IETab exposes its entire API to web pages

Status: RESOLVED FIXED
10 years ago
3 years ago

People

(Reporter: gaubugzilla, Unassigned)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
Created attachment 360695 [details]
PoC exploit

In the file content/ietabOverlay.js, there is a method assignJSObject:

   if (contentDocument && contentDocument.getElementById('IETab')) {
      var ietab = contentDocument.getElementById('IETab');
      if (ietab.wrappedJSObject) ietab = ietab.wrappedJSObject;
      ietab.requestTarget = gIeTab;
   }

This is meant to be used only by the extension's own chrome document that acts as a wrapper for the IE plugin. However, any web page containing an element with ID "IETab" will get access to the gIeTab object as well. Proof-of-concept exploit attached: install IE Tab 1.5.20081203 and open the exploit page; it will open http://google.com/ in an Internet Explorer tab using the addIeTab() method (a nice way to exploit Internet Explorer bugs from Firefox). This API was never meant to be called by untrusted code, so I am sure that there are many other ways to abuse it as well (e.g. addBookmarkMenuitem() can probably be used to run JavaScript code in chrome context, and the goDoCommand() method also looks very promising).

Comment 1

10 years ago
The developer has been emailed.

Comment 2

10 years ago
Hello Wladimir,

I've changed the code on assignJSObject() to fix this security problem:

if (aDoc instanceof HTMLDocument) {
   var aBrowser = getBrowser().getBrowserForDocument(aDoc);
   if (aBrowser && aBrowser.currentURI && aBrowser.currentURI.spec.indexOf(gIeTabChromeStr) == 0) {
      if (aDoc && aDoc.getElementById('IETab')) {
         var ietab = aDoc.getElementById('IETab');
         if (ietab.wrappedJSObject) ietab = ietab.wrappedJSObject;
         ietab.requestTarget = gIeTab;
      }
   }
}

Dear Rey,
The new version has been uploaded to AMO, please help to review it.

Thank you.
(Reporter)

Comment 3

10 years ago
I checked version 1.5.20090207, that issue seems to be fixed (both instances of it). IE Tab will now only accept the page as "its own" if the URL matches.
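The following is an added, stand-alone model of the bug from the description and of the fix from comment 2, written for this page rather than taken from IE Tab itself. It runs under Node and replaces the real DOM, XPCNativeWrapper and <browser> objects with small stand-ins (makeElement, makeDocument, makeBrowser are assumed helpers, and the chrome URL prefix assigned to gIeTabChromeStr is an assumption, since the page never states its value). The vulnerable check trusts an attacker-controlled signal, the presence of an element with id "IETab"; the fixed check also requires the hosting browser's URL to start with the extension's own chrome prefix, which page content cannot influence.

```javascript
// Added example, not IE Tab's own code: models the privileged gIeTab object
// leaking to any page that contains <div id="IETab">, and the URL-prefix
// check that closes the hole. Helper names and the chrome prefix are assumptions.

// The privileged API that was never meant to reach web content. Only addIeTab()
// is modelled; it records which URLs a caller asked Internet Explorer to open.
const gIeTab = {
  opened: [],
  addIeTab(url) { this.opened.push(url); return this.opened.length; },
};

// Assumed chrome URL prefix of the extension's own wrapper page.
const gIeTabChromeStr = 'chrome://ietab/content/';

// Minimal model of XPCNativeWrapper: chrome code holds the wrapper, page script
// holds wrapper.wrappedJSObject. Anything chrome writes onto the wrapped object
// becomes readable and callable by the page's own script.
function makeElement(id) {
  const pageObject = { id };                    // what page script sees
  return { id, wrappedJSObject: pageObject };   // what chrome sees
}

function makeDocument(uri, elementIds) {
  const byId = new Map(elementIds.map((id) => [id, makeElement(id)]));
  return { uri, getElementById: (id) => byId.get(id) || null };
}

// The <browser> hosting the document; currentURI.spec is the URL it loaded.
function makeBrowser(doc) {
  return { currentURI: { spec: doc.uri }, contentDocument: doc };
}

// Vulnerable form (description): trust is decided only by element presence.
function assignJSObjectVulnerable(contentDocument) {
  if (contentDocument && contentDocument.getElementById('IETab')) {
    let ietab = contentDocument.getElementById('IETab');
    if (ietab.wrappedJSObject) ietab = ietab.wrappedJSObject;
    ietab.requestTarget = gIeTab;
    return true;
  }
  return false;
}

// Fixed form (comment 2): the hosting browser must be on the extension's own
// chrome URL. The original's `instanceof HTMLDocument` guard is omitted here
// because Node has no HTMLDocument.
function assignJSObjectFixed(aDoc, aBrowser) {
  if (aBrowser && aBrowser.currentURI && aBrowser.currentURI.spec.indexOf(gIeTabChromeStr) == 0) {
    if (aDoc && aDoc.getElementById('IETab')) {
      let ietab = aDoc.getElementById('IETab');
      if (ietab.wrappedJSObject) ietab = ietab.wrappedJSObject;
      ietab.requestTarget = gIeTab;
      return true;
    }
  }
  return false;
}

// What the page's own script does afterwards: if the privileged object was
// leaked onto its element, call the API (the PoC's addIeTab('http://google.com/')).
function pageScriptTriesExploit(doc, target) {
  const el = doc.getElementById('IETab').wrappedJSObject;
  if (el.requestTarget && typeof el.requestTarget.addIeTab === 'function') {
    el.requestTarget.addIeTab(target);
    return true;
  }
  return false;
}

// Runs an attacker page and the extension's own wrapper page through either
// assignJSObject variant and reports who got hold of gIeTab. Constructed input.
function runScenario(fixed) {
  gIeTab.opened.length = 0;
  const attacker = makeDocument('http://attacker.example/poc.html', ['IETab']);
  const trusted = makeDocument(gIeTabChromeStr + 'reloaded.html', ['IETab']);
  const results = {};
  for (const [name, doc] of [['attacker', attacker], ['trusted', trusted]]) {
    const browser = makeBrowser(doc);
    const assigned = fixed ? assignJSObjectFixed(doc, browser) : assignJSObjectVulnerable(doc);
    const exploited = pageScriptTriesExploit(doc, 'http://google.com/');
    results[name] = { assigned, exploited };
  }
  results.opened = gIeTab.opened.slice();
  return results;
}

console.log('vulnerable:', JSON.stringify(runScenario(false)));
console.log('fixed:     ', JSON.stringify(runScenario(true)));
```

With the vulnerable variant both documents receive gIeTab and the attacker page opens http://google.com/ in IE; with the fixed variant only the chrome wrapper page gets it. The design point is that the element id is chosen by whoever wrote the page, while the <browser>'s currentURI is set by whoever loaded it, so only the latter can serve as the trust signal for handing a chrome object to content.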
(Reporter)

Updated

10 years ago
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Updated

3 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
(Reporter)

Comment 4

3 years ago
I think that this should be public by now.
Flags: needinfo?(jorge)
Group: client-services-security
Flags: needinfo?(jorge)