Closed
Bug 504862
(CVE-2009-3988)
Opened 15 years ago
Closed 15 years ago
XSS due to window.dialogArguments accessible cross-domain (MSVR-09-0047 / ZDI-CAN-535)
Categories
(Core :: DOM: Core & HTML, defect, P1)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
blocking1.9.1 | --- | .8+ |
status1.9.1 | --- | .8-fixed |
People
(Reporter: bsterne, Assigned: jst)
References
Details
(Keywords: verified1.9.0.18, verified1.9.1, Whiteboard: [sg:moderate][needs 1.9.1 landing])
Attachments
(6 files, 3 obsolete files)
405 bytes,
text/html
|
Details | |
947 bytes,
text/html
|
Details | |
22.39 KB,
patch
|
mrbkap
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
1.12 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
20.19 KB,
patch
|
jst
:
review+
jst
:
superreview+
dveditz
:
approval1.9.1.8+
|
Details | Diff | Splinter Review |
32.56 KB,
patch
|
dveditz
:
approval1.9.0.18+
|
Details | Diff | Splinter Review |
This issue was reported to security@m.o by Microsoft Vulnerability Research. Credit should go to Hidetake Jo and Microsoft Vulnerability Research.
I can confirm in Firefox 3.5 that the properties of window.dialogArguments are accessible by script across domains. I will attach the testcases shortly. From the email:
-----
Title:
Name Cross-Domain window.dialogVaribles Initialization in Firefox 3.5 [MSVR-0047]
Description:
General mechanism for Cross-site scripting
It appears that Firefox 3.5 permits cross-domain initialization of window.dialogVariables. This behavior is unlike that of IE and Safari, and would allow exploit of XSS in web pages which assume that the page's dialogVariable can't be initialized in this way.
Technical details of exploit:
1. Find a page on the internet that is reading and using value from window.dialogArguments.
2. On evil.com create a page that calls window.showModalDialog (http://victim.com/page.xx <http://victim.com/page.xx> , ...);
2a. This allows you to initialize the window.dialogArguments on the victim domain.
3. Lure victim to the exploit page on evil.com
Finder(s):
Hidetake Jo and Microsoft Vulnerability Research.
Type of Issue:
Cross-domain initialization of window.dialogArguments enabling XSS exploits
Product(s) and version(s) that contain the bug:
Firefox 3.5
The finders have not tested against other versions of Firefox or against platforms other than Windows Vista Sp1
Special configuration requirements:
No special hardware or configuration is needed. The PoC has been demonstrated on a system with Windows Vista Sp1 + latest security updates (as of July 2009)
Reporter | ||
Comment 1•15 years ago
|
||
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:high]
Comment 2•15 years ago
|
||
Do window arguments have to be a variant? Could we clamp them to be a string?
Assignee | ||
Comment 3•15 years ago
|
||
They have to be a variant.
Assignee | ||
Comment 4•15 years ago
|
||
This makes our behavior match IE's where we don't pass any arguments if the URI of the dialog is not same origin with the caller. This copies some ugly URI related code from the window watcher which I'd like to avoid, but I haven't found a cleaner way yet...
Assignee | ||
Comment 5•15 years ago
|
||
This is still a bit ugly, but a lot better, and probably about as good as it'll get here.
Attachment #389232 -
Attachment is obsolete: true
Attachment #389593 -
Flags: superreview?(bzbarsky)
Attachment #389593 -
Flags: review?(mrbkap)
Comment 6•15 years ago
|
||
Hrm. Is there a reason for doing it that way? Wouldn't it make more sense to store the principal the arguments come from as part of SetNewArguments and then do a check any time we're actually binding the arguments on the inner window, against the principal of said inner window? That would make sure that the arguments are set on an inner if and only if we're same-origin with it anyway (and hence could have just set it ourselves). Is there an obvious problem with that, other than needing a signature change on SetNewArguments to take the principal?
Comment 7•15 years ago
|
||
Boris: How would we deal with the returnValue bit, then?
Comment 8•15 years ago
|
||
Can we not examine the principal of the modal window after ShowAsModal returns and clear the returnValue if it's not same-origin with the opener principal?
Seems like that would be the smart thing to do anyway, in case the modal window gets navigated to another origin which then sets returnValue.
That said, if the modal origin is different, will caller even be able to get returnValue?
Comment 9•15 years ago
|
||
(In reply to comment #8)
> Can we not examine the principal of the modal window after ShowAsModal returns
> and clear the returnValue if it's not same-origin with the opener principal?
Ah, right. I sort of forgot that we actually have a window by that point.
> That said, if the modal origin is different, will caller even be able to get
> returnValue?
