Bug 572129 (CVE-2011-2984)

Arbitrary code execution via browser's tab element that was dropped on the content area

RESOLVED FIXED

Status

()

Core
Security
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: moz_bug_r_a4, Assigned: smaug)

Tracking

(Depends on: 1 bug)

unspecified
x86
Windows XP
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 .20+, status1.9.2 .20-fixed, blocking1.9.1 needed, status1.9.1 wanted)

Details

(Whiteboard: [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker][has patch])

Attachments

(3 attachments, 3 obsolete attachments)

(Reporter)

Description

7 years ago
If a user drag a browser's tab element and drop it on the content area, a
content-registered drop event listener can access the tab element and its
properties including privileged functions.

Only drop event listeners can access privileged objects without the security
check.
http://hg.mozilla.org/mozilla-central/file/2348611d0230/content/events/src/nsDOMDataTransfer.cpp#l455
(Reporter)

Comment 1

7 years ago
Created attachment 451291 [details]
testcase - Arbitrary code execution

This works on Firefox trunk, 3.6.* and 3.5.*.

(SeaMonkey does not store a tab element in a dataTransfer when a tab is
dragged.)
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Whiteboard: [sg:critical]

Updated

7 years ago
Whiteboard: [sg:critical] → [sg:critical][critsmash:investigating]
(Assignee)

Updated

7 years ago
Assignee: nobody → Olli.Pettay
blocking1.9.1: ? → .11+
blocking1.9.2: ? → .6+
There are two bugs here:
  * XPCConvert::NativeInterface2JSObject does not create COWs automatically. IMO we should fix this in another bug.
  * nsDOMDataTransfer::MozGetDataAt doesn't do anything to censor chrome objects from content getting at them. While having COWs would fix this bug, IMO it would be better to avoid exposing chrome objects to content at all from this API. Does that sound reasonable to people?
(and the first reason there means that bug 572130 can't save us here.)
(Assignee)

Updated

7 years ago
Depends on: 572647
(Assignee)

Comment 4

7 years ago
Sounds very reasonable, and that is what I was thinking too; we shouldn't 
expose chrome objects to content. I'm not quite sure how to filter out
chrome objects.

The first reason is the most important, though.
(Assignee)

Comment 5

7 years ago
Ah, we have principal for the TransferItems. We could use those.
And content shouldn't even know if there are items which it can't access.
(Assignee)

Comment 6

7 years ago
Though, perhaps there are cases like string data drop when content should
be able to access the data even if the principal is system principal.
...need to investigate.

Comment 7

7 years ago
>   * nsDOMDataTransfer::MozGetDataAt doesn't do anything to censor chrome
> objects from content getting at them. While having COWs would fix this bug, IMO
> it would be better to avoid exposing chrome objects to content at all from this
> API. Does that sound reasonable to people?

What are 'chrome objects'?

The only thing that should be prevented is dom objects that aren't accessible from the page the drop listener is in. I assumed that was already happening. Is that not the case?
(In reply to comment #7)
> What are 'chrome objects'?

Objects that are implicitly associated with a chrome "context." In the testcase here, the chrome object is the XUL tab element that is being dropped.

> The only thing that should be prevented is dom objects that aren't accessible
> from the page the drop listener is in. I assumed that was already happening. Is
> that not the case?

It is not, unfortunately. Bug 572647 will help, though.
(Assignee)

Comment 9

7 years ago
(In reply to comment #8)
> (In reply to comment #7)
> > What are 'chrome objects'?
> 
> Objects that are implicitly associated with a chrome "context."
But what objects are associated with chrome context?
All nsPIDOMEventTargets, sure, but what else?
All the JS implemented (implemented in chrome JS) objects?

Updated

7 years ago
Whiteboard: [sg:critical][critsmash:investigating] → [sg:critical][critsmash:investigating][sg:ccbr]
(Assignee)

Comment 10

7 years ago
So it is not clear to me what to do with this.
Bug 572647 would fix the security problem.

