Closed Bug 572129 (CVE-2011-2984) Opened 14 years ago Closed 13 years ago

Arbitrary code execution via browser's tab element that was dropped on the content area

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .20+
status1.9.2 --- .20-fixed
blocking1.9.1 --- needed
status1.9.1 --- wanted

People

(Reporter: moz_bug_r_a4, Assigned: smaug)

References

Details

(Whiteboard: [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker][has patch])

Attachments

(3 files, 3 obsolete files)

If a user drag a browser's tab element and drop it on the content area, a
content-registered drop event listener can access the tab element and its
properties including privileged functions.

Only drop event listeners can access privileged objects without the security
check.
http://hg.mozilla.org/mozilla-central/file/2348611d0230/content/events/src/nsDOMDataTransfer.cpp#l455
This works on Firefox trunk, 3.6.* and 3.5.*.

(SeaMonkey does not store a tab element in a dataTransfer when a tab is
dragged.)
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Whiteboard: [sg:critical]
Whiteboard: [sg:critical] → [sg:critical][critsmash:investigating]
Assignee: nobody → Olli.Pettay
blocking1.9.1: ? → .11+
blocking1.9.2: ? → .6+
There are two bugs here:
  * XPCConvert::NativeInterface2JSObject does not create COWs automatically. IMO we should fix this in another bug.
  * nsDOMDataTransfer::MozGetDataAt doesn't do anything to censor chrome objects from content getting at them. While having COWs would fix this bug, IMO it would be better to avoid exposing chrome objects to content at all from this API. Does that sound reasonable to people?
(and the first reason there means that bug 572130 can't save us here.)
Depends on: 572647
Sounds very reasonable, and that is what I was thinking too; we shouldn't 
expose chrome objects to content. I'm not quite sure how to filter out
chrome objects.

The first reason is the most important, though.
Ah, we have principal for the TransferItems. We could use those.
And content shouldn't even know if there are items which it can't access.
Though, perhaps there are cases like string data drop when content should
be able to access the data even if the principal is system principal.
...need to investigate.
>   * nsDOMDataTransfer::MozGetDataAt doesn't do anything to censor chrome
> objects from content getting at them. While having COWs would fix this bug, IMO
> it would be better to avoid exposing chrome objects to content at all from this
> API. Does that sound reasonable to people?

What are 'chrome objects'?

The only thing that should be prevented is dom objects that aren't accessible from the page the drop listener is in. I assumed that was already happening. Is that not the case?
(In reply to comment #7)
> What are 'chrome objects'?

Objects that are implicitly associated with a chrome "context." In the testcase here, the chrome object is the XUL tab element that is being dropped.

> The only thing that should be prevented is dom objects that aren't accessible
> from the page the drop listener is in. I assumed that was already happening. Is
> that not the case?

It is not, unfortunately. Bug 572647 will help, though.
(In reply to comment #8)
> (In reply to comment #7)
> > What are 'chrome objects'?
> 
> Objects that are implicitly associated with a chrome "context."
But what objects are associated with chrome context?
All nsPIDOMEventTargets, sure, but what else?
All the JS implemented (implemented in chrome JS) objects?
Whiteboard: [sg:critical][critsmash:investigating] → [sg:critical][critsmash:investigating][sg:ccbr]
So it is not clear to me what to do with this.
Bug 572647 would fix the security problem.
Is it more likely to get a fix for bug 572647 than this bug? If so we'll track the other one for the branches
We're punting this out of .7/.11 for now, please let me know if it should be pulled back (or if bug 572647 should be on the branches instead)
blocking1.9.1: .11+ → needed
blocking1.9.2: .7+ → needed
Whiteboard: [sg:critical][critsmash:investigating][sg:ccbr] → [sg:critical][critsmash:investigating][ccbr]
Whiteboard: [sg:critical][critsmash:investigating][ccbr] → [sg:critical][critsmash:investigating][ccbr][critsmash:patch]
blocking2.0: ? → final+
Whiteboard: [sg:critical][critsmash:investigating][ccbr][critsmash:patch] → [sg:critical][critsmash:investigating][ccbr][critsmash:patch][fixed by bug 572647]
Whiteboard: [sg:critical][critsmash:investigating][ccbr][critsmash:patch][fixed by bug 572647] → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647]
So the testcase doesn't seem to work on trunk, but does on branches.
Marcia, can you confirm comment 13?  If it's no longer repro on trunk, let's remove blocking status.
I can reproduce the testcase on trunk fx-4.0b7pre-2010-10-06-04.
Yes, I can repro as well using  Mozilla/5.0 (Windows NT 5.1; rv:2.0b7pre) Gecko/20101006 Firefox/4.0b7pre.
If compartments fixes this then it should be fixed on tracemonkey by now. Need to verify that before we mark this one FIXED.

