Closed Bug 381412 Opened 17 years ago Closed 17 years ago

Avoid XSS with incomplete sequences in multibyte character sets

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha8

People

(Reporter: u217243, Assigned: emk)

References

(
URL
)

Details

(Keywords: jp-critical, verified1.8.1.8, Whiteboard: [sg:moderate] embargo until Feb 2008 (comment 29), longtest)

Attachments

(7 files, 5 obsolete files)

Similar trick in ISO-2022-JP
351 bytes, text/html; charset=iso-2022-jp
Details
And the same in hz-gb2312
338 bytes, text/html
Details
addressed review comments
36.02 KB, patch
smontagu
: review+
dveditz
: superreview+
dveditz
: approval1.8.1.8+
dveditz
: approval1.8.0.14-
Details | Diff | Splinter Review
Thunderbird 2.0.0.9 counldn't decode the subject at all
81 bytes, message/rfc822
Details
Testcase using ESC ( J
351 bytes, text/html; charset=ISO-2022-JP
Details
resolved review comment
1.42 KB, patch
smontagu
: review+
dveditz
: superreview+
Details | Diff | Splinter Review
new manual testcase
321 bytes, text/html; charset=ISO-2022-JP
Details 
Yosuke Hasegawa at WebAppSec.jp reported a bug in the Mozilla parser through JPCERT/CC.

The parser ignores control character '0x80' in HTML tag attributes if character encoding of the page is Shift_JIS commonly used in Japan, and allows Cross-Site Scripting attacks in some cases. Scripts cannot be run if the charset is not Shift_JIS.

He posted the POC here:
http://openmya.hacker.jp/hasegawa/PoC/firefox-0x80.html

It contains the following codes:
<div [0x80]onmouseover="alert('xss');">aaa</div>
<[0x80][0x80]s[0x80][0x80]c[0x80]r[0x80]i[0x80]p[0x80]t[0x80]>[0x80]document.write('[0x80]xss');</script>
Blocks: xss
Is the HTML parser ignoring characters or is the Shift_JIS decoder ignoring bytes?
I doubt it's the parser because we recently added checks for stuff like this
If it's in the charset converter, are similar issues lurking in scripts other than shift-JIS?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:moderate]
This looks to me like a regression from bug 108136, and probably applies to all Japanese codepages.
Attached patch Minimal patch (obsolete) — Splinter Review 
This fixes the testcase, but I want to do more investigation in other codepages and regression testing.
Assignee: nobody → smontagu
Status: NEW → ASSIGNED
Flags: blocking1.9? → blocking1.9+
Target Milestone: --- → mozilla1.9alpha6
Unlike the original, this one also works in IE, and I think it will be somewhat harder to fix. It uses ISO-2022-JP escape sequences to create zero-length JIS X 0208 runs between ASCII characters.
Attachment #267398 - Attachment mime type: text/html → text/html; charset=iso-2022-jp
Summary: Avoid XSS with control character 0x80 in HTML tag attributes (charset Shift_JIS only) → Avoid XSS with incomplete sequences in multibyte character sets
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
For extra points, this one works in Mozilla, IE and Safari
Attached patch Patch (obsolete) — Splinter Review 
I audited all the DBCS and MCBS encodings in intl/uconv/ucvja ucvcn ucvko ucvtw and ucvtw2 for similar holes. This patch fixes:
The originally reported flaw with 0x80 in Shift-JIS
Assertions with out-of-range bytes in HZ-GB-2312
Zero-length non-ASCII runs in ISO-2022-JP (attachment 267398 [details])
Zero-length non-ASCII runs in ISO-2022-CN
Zero-length non-ASCII runs in ISO-2022-KR
Zero-length non-ASCII runs in HZ-GB-2312 (attachment 268763 [details]).
Attachment #265538 - Attachment is obsolete: true
Attachment #269066 - Flags: superreview?(dveditz)
Attachment #269066 - Flags: review?(jshin1987)
Whiteboard: [sg:moderate] → [sg:moderate] longtest
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Whiteboard: [sg:moderate] longtest → [sg:moderate] longtest, need r=jshin, sr=dveditz
Flags: blocking1.8.1.5+ → blocking1.8.1.6?
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
Comment on attachment 269066 [details] [diff] [review]
Patch

r+. Sorry for the terrible delay. 

