Bug 424733 - (CVE-2008-5023) [FIX] CSS -moz-binding property bypasses security checks on codebase principals
Status: RESOLVED FIXED
Whiteboard: [sg:high]
Keywords: verified1.8.1.18, verified1.9.0.4
Product: Core
Classification: Components
Component: Security: CAPS
Version: unspecified
Platform: All All
Importance: P1 normal
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz] (still a bit busy)
QA Contact: Selena Deckelmann :selenamarie :selena use ni?
URL: http://crypto.stanford.edu/~collinj/r...
Depends on: 424488 472648
Reported: 2008-03-23 21:39 PDT by Collin Jackson
Modified: 2009-01-08 13:42 PST
Flags:
jst: blocking1.9.1-
mtschrep: blocking1.9-
samuel.sidler+old: blocking1.9.0.2-
samuel.sidler+old: blocking1.9.0.4+
jonas: wanted1.9.0.x+
samuel.sidler+old: blocking1.8.1.17-
samuel.sidler+old: blocking1.8.1.18+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next?

Attachments
Turned out to be easier than I thought (1.11 KB, patch)
2008-08-25 12:51 PDT, Boris Zbarsky [:bz] (still a bit busy)
jonas: review+
jonas: superreview+
dveditz: approval1.9.0.4+

1.8 branch version (1.48 KB, patch)
2008-10-17 18:16 PDT, Boris Zbarsky [:bz] (still a bit busy)
dveditz: approval1.8.1.18+

Description Collin Jackson 2008-03-23 21:39:41 PDT
Following up on comment 9 on bug 424426 <https://bugzilla.mozilla.org/show_bug.cgi?id=424426#c9>, we did some testing and it appears that stylesheets don't invoke downgrading/blocking rules for codebase principals.

If a signed JAR includes <link rel="stylesheet" href="some_relative_path.css"> anywhere inside it, a malicious web site can replace the stylesheet using the JAR-switching technique originally described in comment #1 on bug 424426 <https://bugzilla.mozilla.org/show_bug.cgi?id=418996#c1>. The malicious stylesheet can then use the -moz-binding property to inject script into the page and hijack the signer's privileges.

The proof of concept is the "CSS" test case at <http://crypto.stanford.edu/~collinj/research/signed-scripts/more-relative-paths.html>.

It is likely that Flash and Java have similar problems.
Comment 1 Boris Zbarsky [:bz] (still a bit busy) 2008-03-23 22:02:33 PDT
ccing some more folks who might have bright ideas. I really need to focus on thesis...

As an aside, "bug X comment Y" will get properly linkified to point to that comment by Bugzilla.
Comment 2 Mike Schroepfer 2008-03-25 12:06:11 PDT
DVeditz can you take this one?
Comment 3 Mike Schroepfer 2008-04-08 20:42:58 PDT
DVeditz (over email) indicated that we could take this on a dot release since the attack surface is somewhat limited and we are out of time. If I've misrepresented or anyone otherwise disagrees please do re-nom.
Comment 4 Jonas Sicking (:sicking) No longer reading bugmail consistently 2008-04-09 13:30:16 PDT
So what are we actually planning on doing here? Simply downgrade the principal when a signed jar links to an unsigned stylesheet? The downgrade resulting in removed urlbar indicator and removed lock icon. And removed ability to request elevated privileges?
Comment 5 Adam Barth 2008-04-09 13:33:13 PDT
Downgrading the principal doesn't really work; see Bug 424426.  We should probably do the same thing we do for scripts: block loading the resource if it has a different codebase principal.
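The check Adam suggests above, as a constructed Python model added here (not Gecko's code, and not its real principal logic): derive a codebase key from a URI, resolve the -moz-binding reference against the stylesheet that carries it, and allow the XBL load only when the binding's codebase matches the signed document's. The jar: URI handling and the form of the principal key are simplifying assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed model of a codebase-principal check for XBL bindings pulled in
# through CSS -moz-binding. Not Gecko's code: the jar: handling and the
# principal key below are simplifying assumptions for illustration.


def resolve(base: str, ref: str) -> str:
    """Resolve ref against base, staying inside the archive for jar: bases."""
    if base.startswith("jar:") and "!/" in base:
        container, entry = base[4:].split("!/", 1)
        if urlsplit(ref).scheme:  # absolute reference leaves the archive
            return ref
        joined = urljoin("/" + entry, ref)  # relative to the entry path
        return "jar:" + container + "!/" + joined.lstrip("/")
    return urljoin(base, ref)


def codebase(uri: str) -> str:
    """Codebase key: origin plus archive path for jar: URIs (two archives are
    two different codebases), plain origin otherwise."""
    if uri.startswith("jar:") and "!/" in uri:
        p = urlsplit(uri[4:].split("!/", 1)[0])
        return f"{p.scheme}://{p.netloc}{p.path}"
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}"


def allow_binding_load(document_uri: str, stylesheet_uri: str, binding_ref: str):
    """Return (allowed, resolved_binding_uri). The binding may load only when
    its codebase equals the document's, so a stylesheet swapped in from another
    archive or host cannot inject XBL (and script) into the signed page."""
    binding_uri = resolve(stylesheet_uri, binding_ref)
    return codebase(binding_uri) == codebase(document_uri), binding_uri


if __name__ == "__main__":
    signed_doc = "jar:https://signer.example/app.jar!/page.html"  # constructed
    cases = [
        ("jar:https://signer.example/app.jar!/theme.css", "widgets.xml#btn"),
        ("jar:https://attacker.example/evil.jar!/theme.css", "inject.xml#run"),
        ("jar:https://signer.example/app.jar!/theme.css", "https://attacker.example/b.xml#x"),
    ]
    for sheet, ref in cases:
        ok, uri = allow_binding_load(signed_doc, sheet, ref)
        print("ALLOW" if ok else "BLOCK", uri)
```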
Comment 6 Samuel Sidler (old account; do not CC) 2008-08-11 11:44:46 PDT
Boris, can you take a look at this?
Comment 7 Samuel Sidler (old account; do not CC) 2008-08-14 16:11:19 PDT
This should block 1.9.0.2 but it doesn't look like any progress has been made so it'll probably get pushed...
Comment 8 Samuel Sidler (old account; do not CC) 2008-08-21 22:03:08 PDT
Pushing this out since it's unlikely to make it, per bz.
Comment 9 Boris Zbarsky [:bz] (still a bit busy) 2008-08-25 12:51:35 PDT
Created attachment 335410
Turned out to be easier than I thought
Comment 10 Jonas Sicking (:sicking) No longer reading bugmail consistently 2008-09-10 23:56:32 PDT
Wouldn't it be better to block loading of XBL entirely instead if the page is signed? The AllowScripts thing is mostly there as a leftover from when we tried to stop scripts in skins and ideally should be removed.
Comment 11 Boris Zbarsky [:bz] (still a bit busy) 2008-09-11 07:38:20 PDT
You mean if the page is signed and the XBL is not?  I think we want to allow loading XBL from the same jar.... the problem is that we don't know at load start time whether it's signed, no?

We use AllowScripts to enforce the "JS enabled" preference for untrusted XBL, so I doubt it's going away any time soon...
Comment 12 Johnny Stenback (:jst, jst@mozilla.com) 2008-09-24 16:30:10 PDT
On second thought, not blocking on this.
Comment 13 Daniel Veditz [:dveditz] 2008-10-16 16:50:06 PDT
Jonas: were you waiting for a new patch or is Boris's answer OK?
Comment 14 Jonas Sicking (:sicking) No longer reading bugmail consistently 2008-10-17 15:57:38 PDT
Comment on attachment 335410
Turned out to be easier than I thought

Ok, given that it's this simple.
Comment 15 Boris Zbarsky [:bz] (still a bit busy) 2008-10-17 18:15:28 PDT
Pushed changeset 7fb158704fe9.
Comment 16 Boris Zbarsky [:bz] (still a bit busy) 2008-10-17 18:15:51 PDT
Comment on attachment 335410
Turned out to be easier than I thought

This applies as-is to the 1.9 branch.
Comment 17 Boris Zbarsky [:bz] (still a bit busy) 2008-10-17 18:16:07 PDT
Created attachment 343670
1.8 branch version
Comment 18 Daniel Veditz [:dveditz] 2008-10-20 11:27:04 PDT
Comment on attachment 335410
Turned out to be easier than I thought

Approved for 1.9.0.4, a=dveditz for release-drivers
Comment 19 Daniel Veditz [:dveditz] 2008-10-20 11:27:17 PDT
Comment on attachment 343670
1.8 branch version

Approved for 1.8.1.18, a=dveditz for release-drivers
Comment 20 Boris Zbarsky [:bz] (still a bit busy) 2008-10-21 13:26:25 PDT
Fixed on both branches.
Comment 21 Al Billings [:abillings] 2008-10-21 14:46:27 PDT
Is there a good way to verify this fix?
Comment 22 Boris Zbarsky [:bz] (still a bit busy) 2008-10-21 18:13:34 PDT
Following the directions in comment 0 and the site linked from it?
Comment 23 Al Billings [:abillings] 2008-10-22 12:22:04 PDT
Doh.

Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102204 GranParadiso/3.0.4pre using the testcase on the site

Verified for 1.8.1.18 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.18pre) Gecko/2008102203 BonEcho/2.0.0.18pre.