Closed
Bug 370461
Opened 17 years ago
Closed 16 years ago
__proto__ of a function returned by Components.lookupMethod() comes from content
Categories
(Core :: XPConnect, defect, P3)
Tracking
()
VERIFIED
FIXED
mozilla1.9.1a1
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Keywords: verified1.8.1.19, verified1.9.0.5, verified1.9.1, Whiteboard: [sg:critical?] critical if chrome code does this.)
Attachments
(3 files)
6.21 KB,
patch
|
bzbarsky
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
7.03 KB,
patch
|
jst
:
review+
jst
:
superreview+
dveditz
:
approval1.9.0.5+
|
Details | Diff | Splinter Review |
5.92 KB,
patch
|
jst
:
review+
jst
:
superreview+
dveditz
:
approval1.8.1.19+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
This is similar to bug 370127. Since __proto__ of a function returned by Components.lookupMethod() comes from content, it is unsafe to use properties and methods of that function. If chrome code calls .call() or .apply() on that function then content code can run arbitrary code with chrome privileges by using Array.prototype methods trick (bug 344495). Bug 344495's trick is not required in some cases. For example: chrome: var d = content.document; var s = Components.lookupMethod(d, "title").call(d); s = s.substring(s.indexOf(" ") + 1); content: var s = { substring : privileged_eval, indexOf : function() { return code + "//"; } }; Function.prototype.call = function() { return s; }; Using Components.lookupMethod() with .call() or .apply() might be prevailing usage, since there are many such examples in 1.7 branch code, including XPCNativeWrapper.js (this means fx1.0.x and moz1.7.x are exploitable without any extensions). But, I'm not sure if there are any vulnerable extensions on addons.mozilla.org.
Updated•17 years ago
|
Flags: blocking1.9?
Comment 1•17 years ago
|
||
Blake, this is more than likely the same problem as in bug 370127 I just gave you.
Assignee: nobody → mrbkap
Flags: blocking1.9? → blocking1.9+
Assignee | ||
Comment 2•17 years ago
|
||
This turned out to be more difficult than bug 370127 because the offending functions are compiled way before lookupMethod ever gets to them. I'm not sure what the best fix for this is. We could potentially return a brand new wrapper function that does the right thing (really, it'd just call the inner function with the same |this| object and parameters) or try to force the prototype to be something else. Does that sound reasonable, or am I missing an easier option (that doesn't involve the word "wrapper!"
Comment 3•17 years ago
|
||
Targeting A6 per conversation with Blake.
Target Milestone: --- → mozilla1.9alpha6
Assignee | ||
Comment 4•17 years ago
|
||
I was hoping that brendan's recent JS_CloneFunctionObject changes were going to fix this, but we clone with the "wrong" parent, so we still get the wrong prototype, which suggests a fix like the one in bug 370127 -- but I'm going to need to think about it a little harder.
Comment 5•17 years ago
|
||
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Do we know of any places in 1.9 code where Components.lookupMethod is used in an exploitable way? If so this might be a higher priority.
Priority: -- → P3
Comment 7•17 years ago
|
||
Not in Gecko per se. Camino does it. Some extensions might too (though I hope not).
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: tracking1.9+
Flags: blocking1.9-
Comment 8•16 years ago
|
||
I can no long reproduce in FF2.0.0.14 or recent trunk, I get "invalid setter usage" errors. Did we fix this, or merely break this particular testcase?
Comment 9•16 years ago
|
||
We killed indirect eval on both trunk and branch and the setter in the testcase is trying to use <Marquee>.init.eval That doesn't fix the underlying problem and there is surely another way to abuse it.
Updated•16 years ago
|
Whiteboard: [sg:moderate?]
Reporter | ||
Comment 10•16 years ago
|
||
This uses location setter instead of eval. (This uses Bug 344495's trick.) This works on trunk and fx2.0.0.14.
Updated•16 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Updated•16 years ago
|
Flags: blocking1.8.1.15? → blocking1.8.1.16?
Updated•16 years ago
|
Priority: P3 → P2
Comment 11•16 years ago
|
||
If any chrome code uses this feature on content then this is sg:critical
Flags: blocking1.9.0.2?
Flags: blocking1.8.1.17?
Flags: blocking1.8.1.17+
Whiteboard: [sg:moderate?] → [sg:moderate?] critical if chrome code does this.
Updated•16 years ago
|
Flags: blocking1.9.0.2? → blocking1.9.0.2+
Target Milestone: mozilla1.9alpha8 → mozilla1.9.1a1
Updated•16 years ago
|
Whiteboard: [sg:moderate?] critical if chrome code does this. → [sg:moderate?][needs patches] critical if chrome code does this.
Comment 13•16 years ago
|
||
Blake, how's this patch (or patches) coming?
Comment 14•16 years ago
|
||
This will need trunk baking, so pushing out to next releases
Flags: blocking1.9.0.3+
Flags: blocking1.9.0.2+
Flags: blocking1.8.1.18+
Flags: blocking1.8.1.17+
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Priority: P2 → P3
Isn't this sg:critical since it allows full chrome access?
Whiteboard: [sg:moderate?][needs patches] critical if chrome code does this. → [sg:critical?][needs patches] critical if chrome code does this.
Marking blocking- per the new security-bugs-fixing strategy
Flags: blocking1.9.1+ → blocking1.9.1-
Updated•16 years ago
|
Flags: blocking1.9.0.5+
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.19+
Flags: blocking1.8.1.18+
Comment 17•16 years ago
|
||
Renominating since we're placing this on the Top Security Bugs list.
Flags: blocking1.9.1- → blocking1.9.1?
Assignee | ||
Comment 18•16 years ago
|
||
There's a sad lack of code-sharing here, but all of our wrappers do things *ever so slightly* different. I call XPCNativeWrapperCtor directly here to ensure that we don't hand out implicit native wrappers by accident. Given how ancient this API is (and that nobody should be using it anymore anyway) I'm OK with expandos on any returned XPCNativeWrappers disappearing.
Attachment #345418 -
Flags: superreview?(jst)
Attachment #345418 -
Flags: review?(bzbarsky)
Comment 19•16 years ago
|
||
Comment on attachment 345418 [details] [diff] [review] Proposed fix r=bzbarsky
Attachment #345418 -
Flags: review?(bzbarsky) → review+
Updated•16 years ago
|
Attachment #345418 -
Flags: superreview?(jst) → superreview+
Updated•16 years ago
|
Keywords: checkin-needed
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Comment 20•16 years ago
|
||
Marking fixed: http://hg.mozilla.org/mozilla-central/rev/ef515839d49b
Assignee | ||
Comment 21•16 years ago
|
||
This conflicted because of JS_STATIC_DLL_CALLBACK removal on trunk.
Attachment #348118 -
Flags: review?(jst)
Attachment #348118 -
Flags: approval1.9.0.5?
Assignee | ||
Comment 22•16 years ago
|
||
Attachment #348122 -
Flags: review?(jst)
Attachment #348122 -
Flags: approval1.8.1.19?
Updated•16 years ago
|
Whiteboard: [sg:critical?][needs patches] critical if chrome code does this. → [sg:critical?][needs r jst] critical if chrome code does this.
Updated•16 years ago
|
Attachment #348118 -
Flags: superreview+
Attachment #348118 -
Flags: review?(jst)
Attachment #348118 -
Flags: review+
Updated•16 years ago
|
Attachment #348122 -
Flags: superreview+
Attachment #348122 -
Flags: review?(jst)
Attachment #348122 -
Flags: review+
Updated•16 years ago
|
Whiteboard: [sg:critical?][needs r jst] critical if chrome code does this. → [sg:critical?] critical if chrome code does this.
Comment 23•16 years ago
|
||
Comment on attachment 348118 [details] [diff] [review] Patch for the 1.9 branch Approved for 1.9.0.5, a=dveditz for release-drivers
Attachment #348118 -
Flags: approval1.9.0.5? → approval1.9.0.5+
Comment 24•16 years ago
|
||
Comment on attachment 348122 [details] [diff] [review] Patch for the 1.8 branch Approved for 1.8.1.19, a=dveditz for release-drivers
Attachment #348122 -
Flags: approval1.8.1.19? → approval1.8.1.19+
Comment 26•16 years ago
|
||
Verified for 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre. Verified for 1.9.0.5 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008112505 GranParadiso/3.0.5pre. Verified for Trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081123 Minefield/3.1b2pre.
Status: RESOLVED → VERIFIED
Updated•16 years ago
|
Keywords: fixed1.9.1
Comment 27•16 years ago
|
||
Comment on attachment 348122 [details] [diff] [review] Patch for the 1.8 branch a=asac for 1.8.0 branch
Attachment #348122 -
Flags: approval1.8.0.next+
Updated•16 years ago
|
Flags: blocking1.8.0.next+
Updated•16 years ago
|
Keywords: verified1.9.1
Updated•16 years ago
|
Keywords: fixed1.9.1
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•