However we still need a different fix for branches.
Compartments might not have fixed it due to default-unsafe exposedProps...
The testcase works on tracemonkey 2010-10-13-04.
What do you mean by "works"? Do you mean that you can still successfully get elevated privileges? Or do you mean that the browser successfully stops you?
The testcase can still successfully get elevated privileges.
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647] → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647] softblocker
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647] softblocker → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][softblocker]
This will actually be fixed by mrbkap's fix in bug 611485 (fixed in tracemonkey). Bug 572647 has been fixed for some time now, but it, as filed, wasn't quite enough to fix this issue as well.
The old testcase was fixed.  But, this bug's problem is not fixed.  Content
code can still access a tab element and abuse its functions.
I can certainly reproduce the problem using testcase 2.
Blake, can we do a spot fix for this issue until COW's are default safe?
Assignee: Olli.Pettay → mrbkap
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][softblocker] → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][hardblocker]
Not for FF4. The best I could come up with would be to try to flip "default safe" based on how content code got its hands on the chrome object in question.
Although, I guess we could try to avoid handing out chrome-compartment stuff to content from the drag/drop API... Not sure how hard that would be though or if it'd have other effects.
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][hardblocker] → [sg:critical][stale][ccbr][critsmash:patch][partial fix in bug 572647][hardblocker]
Attached patch Possible fix (obsolete) — Splinter Review
Neil, do you remember why this check was here? It seems to date all the way back to the original implementation.
Attachment #512386 - Flags: review?
Attachment #512386 - Flags: review? → review?(enndeakin)
Comment on attachment 512386 [details] [diff] [review]
Possible fix

The line is there so that you can drop something from one source to another. Drag and drop wouldn't be particularly useful without this.
Attachment #512386 - Flags: review?(enndeakin) → review-
Should we have some way to mark chrome only DataTransfer data items?
Or perhaps other way, if chrome wants to allow content to access the data,
it should mark the data somehow.
This all at least with "uncommon" data transfer formats.
Blake said he's got a patch in progress for limiting where chrome objects are handed out from drag n drop code. Blake, please provide an ETA for the patch.
Attached patch Possible fix v2Splinter Review
So, the bug here is really that chrome objects don't behave according to the same origin model. This patch preserves the original behavior for content objects, but denies access to chrome objects that have been dropped.

A second thought: would it make sense in the future to return null instead of throwing here? This seems like a case where the API really means "give me what I asked for if I have access to it, otherwise I don't want to know."
Attachment #512386 - Attachment is obsolete: true
Attachment #514366 - Flags: review?(enndeakin)
Comment on attachment 514366 [details] [diff] [review]
Possible fix v2

But this patch has the same problem.

1. Open a page which listens for the drop event:
data:text/html,<body ondragover="return false" ondrop="event.preventDefault(); alert(event.dataTransfer.getData('text/plain'));">Drop here</body>

2. Drag text from the url field or another application onto it.
Actual: Security Exception
Expected: An alert with the dropped text.

Note that the mPrincipal isn't the principal of the thing being dragged, it's the principal of the caller that put it in the dataTransfer (although a native caller could theoretically use any principal).

You actually want to be checking the thing being dragged (stored in mData) to check if it can be accessed. For this specific bug about dropping tabs, that thing will be a <tab> element from chrome.
Attachment #514366 - Flags: review?(enndeakin) → review-
I'm not really interested in playing whack-a-mole like that. I give up.
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][partial fix in bug 572647][hardblocker] → [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker]
(In reply to comment #35)
> I'm not really interested in playing whack-a-mole like that. I give up.

Where does that put us then, gents?
So if we end up blacklisting, do we know what all should be blacklisted.