>Index: intl/uconv/ucvja/nsJapaneseToUnicode.cpp
>===================================================================

>+++ intl/uconv/ucvja/nsJapaneseToUnicode.cpp	20 Jun 2007 11:55:10 -0000
>@@ -132,18 +132,22 @@ NS_IMETHODIMP nsShiftJISToUnicode::Conve
>                  if(0xFFFD == mData) {
>                    // IE convert fd-ff as single byte and convert to
>                    // U+f8f1 to U+f8f3
>                    if((0xfd == *src) || (0xfe == *src) || (0xff == *src))
>                    {
>                      *dest++ = (PRUnichar) 0xf8f1 + 
>                                    (*src - (unsigned char)(0xfd));
>                      if(dest >= destEnd)
>                         goto error1;
>+                   } else {
>+                     *dest++ = 0x30FB;
>+                     if(dest >= destEnd)
>+                       goto error1;

Does IE also map 0x80 to U+30FB?  If so, please mention that. BTW,  can we do this and 0xFD - 0xFF mapping regardless of the value of intl.jis0208.map?
Attachment #269066 - Flags: review?(jshin1987) → review+
Whiteboard: [sg:moderate] longtest, need r=jshin, sr=dveditz → [sg:moderate] longtest, need sr=dveditz
> Does IE also map 0x80 to U+30FB?  If so, please mention that. 

IE maps 0x80 to itself, and 0xA0 to U+F8F0. I've changed the patch to follow this.

> BTW,  can we do
> this and 0xFD - 0xFF mapping regardless of the value of intl.jis0208.map?  

I've tested that that's what we do already.
Attachment #269066 - Attachment is obsolete: true
Attachment #278301 - Flags: superreview?(dveditz)
Attachment #278301 - Flags: review+
Attachment #269066 - Flags: superreview?(dveditz)
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Comment on attachment 278301 [details] [diff] [review]
addressed review comments

sr=dveditz
Attachment #278301 - Flags: superreview?(dveditz) → superreview+
Attachment #278301 - Flags: approval1.8.1.7?
Attachment #278301 - Flags: approval1.8.0.14?
Checked in, with testcases.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Simon says IE, Opera and Safari are also affected
Comment on attachment 278301 [details] [diff] [review]
addressed review comments

approved for 1.8.1.7 and 1.8.0.14, a=dveditz for release-drivers
Attachment #278301 - Flags: approval1.8.1.7?
Attachment #278301 - Flags: approval1.8.1.7+
Attachment #278301 - Flags: approval1.8.0.14?
Attachment #278301 - Flags: approval1.8.0.14+
Keywords: fixed1.8.1.8verified1.8.1.8
Whiteboard: [sg:moderate] longtest, need sr=dveditz → [sg:moderate] longtest
Microsoft and Opera both asked for us to delay disclosure of this flaw while they address it, both have releases early-to-mid December coming up so tentatively that's when we can announce this (along with FF2009 perhaps).
Whiteboard: [sg:moderate] longtest → [sg:moderate] embargo until Dec 2007 (comment 16), longtest
I re-pinged Apple for a status update (so far I've only gotten the initial "The issue is being investigated" reply). Kohei suggested I post their tracking number here.

