Closed
Bug 522531
Opened 16 years ago
Closed 16 years ago
Firebug most likely exploitable due to jsdIValue.getProperty calls
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | alpha4+ |
People
(Reporter: bzbarsky, Unassigned)
Details
(Whiteboard: [sg:critical?][firebug-blocks])
jsdValue::GetProperty calls JSD_GetValueProperty which calls jsd_GetValueProperty, which does:
JS_GetUCProperty(cx, obj, nameChars, nameLen, &val)
where |obj| is whatever object is inside the jsdIValue (so quite possibly not wrapperized) and cx is a JSContext that the debugger service sets up in _newJSDContext.
In particular, cx does not have an associated nsIScriptContext, and its global object doesn't have an associated nsIPrincipal. If I read nsScriptSecurityManager::GetSubjectPrincipal correctly, if above JS_GetUCProperty triggers GetSubjectPrincipal calls they will come back with NS_OK and null, which means the caller will treat the subject principal as system.
Pretty sure this should be exploitable.
Flags: blocking1.9.2?
Flags: blocking1.9.0.16?
|
Reporter | |
Comment 1•16 years ago
|
||
Note that for extra fun we need to fix this without breaking Firebug in the process. Or update Firebug in sync.
blocking1.9.1: --- → ?
blocking2.0: --- → ?
|
||
Updated•16 years ago
|
blocking1.9.1: ? → needed
status1.9.1:
--- → wanted
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:critical?]
|
|
||
Comment 3•16 years ago
|
||
I agree with comment #2.
boris, this sounds like an escalation vulnerability? Can scripts in content theoretically gain higher privilege because of this? Any other recommendations?
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:critical?] → [sg:critical?][firebug-p1]
|
|
||
Comment 4•16 years ago
|
||
As far as Firebug goes, bug 507448 fixes this. We only call the getProperty for arg names. (But don't close it, we need to fix sometime).
|
|
Reporter | |
Comment 5•16 years ago
|
||
> boris, this sounds like an escalation vulnerability?
The failure mode here is a web page running arbitrary script of its choice with the system principal.
|
|
||
Comment 6•16 years ago
|
||
(In reply to comment #4)
> As far as Firebug goes, bug 507448 fixes this. We only call the getProperty for
> arg names. (But don't close it, we need to fix sometime).
That bug hasn't landed on 1.9.2 yet, though blocking/approval has been requested. Is there likely to be a "better" fix for this in time for 1.9.2, or should we get that one marked as a blocker right now?
|
|
||
Comment 7•16 years ago
|
||
(In reply to comment #5)
> > boris, this sounds like an escalation vulnerability?
>
> The failure mode here is a web page running arbitrary script of its choice with
> the system principal.
right. full, backstage pass.
Does JJB's comment in #4 mitigate this? Sounds like we'll be able to fix in Firebug once patch in 507448 lands on branch, though unlikely we'll get a fix for 3.0/1.9.1.
Whiteboard: [sg:critical?][firebug-p1] → [sg:critical?][firebug-p1][firebug-blocks]
|
|
Reporter | |
Comment 8•16 years ago
|
||
> Is there likely to be a "better" fix for this in time for 1.9.2
I'm not competent to write one. We need to fix this inside jsd if we're going to get it fixed on the 1.9.0 and 1.9.1 branches, and I'm not quite sure how to go about doing that without breaking Firebug...
|
|
||
Comment 9•16 years ago
|
||
(In reply to comment #8)
> > Is there likely to be a "better" fix for this in time for 1.9.2
>
> I'm not competent to write one. We need to fix this inside jsd if we're going
> to get it fixed on the 1.9.0 and 1.9.1 branches, and I'm not quite sure how to
> go about doing that without breaking Firebug...
bz - Okay, so I think you're saying that, in the meantime, bug 507448 has to block then, right? And do you agree with John that bug 507448 should be enough to mitigate it, given Firebug's usage?
|
|
Reporter | |
Comment 10•16 years ago
|
||
Bug 507448 is a prerequisite for firebug usage changing so as to avoid calling the vulnerable function this bug is about. It's not enough on its own; firebug changes are needed too. Hence the last sentence of comment 4.
|
||
Updated•16 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Comment 11•16 years ago
|
||
(In reply to comment #0)
> jsdValue::GetProperty calls JSD_GetValueProperty which calls
> jsd_GetValueProperty, which does:
>
> JS_GetUCProperty(cx, obj, nameChars, nameLen, &val)
>
> where |obj| is whatever object is inside the jsdIValue (so quite possibly not
> wrapperized) ...
So in the case of:
var pvalue = frame.scope.getProperty(argName);
we can replace it with:
var scope = XPCSafeJSObjectWrapper(frame.scope.getWrappedValue());
then
var pvalue = scope.argName;
safely correct?
(Firebug 1.5 wants to support Firefox 3.5, and bug 507448 will probably not reach that far back).
|
|
Reporter | |
Comment 12•16 years ago
|
||
> var scope = XPCSafeJSObjectWrapper(frame.scope.getWrappedValue());
> var pvalue = scope.argName;
I believe this should be safe, yes. Blake?
|
||
Comment 13•16 years ago
|
||
Yes, that should be safe.
|
|
||
Comment 14•16 years ago
|
||
so based on comment #11, we *could* fix this in Firebug code, but it's relying on a patch that won't make it back to 1.9.1, is this correct?
We need an owner for this bug.
|
|
||
Comment 15•16 years ago
|
||
Sorry I was not clear.
http://code.google.com/p/fbug/source/detail?r=4859
implements the change proposed in Comment 11. Therefore Firebug 1.5 does not need anything from this bug *and* it does not need 507448.
With the answer from comment 13, we don't need this bug for firebug 1.5. Since its too late for FF 3.6, I think we just move on.
Whiteboard: [sg:critical?][firebug-p1][firebug-blocks] → [sg:critical?][firebug-blocks]
|
|
||
Comment 16•16 years ago
|
||
Firebug can move on, but as this is an sg:critical bug I'm reluctant to close it with WONTFIX or WFM. Someone else should make that call.
|
|
Reporter | |
Comment 17•16 years ago
|
||
We should still fix jsd (either by making this API safe or removing it).
|
||
Comment 18•16 years ago
|
||
We should create a new bug for the JSD API removal/fixing, and close this one out, since Firebug is no longer exploitable. Removing blocking, at the least.
Flags: blocking1.9.2+ → blocking1.9.2-
|
|
Reporter | |
Comment 19•16 years ago
|
||
Filed bug 529835.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
|
||
Comment 20•16 years ago
|
||
blocking+ in case this is reopened for some reason
blocking2.0: ? → alpha4+
|
|
||
Comment 21•15 years ago
|
||
Please correct us if we've gotten it wrong, but it looks like we don't need this bug on the branches.
blocking1.9.1: needed → ---
status1.9.1:
wanted → ---
|
Assignee | |
Updated•14 years ago
|
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•10 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•