Said getting happens in C++ (in ShowModalDialog) and is the return value from that function, so yes.
Updated•15 years ago
|
Attachment #389593 -
Flags: superreview?(bzbarsky) → superreview-
Reporter | ||
Comment 10•15 years ago
|
||
FYI, ZDI TippingPoint reported this to us today via security@m.o as ZDI-CAN-535.
Assignee | ||
Updated•15 years ago
|
Attachment #389593 -
Attachment is obsolete: true
Attachment #389593 -
Flags: review?(mrbkap)
Assignee | ||
Comment 11•15 years ago
|
||
This does what bz suggested, it stores the principal where the arguments came from, and checks when the dialog is dismissed whether the caller can access the last loaded document in the dialog before getting the return value out of it. Making those changes got a bit nasty. I had to pass the principals along with the arguments, which meant changing the interface nsIScriptGlobalObject which is what had the SetNewArguments() method, which IMO doesn't belong in that interface at all. So since I was changing that interface anyways, I decided to move that method to nsPIDOMWindow, and rename it to SetArguments(), as there's nothing new about the arguments AFAICT. Getting things to work right in the nsGlobalWindow where we create new inner windows and migrate arguments from one to another was fun too.
But this patch does work, fixes the security bug and some other bad bugs in this code as well, and I think this is the way we'd want to go here for now.
Attachment #394965 -
Flags: superreview?(bzbarsky)
Attachment #394965 -
Flags: review?(mrbkap)
Updated•15 years ago
|
Attachment #394965 -
Flags: review?(mrbkap) → review+
Comment 12•15 years ago
|
||
Comment on attachment 394965 [details] [diff] [review]
Updated fix.
>@@ -8988,7 +9033,14 @@ nsGlobalModalWindow::GetDialogArguments(
>- *aArguments = mArguments;
Good thing we're changing this code, eh? ;)
>+ if (mArgumentsOrigin &&
>+ NS_SUCCEEDED(mArgumentsOrigin->Subsumes(GetPrincipal(), &subsumes)) &&
>+ subsumes) {
Why this particular direction for the security check? When is this code even called?
Comment 13•15 years ago
|
||
With that check reversed as just discussed, looks good.
Updated•15 years ago
|
Attachment #394965 -
Flags: superreview?(bzbarsky) → superreview+
Updated•15 years ago
|
Alias: MSVR-0047 → MSVR-09-0047
Updated•15 years ago
|
Assignee: nobody → jst
Assignee | ||
Comment 14•15 years ago
|
||
Fix checked in.
http://hg.mozilla.org/mozilla-central/rev/105d89f1a33b
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 15•15 years ago
|
||
The fix didn't stick, mochitest failures. Must be due to a recent change in the patch...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 16•15 years ago
|
||
(In reply to comment #15)
> The fix didn't stick, mochitest failures. Must be due to a recent change in the
> patch...
Any update on this?
Flags: blocking1.9.2?
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
Comment 17•15 years ago
|
||
Sounds like this would be an easy thing to pick off right away. Can we get this patch updated and landed, please?
Assignee | ||
Comment 18•15 years ago
|
||
This is needed in addition to the previous patch for this to pass our tests. The reason for this is that there's a difference in the order of events when we're opening a modal dialog whose URL is a javascript: URI vs not. In the javascript: URI case we end up executing the JS in the URI before we've called SetNewDocument() on the global window, so a call to GetDialogArguments() can happen before the arguments are moved from the outer window to the inner window, whereas in the regular case where the content of a loaded URI asks for the dialog arguments we've already moved them to the inner.
This stuff really needs cleaning up at some point. Ideally we wouldn't attempt to share members with the dialog argument code we use for XUL dialogs, which I suspect would simplify this code a fair bit, or we should make some saner decisions regarding the time of availability of these arguments, etc. But for now, I'd just like to land this to get this blocker out of the way...
Attachment #404118 -
Flags: superreview?(bzbarsky)
Attachment #404118 -
Flags: review?(bzbarsky)
Comment 19•15 years ago
|
||
So with that last patch, if called on an outer we won't forward to the inner, right? That seems wrong somehow. Wouldn't we want to only skip forwarding if we have no inner?
I wonder whether it would make sense to have javascript: URIs trigger inner window creation before executing script. I'm a little surprised they don't already! But that can be a separate bug.
Updated•15 years ago
|
status1.9.1:
--- → wanted
Assignee | ||
Comment 20•15 years ago
|
||
After talking this over with bz (and sorting out some confusion regarding whether we need any additional changes at all), I think this is the way to go here. This makes it so that when opening a modal dialog and calling SetArguments() on it we make sure that we at that point set the arguments on the inner window if it has already been created. This passes mochitest.
