Bug 554449 (CVE-2010-3773)

Fix in bug 504021 can be circumvented

RESOLVED FIXED

Status

Core
XPConnect
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

({testcase})

unspecified
x86
Windows XP
testcase
Points:
---

Firefox Tracking Flags

(blocking2.0 beta1+, blocking1.9.2 .13+, status1.9.2 .13-fixed, blocking1.9.1 .16+, status1.9.1 .16-fixed)

Details

(Whiteboard: [sg:critical][critsmash:resolved])

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
In nsXPCWrappedJSClass::CallMethod, JS_GetMethod is called before pushing a
principal, and XPCConvert::JSData2Native is called after popping the principal.

On 1.9.0, in nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject,
OBJ_GET_PROPERTY is called before pushing a principal.

1.9.0 is exploitable by bug 504021.  (On trunk/1.9.2/1.9.1, bug 504021 was
fixed by bug 503926.)

A testcase for bug 554448 (which is trunk-only) depends on this bug.
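As an added illustration, not code from this bug or from Mozilla, here is a small C++ model of the push/pop ordering the description criticizes: a hypothetical principal stack and RAII guard stand in for XPConnect's context stack, the vulnerable variant lets both content-controlled hooks run under the caller's principal, and the corrected variant keeps the content principal on the stack for the whole interaction.

```cpp
// Illustrative model, added here and not Mozilla's code, of the ordering flaw the
// report describes: the lookup that fetches the method (JS_GetMethod) runs before
// the content principal is pushed, and conversion of the result (JSData2Native)
// runs after it is popped, so content-controlled hooks run under the caller's principal.
#include <functional>
#include <vector>

enum class Principal { System, Content };

// Hypothetical principal stack standing in for XPConnect's context stack.
static std::vector<Principal> g_stack{Principal::System};
static Principal current() { return g_stack.back(); }

// RAII guard: pushes the callee's principal for the duration of a scope.
struct PushPrincipal {
    explicit PushPrincipal(Principal p) { g_stack.push_back(p); }
    ~PushPrincipal() { g_stack.pop_back(); }
};

// Constructed stand-in for a content object: each hook records the principal
// that is on top of the stack when it runs.
struct ContentObject {
    std::vector<Principal> seen;
    std::function<int()> getMethod() { seen.push_back(current()); return [] { return 42; }; }
    int convertResult(int v) { seen.push_back(current()); return v; }
};

// Vulnerable ordering from the report: lookup before push, conversion after pop.
int callMethodVulnerable(ContentObject& obj) {
    std::function<int()> fn = obj.getMethod();  // still under System
    int raw;
    {
        PushPrincipal guard(Principal::Content);
        raw = fn();                             // only this runs under Content
    }
    return obj.convertResult(raw);              // under System again
}

// Corrected ordering: the guard covers every interaction with the object.
int callMethodFixed(ContentObject& obj) {
    PushPrincipal guard(Principal::Content);
    return obj.convertResult(obj.getMethod()());
}

// Number of content-controlled steps that ran with System on the stack.
int countSystemSteps(const ContentObject& obj) {
    int n = 0;
    for (Principal p : obj.seen) if (p == Principal::System) ++n;
    return n;
}
int systemStepsVulnerable() { ContentObject o; callMethodVulnerable(o); return countSystemSteps(o); }
int systemStepsFixed() { ContentObject o; callMethodFixed(o); return countSystemSteps(o); }
```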
(Reporter)

Comment 1

7 years ago
Created attachment 434347 [details]
testcase (requires Firebug)

This uses bug 344495's trick.

This works on fx3.0.19 candidate.
Flags: blocking1.9.0.19?
Whiteboard: [sg:critical]
Comment on attachment 434347 [details]
testcase (requires Firebug)

What is the Firebug pattern you're abusing here? Something we're likely to see in other add-ons?
(Reporter)

Comment 3

7 years ago
(In reply to comment #2)
> (From update of attachment 434347 [details])
> What is the Firebug pattern you're abusing here? Something we're likely to see
> in other add-ons?

Please see bug 504021 comment 0.  Add-ons that access content xhr.on* could be
exploitable on 1.9.0.

Comment 4

7 years ago
1.9.0.x branch is EOL.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
Whiteboard: [sg:critical] → [sg:critical] 1.9.0.x and earlier
(Reporter)

Comment 5

7 years ago
Ah, I intended this bug to cover trunk and all branches.  Patches for trunk and
all branches in bug 504021 have flaws I described in the first paragraph of
comment 0.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Assignee: nobody → mrbkap
Whiteboard: [sg:critical] 1.9.0.x and earlier → [sg:critical]
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed

Updated

7 years ago
blocking2.0: ? → beta1+

Updated

7 years ago
Keywords: testcase
Blake, can we get an ETA here?
(Assignee)

Comment 7

7 years ago
Created attachment 440367 [details] [diff] [review]
Proposed fix
Attachment #440367 - Flags: review?(jst)
(Assignee)

Comment 8

7 years ago
And note: that patch is m-c only... Older branches that call QI on content objects will need more patching.

Updated

7 years ago
Attachment #440367 - Flags: review?(jst) → review+
(Assignee)

Updated

7 years ago
Attachment #440367 - Flags: superreview?(peterv)
Attachment #440367 - Flags: superreview?(peterv) → superreview+

Updated

7 years ago
Whiteboard: [sg:critical] → [sg:critical][critsmash:patch]
(Assignee)

Comment 9

7 years ago
http://hg.mozilla.org/mozilla-central/rev/87ceb85b85df
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
status1.9.1: --- → wanted
status1.9.2: --- → wanted

Updated

7 years ago
Whiteboard: [sg:critical][critsmash:patch] → [sg:critical][critsmash:resolved]
blocking1.9.1: needed → .13+
blocking1.9.2: needed → .10+
Blake: you said this was "more involved" on the branches so now would be a good time to start working on it for the next set of releases.

Updated

7 years ago
blocking1.9.1: .14+ → .15+
blocking1.9.2: .11+ → .12+
(Assignee)

Comment 11

7 years ago
Comment on attachment 440367 [details] [diff] [review]
Proposed fix

This actually applies as-is to these two branches. I must have been confusing this bug with another one.
Attachment #440367 - Flags: approval1.9.2.13?
Attachment #440367 - Flags: approval1.9.1.16?
(Assignee)

Comment 12

7 years ago
(that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree, I wonder if a change in Firebug is masking the problem)

Comment 13

7 years ago
Comment on attachment 440367 [details] [diff] [review]
Proposed fix

a=LegNeato for 1.9.2.13 and 1.9.1.16. Please submit by the end of today PST.
Attachment #440367 - Flags: approval1.9.2.13?
Attachment #440367 - Flags: approval1.9.2.13+
Attachment #440367 - Flags: approval1.9.1.16?
Attachment #440367 - Flags: approval1.9.1.16+
(Reporter)

Comment 14

7 years ago
(In reply to comment #12)
> (that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree,
> I wonder if a change in Firebug is masking the problem)

The testcase in this bug worked only on 1.9.0 branch.

Please see bug 560466.  A testcase in bug 560466 depends on this bug.
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/81f0ff4d3cbb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/eab9c1dd1f17
status1.9.1: wanted → .16-fixed
status1.9.2: wanted → .13-fixed
Blocks: 560466
Alias: CVE-2010-3773
Created attachment 496155 [details] [diff] [review]
Backport for 1.9.0

So, interestingly, this backport does fix bug 560466, but not this one. Am I missing something?
Attachment #496155 - Flags: review?(jst)
Comment on attachment 496155 [details] [diff] [review]
Backport for 1.9.0

Looks good to me, but mrbkap should have a look as well, and may know why this may not fix this bug but fixes bug 560466.
Attachment #496155 - Flags: superreview?(mrbkap)
Attachment #496155 - Flags: review?(jst)
Attachment #496155 - Flags: review+
(Reporter)

Comment 18

7 years ago
(In reply to comment #16)
> So, interestingly, this backport does fix bug 560466, but not this one. Am I
> missing something?

1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix
bug 503926) to stop the testcase in this bug.
(In reply to comment #18)
> 1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix
> bug 503926) to stop the testcase in this bug.

Applying the patch from bug 503926 fixes the issue, indeed. What is strange is that bug 503926 was supposed to be required to fix CVE-2010-0179 (bug 504021), which was fixed in 1.9.0.19, but bug 503926 isn't in 1.9.0.19.
(Reporter)

Comment 20

7 years ago
Please see bug 504021 comment #19, #55, #56.  The 1.9.0 patch modified 
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject instead of fixing bug 503926.
Group: core-security
Flags: blocking1.9.0.19?
(Assignee)

Updated

6 years ago
Attachment #496155 - Flags: superreview?(mrbkap) → superreview+
Blake gave this a superreview+ on January 29, 2012. Are we doing something further with this bug?
Assignee: mrbkap → nobody
Component: XPConnect → XP Toolkit/Widgets: XUL
QA Contact: xpconnect → xptoolkit.xul
Apart from not refreshing the bug and moving it to another component? :)
Assignee: nobody → mrbkap
Component: XP Toolkit/Widgets: XUL → XPConnect
QA Contact: xptoolkit.xul → xpconnect
Damn it. This is the second time that this has happened. I'm blaming some interaction of Nightly and Bugzilla here. I certainly didn't specifically select any components to change.