Bug 381300 - (CVE-2007-3089) Frame spoofing is possible within a short time frame while the window is loading.
Status: RESOLVED FIXED
Whiteboard: [sg:low spoof] 1.8-branch only
Keywords: fixed1.8.0.15, fixed1.8.1.5, qawanted
Product: Core
Classification: Components
Component: DOM
Version: 1.8 Branch
Platform: All All
Priority: --
Severity: normal (1 vote)
Target Milestone: ---
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
QA Contact: Hixie (not reading bugmail)
Mentors:
Duplicates: 382686
Depends on: 387979 CVE-2007-3844
Blocks: 346663 346664 382686

Reported: 2007-05-19 19:17 PDT by Ronen Zilberman
Modified: 2009-01-25 13:05 PST
CC: 25 users
Flags:
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.14-
dveditz: blocking1.8.0.next+
dveditz: wanted1.8.0.x+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Exploit testcase. (1.93 KB, text/html)
2007-05-19 19:18 PDT, Ronen Zilberman
no flags

Backport of fix for bug 325816 and bug 332182 to 1.8 branch (58.24 KB, patch)
2007-06-19 20:11 PDT, Boris Zbarsky [:bz] (Out June 25-July 6)
mrbkap: review+
jst: superreview+
dveditz: approval1.8.1.5+

1.8.0 branch patch (57.36 KB, patch)
2007-07-11 14:13 PDT, Boris Zbarsky [:bz] (Out June 25-July 6)
caillon: approval1.8.0.next+

Description Ronen Zilberman 2007-05-19 19:17:20 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading.

Because the exact time is non-constant and unknown, multiple attempts are carried out. The failed ones are silently discarded using a try/catch block.

This is similar to Bug 343168.
Both the 'frames[x].document.open()' method (described in above bug) and a normal 'frames[x].document' method are shown to reliably produce the exploit.

Reproducible: Always

Steps to Reproduce:
See attached test case.
Comment 1 Ronen Zilberman 2007-05-19 19:18:37 PDT
Created attachment 265398 [details]
Exploit testcase.
Comment 2 :Gavin Sharp [email: gavin@gavinsharp.com] 2007-05-19 19:27:12 PDT
I can reproduce this with a current branch build, but not on the trunk.
Comment 3 Ronen Zilberman 2007-05-21 19:39:58 PDT
It seems that the problem is this:

The frame's location is "about:blank" while it is being loaded, and it is during this time that it can be spoofed (after the parent document has been loaded, but before the framed document has been loaded).

Comment 4 Daniel Veditz [:dveditz] 2007-05-24 11:40:00 PDT
This was fixed on the trunk by changing the way we treat about:blank
Comment 5 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-05-24 13:09:46 PDT
I wonder whether we could at least port part of that (e.g. the default principal for subframes)... Not sure how easy that would be.
Comment 6 Bob Clary [:bc:] 2007-06-04 10:35:25 PDT
*** Bug 382686 has been marked as a duplicate of this bug. ***
Comment 7 Bob Clary [:bc:] 2007-06-04 10:38:23 PDT
publicly disclosed by Michal Zalewski to full-disclosure.
Comment 8 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-06-05 18:17:05 PDT
The trunk fix was in bug 332182.  Looking at it now, it might not be impossible to merge to branch, if we're sure it doesn't break the web (which seems likely).  Some of the code is sure to not apply, and we'd need to add interfaces instead of changing them, but it might be doable in general....  Unfortunately, I'm not going to be able to do it in the near future.  :(
Comment 9 pigfoot@gmail.com 2007-06-05 20:23:10 PDT
I think it's a critical vulnerability, isn't it? It's very dangerous if someone uses this exploit to steal accounts.

I would really appreciate it if you can fix this in the next branch build.
Comment 10 Marek Stępień [:marcoos, inactive] 2007-06-09 10:42:54 PDT
This bug got some publicity and one bank tells their users to 'stop using Firefox until it's fixed and switch to IE6'. http://www.multibank.pl/co_nowego/aktualnosci?_a=15793
Comment 11 Mike Mason 2007-06-18 14:44:19 PDT
It is gaining in publicity.
NIST's Vulnerability DB lists the CVSS Severity at a 10.0 (High): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3089

All Fx users at my work got a message from our corp security team last week telling us to uninstall Fx immediately.
Comment 12 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-06-19 20:11:14 PDT
Created attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

I've confirmed that this patch fixes the "exploit testcase" in this bug.  I have NOT had a chance to do any other testing yet.  In particular, I have not run it on the tests attached to bug 332182.  It would be great if someone would, with all the various new-window pref settings (at the very least, with the settings to force all new windows into windows, tabs, and same rendering area).

Note that the tests can be run with jssh; I think we have some documentation on mozilla.org for that.

I'll try to get this also ported to the 1.8.0 branch.
Comment 13 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-06-19 20:12:01 PDT
I should also note that if run under jssh the tests will do the different pref values automatically...  So that's really the way to go, imo.
Comment 14 İsmail Dönmez 2007-06-20 00:40:28 PDT
Works with all the testcases from bug 332182 here, on Firefox 2.0.0.4+patch.
Comment 15 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-06-20 04:18:46 PDT
I'm basically gone starting today for two weeks or so.  jst or Blake, could you drive this in?  I don't have the 1.8.0 port done (or even significantly started), unfortunately.  :(
Comment 16 Daniel Veditz [:dveditz] 2007-07-09 15:32:14 PDT
required to fix public exploit bug 382686
Comment 17 Johnny Stenback (:jst, jst@mozilla.com) 2007-07-10 15:51:41 PDT
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