Attachment #404945 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•15 years ago
|
Attachment #404118 -
Attachment is obsolete: true
Attachment #404118 -
Flags: superreview?(bzbarsky)
Attachment #404118 -
Flags: review?(bzbarsky)
Updated•15 years ago
|
Attachment #404945 -
Flags: review?(bzbarsky) → review+
Comment 21•15 years ago
|
||
Comment on attachment 404945 [details] [diff] [review]
Better additional fix.
r=bzbarsky
Assignee | ||
Comment 22•15 years ago
|
||
Fixed on trunk.
http://hg.mozilla.org/mozilla-central/rev/526f516cbd46
http://hg.mozilla.org/mozilla-central/rev/d96ffc8c2749 (forgot to add the tests)
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 23•15 years ago
|
||
status1.9.2:
--- → beta1-fixed
Updated•15 years ago
|
blocking1.9.1: needed → .5+
Whiteboard: [sg:high] → [sg:moderate] also reported as ZDI-CAN-535
Comment 24•15 years ago
|
||
Johnny, can you work up a combined 1.9.1 patch for this bug (or just check if the 1.9.2 one applies)?
Updated•15 years ago
|
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.16+
Reporter | ||
Comment 25•15 years ago
|
||
This also affects 1.9.0. Johnny, can you please land the fix there as well?
Updated•15 years ago
|
Alias: MSVR-09-0047
Summary: XSS due to window.dialogArguments accessible cross-domain → XSS due to window.dialogArguments accessible cross-domain (MSVR-09-0047 / ZDI-CAN-535)
Whiteboard: [sg:moderate] also reported as ZDI-CAN-535 → [sg:moderate]
Comment 26•15 years ago
|
||
Johnny: We really need a patch here. Code freeze for 1.9.0 and 1.9.1 is November 10 at 11:59pm.
Updated•15 years ago
|
Whiteboard: [sg:moderate] → [needs 1.9.1/1.9.0 patch or approval request by jst][sg:moderate]
Assignee | ||
Comment 27•15 years ago
|
||
This is applied w/o any real problems to 1.9.1, but I had to create a new nsPIDOMWindow_1_9_1 interface to maintain interface compatibility.
Attachment #410897 -
Flags: superreview+
Attachment #410897 -
Flags: review+
Attachment #410897 -
Flags: approval1.9.1.6?
Assignee | ||
Comment 28•15 years ago
|
||
Oh, and passes mochitest locally when applied to 1.9.1.
Comment 29•15 years ago
|
||
(In reply to comment #27)
What about 1.9.0?
Comment 30•15 years ago
|
||
Comment on attachment 410897 [details] [diff] [review]
Fix for 1.9.1
Approved for 1.9.1.6, a=dveditz for release-drivers
Attachment #410897 -
Flags: approval1.9.1.6? → approval1.9.1.6+
Comment 31•15 years ago
|
||
Johnny: Please don't forget a 1.9.0 patch here.
Updated•15 years ago
|
Whiteboard: [needs 1.9.1/1.9.0 patch or approval request by jst][sg:moderate] → [needs 1.9.0 patch or approval request by jst][needs 1.9.1 landing][sg:moderate]
Assignee | ||
Comment 32•15 years ago
|
||
Updated•15 years ago
|
Whiteboard: [needs 1.9.0 patch or approval request by jst][needs 1.9.1 landing][sg:moderate] → [needs 1.9.0 patch or approval request by jst][sg:moderate]
Assignee | ||
Comment 33•15 years ago
|
||
Clearing 1.9.0 blocking flag since this feature didn't ship until 1.9.1.
Flags: blocking1.9.0.16+
Assignee | ||
Updated•15 years ago
|
Flags: wanted1.9.0.x+
Updated•15 years ago
|
Whiteboard: [needs 1.9.0 patch or approval request by jst][sg:moderate] → [sg:moderate]
Comment 34•15 years ago
|
||
Restoring flags. Johnny was misinformed. :)
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.16+
Updated•15 years ago
|
Whiteboard: [sg:moderate] → [needs 1.9.0 patch or approval request by jst][sg:moderate]
Updated•15 years ago
|
Flags: wanted1.8.1.x-
Assignee | ||
Comment 36•15 years ago
|
||
This is going through try server right now, passes the relevant tests locally.
Assignee | ||
Comment 37•15 years ago
|
||
Comment on attachment 411872 [details] [diff] [review]
1.9.0 patch
Requesting approval for this patch, even though I just actually landed this thinking that it was already approved. So, let me know if this is all good, or if I should back this out of CVS.