Or, hmm, could we whilelist things which can be dropped using
system principal?
What would happen if the drag started in the content page and
script there sets some data using application/x-moz-tabbrowser-tab?
Enn, Gavin, do you happen to know what all drag formats chrome uses?
This is not yet tested properly, but at least dropping files from
desktop to content works, d&d tabs works, d&d text from location bar to content page works etc.
Attachment #514555 - Flags: feedback?(enndeakin)
Whiteboard: [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker] → [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker][has patch]
So the patch prevents dragging EventTarget objects from content to chrome
and vise versa. Are there cases when we would want to enable that?
Attachment #514555 - Flags: review?(enndeakin)
Attachment #514555 - Flags: feedback?(gavin.sharp)
Attachment #514555 - Flags: feedback?(enndeakin)
Comment on attachment 514555 [details] [diff] [review]
Be very strict when handling common DOM objects as transfer data

I really need feedback from those who know Firefox UI code.
Attachment #514555 - Flags: feedback?(dao)
Why is the mExplicitlySet flag needed?

> So the patch prevents dragging EventTarget objects from content to chrome
> and vise versa. Are there cases when we would want to enable that?

I don't think there is currently.

Don't we want to prevent access if the caller cannot access the node no matter whether it is chrome or not? For instance, a drag from one page to another?
(In reply to comment #43)
> Don't we want to prevent access if the caller cannot access the node no matter
> whether it is chrome or not? For instance, a drag from one page to another?
Ah, probably. So not only currentIsSystem == dataIsSystem check, but also
principal subsumes check.

and ok, mExplicitlySet isn't probably needed after all...
Attached patch v2 (obsolete) — Splinter Review
Attachment #514555 - Attachment is obsolete: true
Attachment #514576 - Flags: review?(enndeakin)
Attachment #514576 - Flags: feedback?(gavin.sharp)
Attachment #514555 - Flags: review?(enndeakin)
Attachment #514555 - Flags: feedback?(gavin.sharp)
Attachment #514555 - Flags: feedback?(dao)
Attachment #514576 - Flags: feedback?(dao)
Attachment #514576 - Flags: review?(enndeakin) → review+
Over to Olli who's working on the alternate fix here!
Assignee: mrbkap → Olli.Pettay
Attachment #514576 - Flags: feedback?(gavin.sharp)
Attachment #514576 - Attachment is obsolete: true
Attachment #514576 - Flags: feedback?(dao)
Attachment #514819 - Flags: review?(bzbarsky)
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

r=me
Attachment #514819 - Flags: review?(bzbarsky) → review+
http://hg.mozilla.org/mozilla-central/rev/bc901af701c9
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Attachment #514819 - Flags: approval1.9.2.15?
Attachment #514819 - Flags: approval1.9.1.18?
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

Approved for 1.9.2.15 and 1.9.1.18, a=dveditz for release-drivers
Attachment #514819 - Flags: approval1.9.2.15?
Attachment #514819 - Flags: approval1.9.2.15+
Attachment #514819 - Flags: approval1.9.1.18?
Attachment #514819 - Flags: approval1.9.1.18+
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

Not sure why this didn't make it, but moving approvals forward since it missed.
Attachment #514819 - Flags: approval1.9.2.18+
Attachment #514819 - Flags: approval1.9.2.17+
Attachment #514819 - Flags: approval1.9.1.20+
Attachment #514819 - Flags: approval1.9.1.19+
Depends on: 611485
blocking1.9.1: needed → .20+
blocking1.9.2: needed → .18+
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

Doesn't compile on 1.9.2, will need a new patch.

  error: ‘class nsIScriptContext’ has no member named ‘GetObjectPrincipal’
Attachment #514819 - Flags: approval1.9.2.18-
Attachment #514819 - Flags: approval1.9.2.18+
Attachment #514819 - Flags: approval1.9.1.20-
Attachment #514819 - Flags: approval1.9.1.20+
Keywords: checkin-needed
Olli: still need that new patch.
blocking1.9.1: .20+ → needed
blocking1.9.2: .18+ → .19+
Summary: Content code can access a browser's tab element that was dropped on the content area → Arbitrary code execution via browser's tab element that was dropped on the content area
Comment on attachment 549940 [details] [diff] [review]
GetObjectPrincipal method from trunk inline

Approved for 1.9.2.20, a=dveditz
Attachment #549940 - Flags: approval1.9.2.20? → approval1.9.2.20+
Alias: CVE-2011-2984
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: