is an extra "}".
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedWriter.js&rev=1.2.2.33&mark=788#782


Error: missing catch or finally after try
Source File: file:///C:/test/fx-2.0.0.17pre-2008-08-26-03/firefox/components/FeedWriter.js
Line: 736, Column: 6
Source Code:
      else {

Error: BrowserFeedWriter is not defined
Source File: chrome://browser/content/feeds/subscribe.js
Line: 45
Preeeetty sure we need the syntax error fixed before we can ship 2.0.0.17, so unmarking it as branch-fixed until that's addressed.

How did this code ever work in testing the #ifdef XP_WIN block?  We really, *really* can't be checking untested code into the stable branches, so I'm very much hoping that something else happened. :(
Keywords: fixed1.8.1.17
Bad merge :-/
With that fixed I get:
Error: uncaught exception: [Exception... "'[JavaScript Error: "result has no properties" {file: "file:///I:/mozb/mozilla/ff-opt/dist/bin/components/FeedWriter.js" line: 381}]' when calling method: [nsIFeedWriter::write]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: chrome://browser/content/feeds/subscribe.js :: SH_init :: line 46"  data: yes]

with all of the testcases, along with:
Security Error: Content at about:feeds may not load or link to chrome://global/content/mozilla.xhtml.

I assume this is the expected failure (I get the same on trunk).
mozilla/browser/components/feeds/src/FeedWriter.js 	1.2.2.34 
Keywords: fixed1.8.1.17
Depends on: 452689
Verified on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17 using test cases here. This is the output in the error console while running test case 8, in comment #57:

Error: result has no properties
Source File: file:///C:/Program%20Files/Mozilla%20Firefox/components/FeedWriter.js
Line: 354

Error: uncaught exception: [Exception... "'[JavaScript Error: "result has no properties" {file: "file:///C:/Program%20Files/Mozilla%20Firefox/components/FeedWriter.js" line: 354}]' when calling method: [nsIFeedWriter::write]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: chrome://browser/content/feeds/subscribe.js :: SH_init :: line 46"  data: yes]

Error: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMLocation.href]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "native frame :: <unknown filename> :: <TOP_LEVEL> :: line 0"  data: no]
Keywords: fixed1.8.1.17 → verified1.8.1.17

Comment 66

9 years ago
doesnt apply on 1.8.0 from what i can see. If i am mistaking flip wanted1.8.0.x or blocking1.8.0.15 to ? again. Thanks!
Flags: wanted1.8.0.x-
In 20015 test case #8 opens up an alert window, and in 20017 it doesn't.
moz_bug, could you file a new bug on the omissions? Tracking multiple patches in one bug just leads to confusion.
And it seems to me that should block the fx2.0.0.17 release, right?
(In reply to comment #70)
> moz_bug, could you file a new bug on the omissions? Tracking multiple patches
> in one bug just leads to confusion.

I have been convinced that's the right thing to do, instead of continually expanding the scope of this single bug. We'll leave this part of the issue as fixed & verified, and stamp out the others in future releases.

(In reply to comment #71)
> And it seems to me that should block the fx2.0.0.17 release, right?

No, we've waited before, and can continue to do so again.
Depends on: 453526
CC me on it please if you wanst me to fix it.
Group: core-security

Updated

9 years ago
Flags: blocking1.8.0.15-
You need to log in before you can comment on or make changes to this bug.