Closed
Bug 369213
Opened 18 years ago
Closed 18 years ago
PAC script can access internal BackstagePass object
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sync2d, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:moderate] critical for PAC users; need SJsOW)
Attachments
(2 files)
|
306 bytes,
text/javascript
|
Details | |
|
2.73 KB,
patch
|
crowderbt
:
review+
darin.moz
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
By using Script object, PAC script can access an internal BackstagePass
object which can be used to execute arbitrary code with chrome privileges.
The testcase works on:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.2pre)
Gecko/20070203 BonEcho/2.0.0.2pre
IMO, trunk is not vulnerable since it has no Script object (bug 355820).
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
|
||
Comment 2•18 years ago
|
||
Are the fixes for bug 355214/355215 likely to help here?
Assignee: dveditz → crowder
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:moderate] critical for PAC users
|
||
Comment 3•18 years ago
|
||
It seems like they should, yes. shutdown, can you experiment with those patches (especially, I think, the fix in 355214, even though it breaks the netwerk tests currently)?
|
|
||
Comment 4•18 years ago
|
||
Actually this might want both.... not sure.
|
Assignee | |
Comment 5•18 years ago
|
||
As a guess (I haven't tested), this exploit will still work (albeit s/call/apply/). I think we should simply filter for FindProxyForURL instanceof sandbox.Function.
(In reply to comment #3)
> It seems like they should, yes. shutdown, can you experiment with those
> patches (especially, I think, the fix in 355214, even though it breaks the
> netwerk tests currently)?
I cannot access those bugs.
(In reply to comment #5)
> As a guess (I haven't tested), this exploit will still work (albeit
> s/call/apply/). I think we should simply filter for FindProxyForURL instanceof
> sandbox.Function.
Such check could be defeated by doing |Function = Script;| in a PAC script.
|
|
||
Comment 7•18 years ago
|
||
Unless this fix falls out of the ones we're already working on (and at risk for this release as it is) this will have to wait for next release.
Flags: blocking1.8.1.3+
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.11+
Flags: blocking1.8.0.10?
|
|
||
Comment 8•18 years ago
|
||
shutdown: please contact chris hofmann. he's been unable to reach you by mail
|
|
||
Comment 9•18 years ago
|
||
Giving this one to mrbkap, since he's got the other 2 or 3 PAC bugs I'm aware of.
Assignee: crowder → mrbkap
|
|
Assignee | |
Comment 10•18 years ago
|
||
This fix clamps the 'this' value to be the sandbox when we call into FindProxyForURL.
Attachment #255644 -
Flags: superreview?(dveditz)
Attachment #255644 -
Flags: review?(darin.moz)
Attachment #255644 -
Flags: review?(crowder)
|
|
||
Comment 11•18 years ago
|
||
Comment on attachment 255644 [details] [diff] [review]
Fix
ok.. there's so much subtlety here. Is there anything you can do to better document how this safety is achieved in the code?
Attachment #255644 -
Flags: review?(darin.moz) → review+
|
|
||
Comment 12•18 years ago
|
||
Comment on attachment 255644 [details] [diff] [review]
Fix
While I agree that some comments might prove useful for future reference, I'm not sure you want them to be TOO useful either... I'm torn.
Attachment #255644 -
Flags: review?(crowder) → review+
|
|
||
Comment 13•18 years ago
|
||
I've said this before, but using XPConnect for PAC seems extremely fragile, as evidenced by how many of these bugs keep appearing. A simple C++ solution that just programs to JSAPI directly seems ideal to me.
|
|
||
Comment 14•18 years ago
|
||
(In reply to comment #13)
> I've said this before, but using XPConnect for PAC seems extremely fragile, as
> evidenced by how many of these bugs keep appearing. A simple C++ solution that
> just programs to JSAPI directly seems ideal to me.
That's how PAC was implemented originally (all C, actually). But so were all other bindings, which meant a lot of hand-written glue code (native methods, getters, setters, etc.).
XPConnect looks like the right hammer for such nails in Mozilla, but it has unfixed security bugs. They bite PAC, but not only PAC. We need to fix them; we are going to fix them systematically, so there will be a general fix that cures this bug's symptom and ensures that it doesn't reopen. More in a bit.
/be
|
|
Assignee | |
Comment 15•18 years ago
|
||
(In reply to comment #14)
> XPConnect looks like the right hammer for such nails in Mozilla, but it has
> unfixed security bugs. They bite PAC, but not only PAC. We need to fix them; we
> are going to fix them systematically
The realization that I came to in bug 355215, comment 8 was that the safe object wrapper that jst just wrote would have solved most of the PAC problems. The problem of calling back into the PAC code in a safe way (with all of these horrible .calls floating around) is unique to PAC and, without some of the more major changes that we've discussed to subject principal computation would look the same, even with the safe object wrapper.
FWIW, this is exactly what bothered me when I started looking at bug 355214 -- I was hoping for an evalInSandbox fix that would help other consumers, but instead got a PAC specific one. I think the general fix in this case is to use correctly-compiled functions to talk with the sandbox until the safe object wrapper can do it for you.
|
|
Assignee | |
Comment 16•18 years ago
|
||
(In reply to comment #13)
> I've said this before, but using XPConnect for PAC seems extremely fragile, as
> evidenced by how many of these bugs keep appearing. A simple C++ solution that
> just programs to JSAPI directly seems ideal to me.
At the risk of inviting a deluge of PAC security bugs, I'm going to say that we're at the end of privilege-escalation bugs of this type in PAC. As far as I can tell, all points where privileged code touches unprivileged code now go through intermediaries that save us from ourselves.
The change to use the JSAPI directly as well as C code obviously has other benefits, I just don't think security should be the main reason to make the switch.
|
|
||
Comment 17•18 years ago
|
||
So, you guys are proposing a solution that is much simpler? (The current PAC code is extremely non-trivial, and I think most people would be rightly fearful to touch it.)
|
|
||
Comment 18•18 years ago
|
||
Comment on attachment 255644 [details] [diff] [review]
Fix
sr=dveditz
Attachment #255644 -
Flags: superreview?(dveditz) → superreview+
|
|
Assignee | |
Comment 19•18 years ago
|
||
I checked the fix into the trunk.
Darin, I believe that Brendan was talking about fixing the underlying security bugs in XPConnect/CAPS (in most cases this refers to native functions being skipped when computing subject principals). I was talking about using XPCSafeJSObjectWrapper to hide most of the function-creation.
I've also been thinking about simply returning a safe object wrapper from the sandbox constructor, which I *think* should make everything "just work".
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
||
Comment 20•18 years ago
|
||
Moving out per Blake
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
|
|
||
Comment 21•18 years ago
|
||
Can we land this safely in 1.8.1.8?
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Whiteboard: [sg:moderate] critical for PAC users → [sg:moderate] critical for PAC users; need SJsOW
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.14+ → blocking1.8.0.14-
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•