Attachment #411872 -
Flags: approval1.9.0.16?
Comment 38•15 years ago
|
||
Comment on attachment 411872 [details] [diff] [review]
1.9.0 patch
Approved for 1.9.0.16, a=dveditz for release-drivers
Attachment #411872 -
Flags: approval1.9.0.16? → approval1.9.0.16+
Updated•15 years ago
|
Keywords: fixed1.9.0.16
Whiteboard: [needs 1.9.0 patch or approval request by jst][sg:moderate] → [sg:moderate]
Comment 39•15 years ago
|
||
Verified fixed for 1.9.1.6 using testcase and build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6pre) Gecko/20091119 Shiretoko/3.5.6pre (.NET CLR 3.5.30729).
Verified for 1.9.0.16 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729).
Comment 40•15 years ago
|
||
This caused a leak on 1.9.1: bug 528133.
Comment 41•15 years ago
|
||
Talked this over with Johnny. We need to backout this fix across all branches and respin both releases without it. (This *should* be causing a leak on 1.9.0, per him, but isn't for some reason.)
Johnny, please back this out on... 1.9.1, 1.9.0, GECKO1916_20091130_RELBRANCH (hg), and GECKO190_20091130_RELBRANCH (cvs).
Assignee | ||
Comment 42•15 years ago
|
||
Backed out in all those 4 places :(
Comment 43•15 years ago
|
||
Johnny, you should make sure this doesn't affect 1.9.2 somehow (despite not seeing it right now) because if we need to back it out there, we need to do so ASAP.
blocking1.9.1: .6+ → .7+
status1.9.1:
.6-fixed → ---
Flags: blocking1.9.0.16+ → blocking1.9.0.17+
Keywords: verified1.9.0.16,
verified1.9.1
Assignee | ||
Comment 44•15 years ago
|
||
Yeah, but I don't think I can do that before I understand this leak, as there is no evidence on 1.9.2 of a leak like the one we see in 1.9.1 with this patch.
Comment 45•15 years ago
|
||
The leaks are due to bug 508774, which was fixed on trunk before 1.9.2 branched, but after 1.9.1. I've asked for approval on the patch in bug 508774.
Depends on: 508774
Assignee | ||
Comment 46•15 years ago
|
||
Thanks Peter for figuring that out!
Comment 47•15 years ago
|
||
Comment on attachment 410897 [details] [diff] [review]
Fix for 1.9.1
Approved for 1.9.1.7, a=dveditz for release-drivers
Attachment #410897 -
Flags: approval1.9.1.6+ → approval1.9.1.7+
Comment 48•15 years ago
|
||
Comment on attachment 411872 [details] [diff] [review]
1.9.0 patch
Approved for 1.9.0.16, a=dveditz for release-drivers
Please land bug 508774 first
Attachment #411872 -
Flags: approval1.9.0.16+ → approval1.9.0.17+
Comment 49•15 years ago
|
||
(dveditz of course meant 1.9.0.17 as evidenced by the flag.)
Updated•15 years ago
|
status1.9.1:
--- → wanted
Updated•15 years ago
|
Whiteboard: [sg:moderate] → [sg:moderate][needs 1.9.1 landing]
Comment 51•15 years ago
|
||
(In reply to comment #39)
> Verified fixed for 1.9.1.6 using testcase and build Mozilla/5.0 (Windows; U;
> Windows NT 5.1; en-US; rv:1.9.1.6pre) Gecko/20091119 Shiretoko/3.5.6pre (.NET
> CLR 3.5.30729).
Al, I have problems to reproduce this issue with Firefox 3.5.7. Given the revoked flags we have backed-out the fix for 3.5.7 and the failure should be visible. Can you please verify it with 3.5.8pre?
Comment 52•15 years ago
|
||
The first testcase repros cleanly in 1.9.1.7 but the second one ("testcase reads window.dialogArguments from other domain") returns "undefined" for both values. This is the fixed behavior. The first testcase does the same in 1.9.1.8 (and no longer displays the dialog about injection).
This is fixed in 1.9.1.8, verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100201 Shiretoko/3.5.8pre (.NET CLR 3.5.30729).
Keywords: verified1.9.1
Comment 53•15 years ago
|
||
The same behavior happens on 1.9.0 as what I saw in 1.9.1. Verified fixed in 1.9.1.8 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2010020215 GranParadiso/3.0.18pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.18 → verified1.9.0.18
Updated•15 years ago
|
Alias: CVE-2010-0161
Updated•15 years ago
|
Alias: CVE-2010-0161 → CVE-2009-3988
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•