Looks good to me, sr=jst. I happened to spot one typo in surrounding code as I was reading through it, fix it if you want to:

- In nsDocShell::DoURILoad():

     // XXX: Is seems wrong that the owner is ignored - even if one is
Comment 18 Blake Kaplan (:mrbkap) (please use needinfo!) 2007-07-10 17:33:03 PDT
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

*stamp*
Comment 19 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-07-10 17:37:24 PDT
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

Hoping for some last-minute approval love.
Comment 20 Daniel Veditz [:dveditz] 2007-07-11 09:45:17 PDT
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch

approved for 1.8.1.5, a=dveditz
Comment 21 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-07-11 14:13:26 PDT
Created attachment 271902 [details] [diff] [review]
1.8.0 branch patch
Comment 22 moz_bug_r_a4 2007-07-12 20:12:33 PDT
Please see bug 387979.
Comment 23 juan becerra [:juanb] 2007-07-16 18:33:59 PDT
Verified using test cases in comment #1 on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5. Also on Mac 2005rc2 build.
Comment 24 Daniel Veditz [:dveditz] 2007-08-07 11:13:08 PDT
In the interest of getting a Thunderbird 1.5.0.13 out ASAP to address the known problems, this spoofing bug will need to wait for 1.8.0.14 releases
Comment 25 Daniel Veditz [:dveditz] 2007-12-03 14:39:33 PST
Not needed in a Thunderbird 1.8.0 release, still wanted for browsers
Comment 26 Christopher Aillon (sabbatical, not receiving bugmail) 2008-02-20 08:27:53 PST
Comment on attachment 271902 [details] [diff] [review]
1.8.0 branch patch

a=caillon for 1.8.0.15 (and clearing stale .14 request)
Comment 27 Reed Loden [:reed] (use needinfo?) 2008-02-21 02:41:06 PST
MOZILLA_1_8_0_BRANCH:

Checking in caps/src/nsPrincipal.cpp;
/cvsroot/mozilla/caps/src/nsPrincipal.cpp,v  <--  nsPrincipal.cpp
new revision: 1.37.2.1.2.1; previous revision: 1.37.2.1
done
Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v  <--  nsScriptSecurityManager.cpp
new revision: 1.266.2.7.2.11; previous revision: 1.266.2.7.2.10
done
Checking in content/base/src/nsFrameLoader.cpp;
/cvsroot/mozilla/content/base/src/nsFrameLoader.cpp,v  <--  nsFrameLoader.cpp
new revision: 1.53.6.1.4.2; previous revision: 1.53.6.1.4.1
done
Checking in content/base/src/nsDocument.h;
/cvsroot/mozilla/content/base/src/nsDocument.h,v  <--  nsDocument.h
new revision: 3.264.2.3.2.5; previous revision: 3.264.2.3.2.4
done
Checking in content/base/src/nsDocument.cpp;
/cvsroot/mozilla/content/base/src/nsDocument.cpp,v  <--  nsDocument.cpp
new revision: 3.566.2.6.2.17; previous revision: 3.566.2.6.2.16
done
Checking in docshell/base/nsDocShell.cpp;
/cvsroot/mozilla/docshell/base/nsDocShell.cpp,v  <--  nsDocShell.cpp
new revision: 1.719.2.21.2.14; previous revision: 1.719.2.21.2.13
done
Checking in docshell/base/nsDocShell.h;
/cvsroot/mozilla/docshell/base/nsDocShell.h,v  <--  nsDocShell.h
new revision: 1.186.2.3.2.2; previous revision: 1.186.2.3.2.1
done
Checking in dom/public/base/nsPIDOMWindow.h;
/cvsroot/mozilla/dom/public/base/nsPIDOMWindow.h,v  <--  nsPIDOMWindow.h
new revision: 1.49.2.2.4.1; previous revision: 1.49.2.2
done
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.761.2.22.2.23; previous revision: 1.761.2.22.2.22
done
Checking in dom/src/base/nsGlobalWindow.h;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.h,v  <--  nsGlobalWindow.h
new revision: 1.250.2.9.2.4; previous revision: 1.250.2.9.2.3
done
Checking in embedding/components/windowwatcher/src/Makefile.in;
/cvsroot/mozilla/embedding/components/windowwatcher/src/Makefile.in,v  <--  Makefile.in
new revision: 1.26.26.1; previous revision: 1.26
done
Checking in embedding/components/windowwatcher/src/nsWindowWatcher.h;
/cvsroot/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.h,v  <--  nsWindowWatcher.h
new revision: 1.21.8.1.4.2; previous revision: 1.21.8.1.4.1
done
Checking in embedding/components/windowwatcher/src/nsWindowWatcher.cpp;
/cvsroot/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp,v  <--  nsWindowWatcher.cpp
new revision: 1.100.2.5.2.4; previous revision: 1.100.2.5.2.3
done
Checking in dom/src/jsurl/nsJSProtocolHandler.cpp;
/cvsroot/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp,v  <--  nsJSProtocolHandler.cpp
new revision: 1.113.2.2.2.5; previous revision: 1.113.2.2.2.4
done
Checking in content/html/document/src/nsHTMLDocument.cpp;
/cvsroot/mozilla/content/html/document/src/nsHTMLDocument.cpp,v  <--  nsHTMLDocument.cpp
new revision: 3.615.2.10.2.17; previous revision: 3.615.2.10.2.16
done
Checking in content/base/public/nsIDocument.h;
/cvsroot/mozilla/content/base/public/nsIDocument.h,v  <--  nsIDocument.h
new revision: 3.207.2.1.4.4; previous revision: 3.207.2.1.4.3
done