Closed
Bug 386695
Opened 17 years ago
Closed 17 years ago
PAC privilege escalation using exception objects came from outside of sandbox
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Keywords: fixed1.8.0.15, fixed1.8.1.12, Whiteboard: [sg:moderate] critical when PAC is used, testcase reveals 344495)
Attachments
(1 file)
1.14 KB,
patch
|
jst
:
review+
jst
:
superreview+
dveditz
:
approval1.8.1.12+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
When FindProxyForURL() is being called, exception objects are created in a
context that is trying to load a url.
function FindProxyForURL(url, host) {
try { new XPCNativeWrapper(); } // or Components.lookupMethod(), etc.
catch (e) { x = e; }
}
x is an exception object came from a web page, chrome (browser.xul), or the
safe context (hidden window).
An object that has the system principal or the hidden window's principal can be
used to defeat the XPCSafeJSObjectWrapper in proxyAlert() and dnsResolve().
(Actual exploit code relies on other security bugs.)
Reporter | ||
Comment 1•17 years ago
|
||
Reporter | ||
Comment 2•17 years ago
|
||
Would bug 386635 fix this?
Assignee | ||
Comment 3•17 years ago
|
||
Without trying it, I suspect that bug 386635 will fix this -- but that's based on seeing that this exploit depends on the toString hack (covered by bug 372075). That said, this is a hole in the sandbox that we should plug, and the hole is that we associate JSContexts with principals. The bug (I believe) is here:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/xpconnect/src/xpcthrower.cpp&rev=1.28&root=/cvsroot&mark=273-274#265
Since the context is PAC context here, we'll gladly get the global chrome window and use its constructor for the exception object. IMO, we should be calling JS_GetScopeChain (or a non-mutating version thereof).
Assignee | ||
Comment 4•17 years ago
|
||
I'm not sure if this actually fixes the bug -- this is in a tree with a patch for bug 386635. It seems like we're (correctly, I think) throwing the error much earlier, but I'm going to hold off on asking for reviews until I have a chance to test more.
Assignee: dveditz → mrbkap
Status: NEW → ASSIGNED
Assignee | ||
Comment 5•17 years ago
|
||
One potential problem with the patch is that we'll now throw an exception if we use XPCThrower with no JS on the stack. I'm not sure if that's a problem or not, though.
Comment 6•17 years ago
|
||
So trying to use the JSAPI from C, say, on XPCWrappedNative options, could lead to that?
I guess it'll be an exception while trying to throw an exception, so not too terrible, perhaps...
Assignee | ||
Comment 7•17 years ago
|
||
(In reply to comment #6)
> So trying to use the JSAPI from C, say, on XPCWrappedNative options, could lead
> to that?
Yeah. If it turns out to be a problem, it's pretty easy to use JS_FrameIterator to avoid the problem and fall back on the current behavior.
Assignee | ||
Comment 8•17 years ago
|
||
Comment on attachment 271164 [details] [diff] [review]
Potential fix
Yeah, this works the way I was hoping.
Attachment #271164 -
Flags: superreview?(jst)
Attachment #271164 -
Flags: review?(jst)
Updated•17 years ago
|
Attachment #271164 -
Flags: superreview?(jst)
Attachment #271164 -
Flags: superreview+
Attachment #271164 -
Flags: review?(jst)
Attachment #271164 -
Flags: review+
Assignee | ||
Comment 9•17 years ago
|
||
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 10•17 years ago
|
||
I backed this out -- JS_GetScopeChain is asserting.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 12•17 years ago
|
||
I checked this patch back in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:moderate] critical when PAC is used
Updated•17 years ago
|
Flags: in-testsuite?
Updated•17 years ago
|
Flags: blocking1.8.1.12?
Comment 13•17 years ago
|
||
I think mrbkap said this one was good to go on the branch (no XOW dependency). Please correct if not true.
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Assignee | ||
Comment 14•17 years ago
|
||
Comment on attachment 271164 [details] [diff] [review]
Potential fix
This patch applies to the 1.8 branch as-is.
Attachment #271164 -
Flags: approval1.8.1.12?
Comment 15•17 years ago
|
||
Comment on attachment 271164 [details] [diff] [review]
Potential fix
approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #271164 -
Flags: approval1.8.1.12? → approval1.8.1.12+
Reporter | ||
Comment 17•17 years ago
|
||
I forgot to mention that the testcase in comment #1 uses bug 344495's trick.
Updated•17 years ago
|
Depends on: 344495
Whiteboard: [sg:moderate] critical when PAC is used → [sg:moderate] critical when PAC is used, testcase reveals 344495
Updated•17 years ago
|
Group: security
Comment 18•17 years ago
|
||
Comment on attachment 271164 [details] [diff] [review]
Potential fix
a=asac for 1.8.0.15
(unmodified distro patch)
Attachment #271164 -
Flags: approval1.8.0.15+
Comment 19•17 years ago
|
||
MOZILLA_1_8_0_BRANCH:
Checking in js/src/xpconnect/src/xpcthrower.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/xpcthrower.cpp,v <-- xpcthrower.cpp
new revision: 1.25.36.1; previous revision: 1.25
done
Keywords: fixed1.8.0.15
You need to log in
before you can comment on or make changes to this bug.
Description
•