> Please include the line below in follow-up emails for this request.
> Follow-up:  34991641
Why ISO-2022-JP decoder fails if it encounters a empty sequence?
Some Japanese mail subjects are *completely* garbled even if the empty sequence is at end of the subject.
Other encoders seem to fallback to U+FFFD. Why ONLY the Japanese encoder fails?
Attached file Testcase using ESC ( J 
Moreover, the fix is incomplete.
I could cause XSS attack against Firefox 2.0.0.9 using empty sequences.
Attached patch Patch (obsolete) — Splinter Review 
This will fix both problems.
Assignee: smontagu → VYV03354
Status: RESOLVED → ASSIGNED
Attachment #289168 - Flags: superreview?(dveditz)
Attachment #289168 - Flags: review?(smontagu)
Attachment #289168 - Flags: approval1.9?
Attachment #289168 - Flags: approval1.8.1.11?
Attachment #289168 - Flags: approval1.8.1.10?
Attachment #289168 - Flags: approval1.8.0.14?
Resolution: FIXED → ---
Keywords: fixed1.8.0.14, verified1.8.1.8
Flags: blocking1.8.1.10?
Comment on attachment 289168 [details] [diff] [review]
Patch

Could you add an automated testcase to this patch, so this problem doesn't accidentally reappear in the future?
Attached file automated test (obsolete) — 
Flags: blocking1.8.1.11?

    
    

    
  
Comment on attachment 289168 [details] [diff] [review]
Patch

Clearing the approval1.9 flag because reviews are not complete.  once you get code review please re-nominate

        Attachment #289168 -
        Flags: approval1.9?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch incorporated into a test (obsolete)
        — Splinter Review
      

    


  

        Attachment #289168 -
        Attachment is obsolete: true

        Attachment #289188 -
        Attachment is obsolete: true

        Attachment #290136 -
        Flags: review?(smontagu)

        Attachment #289168 -
        Flags: superreview?(dveditz)

        Attachment #289168 -
        Flags: review?(smontagu)

        Attachment #289168 -
        Flags: approval1.8.1.11?

        Attachment #289168 -
        Flags: approval1.8.1.10?

        Attachment #289168 -
        Flags: approval1.8.0.14?

    
    

    
  
Fx 2.0.0.10 released
Flags: blocking1.8.1.10?

    
    

    
  
Comment on attachment 290136 [details] [diff] [review]
patch incorporated into a test

>             } else if ('J' == *src)  {
>               mState = mState_JISX0201_1976Roman;
>+              if (mRunLength == 0) {
>+                if((dest+1) >= destEnd)
>+                  goto error1;
>+                *dest++ = 0xFFFD;
>+              }

This is going to put in U+FFFD whenever we shift from ASCII to JIS-X Roman, no? That seems wrong to me. Maybe the condition should be
  if (mRunLength == 0 && mLastLegalState != mState_ASCII)
?

>             } else {
>               // XXX We need to  decide how to handle \ and ~ here
>               // we may need a if statement here for '\' and '~' 
>               // to map them to Yen and Overbar
>               *dest++ = (PRUnichar) *src;
>-              ++mRunLength;

And removing this line is going to cause U+FFFD whenever we shift back from JIS-X Roman to ASCII

        Attachment #290136 -
        Flags: review?(smontagu) → review-

    
    

    
  
Some Thunderbird users, including myself, have confirmed the garbled message subjects since 2.0.0.9.
Keywords: jp-critical

    
    

    
  
(In reply to comment #26)
> (From update of attachment 290136 [details] [diff] [review])
> This is going to put in U+FFFD whenever we shift from ASCII to JIS-X Roman, no?
> That seems wrong to me. Maybe the condition should be
>   if (mRunLength == 0 && mLastLegalState != mState_ASCII)
> ?
I know it's technically wrong, but we have no choice to avoid XSS with sequnces such as "<" ESC "(" "J" "script".

> And removing this line is going to cause U+FFFD whenever we shift back from
> JIS-X Roman to ASCII
Ditto. it's required to avoid XSS with sequences such as ESC "(" "J" "<" ESC "(" "B" "script".

And of course, we need to avoid "JIS-X Roman to JIS-X Roman" sequences.
Do you have a good idea to prevent these attacks?

