Bug 554449 - (CVE-2010-3773) Fix in bug 504021 can be circumvented
Status: RESOLVED FIXED
[sg:critical][critsmash:resolved]
Keywords: testcase
Product: Core
Classification: Components
Component: XPConnect
Version: unspecified
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap) (please use needinfo!)
Blocks: 560466
Reported: 2010-03-23 14:02 PDT by moz_bug_r_a4
Modified: 2012-04-17 10:49 PDT (History)
Tracking flags: beta1+; 1.9.2: .13+, .13-fixed; 1.9.1: .16+, .16-fixed

Attachments
Proposed fix (3.97 KB, patch)
2010-04-20 15:48 PDT, Blake Kaplan (:mrbkap) (please use needinfo!)
jst: review+
peterv: superreview+
christian: approval1.9.2.13+
christian: approval1.9.1.16+
Backport for 1.9.0 (2.13 KB, patch)
2010-12-08 08:13 PST, Mike Hommey [:glandium]
jst: review+
mrbkap: superreview+

Description moz_bug_r_a4 2010-03-23 14:02:20 PDT
In nsXPCWrappedJSClass::CallMethod, JS_GetMethod is called before pushing a
principal, and XPCConvert::JSData2Native is called after popping the principal.

On 1.9.0, in nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject,
OBJ_GET_PROPERTY is called before pushing a principal.

1.9.0 is exploitable by bug 504021.  (On trunk/1.9.2/1.9.1, bug 504021 was
fixed by bug 503926.)

A testcase for bug 554448 (which is trunk-only) depends on this bug.
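The ordering defect the report describes, as an added C++ model that is not XPConnect's code: a toy principal stack in which the method lookup and the return-value conversion run outside the pushed-principal scope, beside the corrected ordering. All names (PrincipalStack, AutoPushPrincipal, ContentObject, callMethodVulnerable, callMethodFixed) and the content origin are hypothetical.

```cpp
#include <string>
#include <vector>
// Hypothetical principal stack: the top entry sets the privileges of
// whatever script runs right now. The caller starts out privileged.
struct PrincipalStack {
    std::vector<std::string> stack{"chrome"};
    const std::string& current() const { return stack.back(); }
};
// RAII push/pop around a call into content JS, as the wrapper does.
struct AutoPushPrincipal {
    PrincipalStack& s;
    AutoPushPrincipal(PrincipalStack& st, const std::string& p) : s(st) { s.stack.push_back(p); }
    ~AutoPushPrincipal() { s.stack.pop_back(); }
};
// Content-controlled object. Each hook (getter, the call itself, a toString
// during result conversion) records which principal was on top when it ran.
struct ContentObject {
    std::string principal = "http://content.example";  // constructed origin
    std::vector<std::string> observed;
    void lookupMethod(const PrincipalStack& s)  { observed.push_back(s.current()); }
    void invoke(const PrincipalStack& s)        { observed.push_back(s.current()); }
    void convertResult(const PrincipalStack& s) { observed.push_back(s.current()); }
};
// Ordering described in the bug: lookup before the push, conversion after
// the pop, so both run with the privileged caller on top of the stack.
std::vector<std::string> callMethodVulnerable(ContentObject& obj) {
    PrincipalStack s;
    obj.lookupMethod(s);
    {
        AutoPushPrincipal guard(s, obj.principal);
        obj.invoke(s);
    }
    obj.convertResult(s);
    return obj.observed;
}
// Corrected ordering: every step that may run content script is scoped.
std::vector<std::string> callMethodFixed(ContentObject& obj) {
    PrincipalStack s;
    AutoPushPrincipal guard(s, obj.principal);
    obj.lookupMethod(s);
    obj.invoke(s);
    obj.convertResult(s);
    return obj.observed;
}
// True if any content hook ran with the privileged principal on top.
bool contentRanPrivileged(const std::vector<std::string>& observed) {
    for (const auto& p : observed) if (p == "chrome") return true;
    return false;
}
```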
Comment 1 moz_bug_r_a4 2010-03-23 14:04:38 PDT
Created attachment 434347 [details]
testcase (requires Firebug)

This uses bug 344495's trick.

This works on fx3.0.19 candidate.
Comment 2 Daniel Veditz [:dveditz] 2010-03-23 22:55:50 PDT
Comment on attachment 434347 [details]
testcase (requires Firebug)

What is the Firebug pattern you're abusing here? Something we're likely to see in other add-ons?
Comment 3 moz_bug_r_a4 2010-03-23 23:32:27 PDT
(In reply to comment #2)
> (From update of attachment 434347 [details])
> What is the Firebug pattern you're abusing here? Something we're likely to see
> in other add-ons?

Please see bug 504021 comment 0.  Add-ons that access content xhr.on* could be
exploitable on 1.9.0.
Comment 4 Jesse Ruderman 2010-04-06 13:25:26 PDT
1.9.0.x branch is EOL.
Comment 5 moz_bug_r_a4 2010-04-06 23:59:27 PDT
Ah, I intended this bug to cover trunk and all branches.  Patches for trunk and
all branches in bug 504021 have flaws I described in the first paragraph of
comment 0.
Comment 6 Damon Sicore (:damons) 2010-04-20 13:42:42 PDT
Blake, can we get an ETA here?
Comment 7 Blake Kaplan (:mrbkap) (please use needinfo!) 2010-04-20 15:48:41 PDT
Created attachment 440367 [details] [diff] [review]
Proposed fix
Comment 8 Blake Kaplan (:mrbkap) (please use needinfo!) 2010-04-20 15:56:25 PDT
And note: that patch is m-c only... Older branches that call QI on content objects will need more patching.
Comment 9 Blake Kaplan (:mrbkap) (please use needinfo!) 2010-04-27 16:40:34 PDT
http://hg.mozilla.org/mozilla-central/rev/87ceb85b85df
Comment 10 Daniel Veditz [:dveditz] 2010-08-23 10:39:12 PDT
Blake: you said this was "more involved" on the branches so now would be a good time to start working on it for the next set of releases.
Comment 11 Blake Kaplan (:mrbkap) (please use needinfo!) 2010-11-18 15:07:12 PST
Comment on attachment 440367 [details] [diff] [review]
Proposed fix

This actually applies as-is to these two branches. I must have been confusing this bug with another one.
Comment 12 Blake Kaplan (:mrbkap) (please use needinfo!) 2010-11-18 15:07:53 PST
(that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree, I wonder if a change in Firebug is masking the problem)
Comment 13 christian 2010-11-18 15:13:06 PST
Comment on attachment 440367 [details] [diff] [review]
Proposed fix

a=LegNeato for 1.9.2.13 and 1.9.1.16. Please submit by the end of today PST.
Comment 14 moz_bug_r_a4 2010-11-18 17:51:52 PST
(In reply to comment #12)
> (that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree,
> I wonder if a change in Firebug is masking the problem)

The testcase in this bug worked only on 1.9.0 branch.

Please see bug 560466.  A testcase in bug 560466 depends on this bug.
Comment 16 Mike Hommey [:glandium] 2010-12-08 08:13:29 PST
Created attachment 496155 [details] [diff] [review]
Backport for 1.9.0

So, interestingly, this backport does fix bug 560466, but not this one. Am I missing something?
Comment 17 Johnny Stenback (:jst, jst@mozilla.com) 2010-12-08 10:03:18 PST
Comment on attachment 496155 [details] [diff] [review]
Backport for 1.9.0

Looks good to me, but mrbkap should have a look as well, and may know why this may not fix this bug but fixes bug 560466.
Comment 18 moz_bug_r_a4 2010-12-09 01:05:43 PST
(In reply to comment #16)
> So, interestingly, this backport does fix bug 560466, but not this one. Am I
> missing something?

1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix
bug 503926) to stop the testcase in this bug.
Comment 19 Mike Hommey [:glandium] 2010-12-09 04:02:32 PST
(In reply to comment #18)
> 1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix
> bug 503926) to stop the testcase in this bug.

Applying the patch from bug 503926 fixes the issue, indeed. What is strange is that bug 503926 was supposed to be required to fix CVE-2010-0179 (bug 504021), which was fixed in 1.9.0.19, but bug 503926 isn't in 1.9.0.19.
Comment 20 moz_bug_r_a4 2010-12-09 22:52:20 PST
Please see bug 504021 comment #19, #55, #56.  The 1.9.0 patch modified
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject instead of fixing bug 503926.
Comment 21 Al Billings [:abillings] 2012-04-16 17:04:41 PDT
Blake gave this a superreview+ on January 29, 2012. Are we doing something further with this bug?
Comment 22 :Ms2ger 2012-04-17 00:49:51 PDT
Apart from not refreshing the bug and moving it to another component? :)
Comment 23 Al Billings [:abillings] 2012-04-17 10:49:59 PDT
Damn it. This is the second time that this has happened. I'm blaming some interaction of Nightly and Bugzilla here. I certainly didn't specifically select any components to change.
