Bug 468581 - (CVE-2009-0354) XSS using a chrome XBL method and window.eval
[sg:high] post 1.8-branch
: verified1.9.0.6, verified1.9.1
Product: Core
Classification: Components
Component: Security
: unspecified
: x86 Windows XP
P1 normal
: mozilla1.9.1b3
Assigned To: Blake Kaplan (:mrbkap)
: David Keeler [:keeler]
Depends on:
Reported: 2008-12-09 01:02 PST by moz_bug_r_a4
Modified: 2009-05-26 14:03 PDT
10 users
jst: blocking1.9.1+
dveditz: blocking1.9.0.6+
dveditz: wanted1.9.0.x+
dveditz: wanted1.8.1.x-
asac: wanted1.8.0.x-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Fix (953 bytes, patch)
2008-12-10 15:39 PST, Blake Kaplan (:mrbkap)
brendan: review+
dveditz: approval1.9.0.6+

Description moz_bug_r_a4 2008-12-09 01:02:06 PST

            if (obj != callerScopeChain) {
                ok = js_CheckPrincipalsAccess(cx, obj,
                                              caller->script->principals,
                                              cx->runtime->atomState.evalAtom);
                if (!ok)
                    goto out;

                scopeobj = js_NewWithObject(cx, obj, callerScopeChain, -1);

caller->script->principals can be the wrong principal when caller is a cloned
function.  And, when obj_eval is called via XPC_XOW_FunctionWrapper, |obj| is a
window object not wrapped in XOW.  Thus, by using a chrome XBL method and
window.eval, it's possible to access properties of a cross-origin window.

fx2 is not vulnerable since fx2 has the security checks for the window object. 
(By using a chrome XBL method, it's possible to execute eval() with a
cross-origin window, but it's not possible to access properties of the
cross-origin window.)
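The principal confusion the report describes, as an added illustration that is not Mozilla code and not the patch attached to this bug (the patch itself is not shown on this page): a small Python model in which a check reads the subject principal from a cloned function's script, the way the quoted snippet reads caller->script->principals, and so lets a chrome-authored method cloned into a content window pass a cross-origin check. The second check in the model, which takes the principal of the scope the function actually runs in, is the model's own alternative, not a claim about what the real fix did. All names (Principal, Script, Function, Window, the two check functions) are hypothetical.

```python
"""Simplified model of a principal check keyed on the wrong identity.

Added illustration, not Mozilla code. The class/function names are
hypothetical; the behaviour mirrors the bug description: a cloned
function keeps its script's principals, so a check that trusts
caller->script->principals can answer for the wrong subject.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    origin: str  # e.g. "https://a.example", or "system" for chrome

    def subsumes(self, other: "Principal") -> bool:
        # The system (chrome) principal may access anything; a content
        # principal may only access its own origin.
        return self.origin == "system" or self.origin == other.origin


@dataclass
class Script:
    principals: Principal  # principal the script source was compiled with


@dataclass
class Window:
    principal: Principal


@dataclass
class Function:
    script: Script   # shared by every clone of the function
    scope: Window    # the window this particular function object runs in

    def clone_into(self, scope: Window) -> "Function":
        # Cloning keeps the script (and its principals) but changes scope,
        # which is the situation the report describes for XBL methods.
        return Function(self.script, scope)


def check_by_script_principals(caller: Function, target: Window) -> bool:
    # Model of the quoted check: subject = caller->script->principals.
    return caller.script.principals.subsumes(target.principal)


def check_by_scope_principal(caller: Function, target: Window) -> bool:
    # Model alternative: subject = principal of the scope the caller runs in.
    return caller.scope.principal.subsumes(target.principal)


def demo() -> dict:
    # Constructed sample scenario.
    chrome = Window(Principal("system"))
    content_a = Window(Principal("https://a.example"))
    content_b = Window(Principal("https://b.example"))

    # A chrome-authored method whose script carries the system principal...
    chrome_method = Function(Script(Principal("system")), chrome)
    # ...cloned into a content window, as a bound XBL method would be.
    cloned = chrome_method.clone_into(content_a)

    return {
        # The script-principal check lets content_a reach content_b.
        "script_principals_allows_cross_origin":
            check_by_script_principals(cloned, content_b),
        # The scope-principal check treats the clone as content_a.
        "scope_principal_allows_cross_origin":
            check_by_scope_principal(cloned, content_b),
        "scope_principal_allows_same_origin":
            check_by_scope_principal(cloned, content_a),
        # Genuine chrome scope still passes either check.
        "chrome_scope_allows_cross_origin":
            check_by_scope_principal(chrome_method, content_b),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point of the model is which object supplies the subject principal: anything copied along with a cloned function (its script) describes where the code came from, not on whose behalf it is currently running, so a security check must derive the subject from the effective calling context instead.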
Comment 2 Blake Kaplan (:mrbkap) 2008-12-09 01:04:16 PST
This is all me. I hate eval.
Comment 3 Daniel Veditz [:dveditz] 2008-12-09 11:29:14 PST
"high" impact for now, but should we find yet another way to load a chrome-privileged frame this would be rated "critical".
Comment 4 Blake Kaplan (:mrbkap) 2008-12-10 15:39:52 PST
Created attachment 352425 [details] [diff] [review]

A while ago, I went through all uses of '>principals' in JS to vet for this. I'm not sure how this slipped through the net.
Comment 5 Blake Kaplan (:mrbkap) 2008-12-19 15:56:35 PST
Comment 6 Samuel Sidler (old account; do not CC) 2009-01-05 07:56:16 PST
Blake, this still needs to land in 1.9.1, right? And does this patch apply to 1.9.0?
Comment 7 Blake Kaplan (:mrbkap) 2009-01-06 14:14:58 PST
Comment on attachment 352425 [details] [diff] [review]

This patch applies to the 1.9.0 branch as-is.
Comment 8 Daniel Veditz [:dveditz] 2009-01-07 15:07:26 PST
Comment on attachment 352425 [details] [diff] [review]

Approved for, a=dveditz for release-drivers.
Comment 9 Blake Kaplan (:mrbkap) 2009-01-07 23:18:50 PST
Fixed on the 1.9.0 branch.
Comment 10 Alexander Sack 2009-01-12 03:42:05 PST
not for 1.8.0 branch either.
Comment 11 Al Billings [:abillings] 2009-01-13 17:47:34 PST
Verified fixed for with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/2009011304 GranParadiso/3.0.6pre.
Comment 12 Blake Kaplan (:mrbkap) 2009-01-25 21:02:51 PST
Comment 13 Al Billings [:abillings] 2009-05-26 14:03:13 PDT
Verified fixed for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090526 Shiretoko/3.5pre.