    
    

    
  
Microsoft found regressions in their patch and won't be releasing their fix until February. Please embargo until at least then.
Whiteboard: [sg:moderate] embargo until Dec 2007 (comment 16), longtest → [sg:moderate] embargo until Feb 2008 (comment 29), longtest
Flags: blocking1.8.0.14? → blocking1.8.0.15?

    
    

    
  
Comment on attachment 278301 [details] [diff] [review]
addressed review comments

Minusing this patch for the 1.8.0 branch due to Thunderbird regressions.

        Attachment #278301 -
        Flags: approval1.8.0.14+ → approval1.8.0.14-

    
    

    
  


  
I removed a testcase because this version will FAIL the test.

        Attachment #290136 -
        Attachment is obsolete: true

        Attachment #291406 -
        Flags: review?(smontagu)

    
    

    
  

      
      
      
      

        Attached file
          
        new manual testcase
      

    


  
New patch is vulnerable to this test.
I'll file a followup bug about this problem when this bug is resolved again.

    
    

    
  
I'm sorry, I need more time to think about "the right thing" to do here. We should certainly fix the Thunderbird regression, but I'm not sure what to about the vulnerabilities with ASCII to JIS-X Roman sequences. Unlike the sequences that my original patch was designed to prevent, these sequences are completely legal ISO-2022-JP

    
    

    
  
(In reply to comment #33)
Your patch refuses ASCII to ASCII sequences that are also completely valid per BNF defined in RFC 1468.
There is no point to allow switching between JIS Roman and ASCII.
BTW, my new patch will fix only the Thunderbird regression which is urgent for Japanese users. So I proposed filing a new bug to consider about remaining problem.
Another BTW, bug 406777 may become a solution.

    
    

    
  
Comment on attachment 291406 [details] [diff] [review]
resolved review comment

OK, that's fair enough. r=smontagu

        Attachment #291406 -
        Flags: superreview?(dveditz)

        Attachment #291406 -
        Flags: review?(smontagu)

        Attachment #291406 -
        Flags: review+
Depends on: 407161

    
    

    
  
Covering the regression in this bug obscures the fact that real problems were fixed in previous releases, including charsets that do not appear to suffer from this regression. I filed bug 407161 to cover the regression and to track landing the patch we're reviewing in this bug (future patches, if necessary, should go in the regression bug).

(In reply to comment #32)
> New patch is vulnerable to this test.
> I'll file a followup bug about this problem when this bug is resolved again.

If it's not going to be handled along with this patch (now bug 407161) go ahead and file the new bug now and make it block 407161. And I guess in that case remove the 'XSS variant' bit from the bug 407161 title

Status: ASSIGNED → RESOLVED
Closed: 17 years ago17 years ago
Keywords: verified1.8.1.8
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 291406 [details] [diff] [review]
resolved review comment

sr=dveditz

        Attachment #291406 -
        Flags: superreview?(dveditz)

        Attachment #291406 -
        Flags: superreview+

        Attachment #291406 -
        Flags: approval1.8.1.12?

        Attachment #291406 -
        Flags: approval1.9?

    
    

    
  
Comment on attachment 291406 [details] [diff] [review]
resolved review comment

copied patch into regression bug for purposes of approval, not sure it'll get found correctly here (see "Dan misses follow-up patch and causes FF2.0.0.11" debacle).

        Attachment #291406 -
        Flags: approval1.9?

        Attachment #291406 -
        Flags: approval1.8.1.12?
Flags: blocking1.8.1.12?
Flags: blocking1.8.0.15? → blocking1.8.0.15+

    
    

    
  
Any updates from other vendors?

    
    

    
  
(In reply to comment #39)
> Any updates from other vendors?
Before that, did we prepare to make the vulnerability public?
The issue I mentioned in comment #28 is not fixed yet.
Is it appropriate to filter out completely valid sequences?
Group: security
Depends on: 449578

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: