Closed
Bug 407289
Opened 17 years ago
Closed 17 years ago
XPCNativeWrapper calls untrusted functions during construction
Categories
(Core :: XPConnect, defect, P2)
Core
XPConnect
Tracking
()
VERIFIED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details
(Keywords: verified1.8.1.12, Whiteboard: [sg:critical])
Attachments
(1 file, 1 obsolete file)
1.39 KB,
patch
|
jst
:
review+
brendan
:
superreview+
|
Details | Diff | Splinter Review |
The fix for bug 399298 can be circumvented, since a getter for .prototype can be called in js_GetClassPrototype.
Updated•17 years ago
|
Assignee: dveditz → nobody
Component: Security → XPConnect
Flags: blocking1.9?
Flags: blocking1.8.1.12?
OS: Windows XP → All
QA Contact: toolkit → xpconnect
Hardware: PC → All
Whiteboard: [sg:critical]
Reporter | ||
Comment 1•17 years ago
|
||
This uses bug 344495's trick. This works on trunk, fx2.0.0.x, fx1.5.0.x, sm-trunk, sm1.1.x and sm1.0.x.
Assignee | ||
Comment 2•17 years ago
|
||
This is slightly different than bug 399298. In that bug XPCNativeWrappers had an evil prototype. In this bug, we're actually calling untrusted functions (in this case via a getter) from a trusted context. I think I know how to fix this, but it's going to be a few days before I'll get a chance to code it up.
Assignee: nobody → mrbkap
Summary: The fix for bug 399298 can be circumvented by using .prototype getter → XPCNativeWrapper calls untrusted functions during construction
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Assignee | ||
Comment 3•17 years ago
|
||
So, the problem is that we're still looking for XPCNativeWrapper in our parent's scope and getting properties off of the return value. Since those properties can have getters, this runs arbitrary code and we're vulnerable to bug 344495 style attacks. This patch makes us use the context's global object or currently running stack frame to find the XPCNativeWrapper prototype. I *think* this should be safe because we try to only run trusted code on trusted contexts. We fix up the parent to be what it should be after the fact, so this shouldn't break any trust contracts.
Attachment #293170 -
Flags: superreview?(brendan)
Attachment #293170 -
Flags: review?(jst)
Assignee | ||
Comment 4•17 years ago
|
||
Sorry, that last patch was missing a ::JS_SetParent.
Attachment #293170 -
Attachment is obsolete: true
Attachment #293171 -
Flags: superreview?(brendan)
Attachment #293171 -
Flags: review?(jst)
Attachment #293170 -
Flags: superreview?(brendan)
Attachment #293170 -
Flags: review?(jst)
Comment 5•17 years ago
|
||
Comment on attachment 293171 [details] [diff] [review] Right patch JS_NewObject API considered harmful, eh? If you can phrase it crisply and propose a better API, please do file a bug on that. Thanks, /be
Attachment #293171 -
Flags: superreview?(brendan) → superreview+
Updated•17 years ago
|
Attachment #293171 -
Flags: review?(jst) → review+
Assignee | ||
Comment 6•17 years ago
|
||
Fix checked into trunk. I filed bug 408871 on the JS_NewObject pain.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: in-testsuite?
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Assignee | ||
Comment 7•17 years ago
|
||
Fixed on the 1.8 branch as part of the patch in bug 399298.
Keywords: fixed1.8.1.12
Comment 8•17 years ago
|
||
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12 with attached testcase. No issues and the case reproduces cleanly in 2.0.0.11. I also verified it in trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2008012804 Minefield/3.0b3pre.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•17 years ago
|
Status: RESOLVED → VERIFIED
Updated•16 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•