Comment 11

7 years ago
Is it more likely to get a fix for bug 572647 than this bug? If so we'll track the other one for the branches

Comment 12

7 years ago
We're punting this out of .7/.11 for now, please let me know if it should be pulled back (or if bug 572647 should be on the branches instead)
blocking1.9.1: .11+ → needed
blocking1.9.2: .7+ → needed
Whiteboard: [sg:critical][critsmash:investigating][sg:ccbr] → [sg:critical][critsmash:investigating][ccbr]

Updated

7 years ago
Whiteboard: [sg:critical][critsmash:investigating][ccbr] → [sg:critical][critsmash:investigating][ccbr][critsmash:patch]
blocking2.0: ? → final+

Updated

7 years ago
Whiteboard: [sg:critical][critsmash:investigating][ccbr][critsmash:patch] → [sg:critical][critsmash:investigating][ccbr][critsmash:patch][fixed by bug 572647]

Updated

7 years ago
Whiteboard: [sg:critical][critsmash:investigating][ccbr][critsmash:patch][fixed by bug 572647] → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647]
(Assignee)

Comment 13

7 years ago
So the testcase doesn't seem to work on trunk, but does on branches.
Marcia, can you confirm comment 13?  If it's no longer repro on trunk, let's remove blocking status.
(Reporter)

Comment 15

7 years ago
I can reproduce the testcase on trunk fx-4.0b7pre-2010-10-06-04.
Yes, I can repro as well using  Mozilla/5.0 (Windows NT 5.1; rv:2.0b7pre) Gecko/20101006 Firefox/4.0b7pre.
If compartments fixes this then it should be fixed on tracemonkey by now. Need to verify that before we mark this one FIXED.

However we still need a different fix for branches.
Compartments might not have fixed it due to default-unsafe exposedProps...
(Reporter)

Comment 19

7 years ago
The testcase works on tracemonkey 2010-10-13-04.
What do you mean by "works"? Do you mean that you can still successfully get elevated privileges? Or do you mean that the browser successfully stops you?
(Reporter)

Comment 21

7 years ago
The testcase can still successfully get elevated privileges.

Updated

6 years ago
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647] → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647] softblocker

Updated

6 years ago
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647] softblocker → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][softblocker]
This will actually be fixed by mrbkap's fix in bug 611485 (fixed in tracemonkey). Bug 572647 has been fixed for some time now, but it, as filed, wasn't quite enough to fix this issue as well.
(Reporter)

Comment 23

6 years ago
The old testcase was fixed.  But, this bug's problem is not fixed.  Content
code can still access a tab element and abuse its functions.
(Reporter)

Comment 24

6 years ago
Created attachment 509020 [details]
testcase 2 - Arbitrary code execution
(Assignee)

Comment 25

6 years ago
I can certainly reproduce the problem using testcase 2.
Blake, can we do a spot fix for this issue until COW's are default safe?
Assignee: Olli.Pettay → mrbkap
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][softblocker] → [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][hardblocker]
Not for FF4. The best I could come up with would be to try to flip "default safe" based on how content code got its hands on the chrome object in question.
Although, I guess we could try to avoid handing out chrome-compartment stuff to content from the drag/drop API... Not sure how hard that would be though or if it'd have other effects.

Updated

6 years ago
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][fixed by bug 572647][hardblocker] → [sg:critical][stale][ccbr][critsmash:patch][partial fix in bug 572647][hardblocker]
Created attachment 512386 [details] [diff] [review]
Possible fix

Neil, do you remember why this check was here? It seems to date all the way back to the original implementation.
Attachment #512386 - Flags: review?

Updated

6 years ago
Attachment #512386 - Flags: review? → review?(enndeakin)

Comment 30

6 years ago
Comment on attachment 512386 [details] [diff] [review]
Possible fix

The line is there so that you can drop something from one source to another. Drag and drop wouldn't be particularly useful without this.
Attachment #512386 - Flags: review?(enndeakin) → review-
(Assignee)

Comment 31

6 years ago
Should we have some way to mark chrome only DataTransfer data items?
Or perhaps other way, if chrome wants to allow content to access the data,
it should mark the data somehow.
This all at least with "uncommon" data transfer formats.
Blake said he's got a patch in progress for limiting where chrome objects are handed out from drag n drop code. Blake, please provide an ETA for the patch.
Created attachment 514366 [details] [diff] [review]
Possible fix v2

So, the bug here is really that chrome objects don't behave according to the same origin model. This patch preserves the original behavior for content objects, but denies access to chrome objects that have been dropped.

A second thought: would it make sense in the future to return null instead of throwing here? This seems like a case where the API really means "give me what I asked for if I have access to it, otherwise I don't want to know."
Attachment #512386 - Attachment is obsolete: true
Attachment #514366 - Flags: review?(enndeakin)

Comment 34

6 years ago
Comment on attachment 514366 [details] [diff] [review]
Possible fix v2

But this patch has the same problem.

1. Open a page which listens for the drop event:
data:text/html,<body ondragover="return false" ondrop="event.preventDefault(); alert(event.dataTransfer.getData('text/plain'));">Drop here</body>

2. Drag text from the url field or another application onto it.
Actual: Security Exception
Expected: An alert with the dropped text.

Note that the mPrincipal isn't the principal of the thing being dragged, it's the principal of the caller that put it in the dataTransfer (although a native caller could theoretically use any principal).

You actually want to be checking the thing being dragged (stored in mData) to check if it can be accessed. For this specific bug about dropping tabs, that thing will be a <tab> element from chrome.
Attachment #514366 - Flags: review?(enndeakin) → review-
I'm not really interested in playing whack-a-mole like that. I give up.
Whiteboard: [sg:critical][stale][ccbr][critsmash:patch][partial fix in bug 572647][hardblocker] → [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker]
(In reply to comment #35)
> I'm not really interested in playing whack-a-mole like that. I give up.

Where does that put us then, gents?
(Assignee)

Comment 37

6 years ago
So if we end up blacklisting, do we know what all should be blacklisted.

Or, hmm, could we whilelist things which can be dropped using
system principal?
(Assignee)

Comment 38

6 years ago
What would happen if the drag started in the content page and
script there sets some data using application/x-moz-tabbrowser-tab?
(Assignee)

Comment 39

6 years ago
Enn, Gavin, do you happen to know what all drag formats chrome uses?
(Assignee)

Comment 40

6 years ago
Created attachment 514555 [details] [diff] [review]
Be very strict when handling common DOM objects as transfer data

This is not yet tested properly, but at least dropping files from
desktop to content works, d&d tabs works, d&d text from location bar to content page works etc.
Attachment #514555 - Flags: feedback?(enndeakin)

Updated

6 years ago
Whiteboard: [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker] → [sg:critical][stale][ccbr][partial fix in bug 572647][hardblocker][has patch]
(Assignee)

Comment 41

6 years ago
So the patch prevents dragging EventTarget objects from content to chrome
and vise versa. Are there cases when we would want to enable that?
(Assignee)

Updated

6 years ago
Attachment #514555 - Flags: review?(enndeakin)
Attachment #514555 - Flags: feedback?(gavin.sharp)
Attachment #514555 - Flags: feedback?(enndeakin)
(Assignee)

Comment 42

6 years ago
Comment on attachment 514555 [details] [diff] [review]
Be very strict when handling common DOM objects as transfer data

I really need feedback from those who know Firefox UI code.
Attachment #514555 - Flags: feedback?(dao)

Comment 43

6 years ago
Why is the mExplicitlySet flag needed?

> So the patch prevents dragging EventTarget objects from content to chrome
> and vise versa. Are there cases when we would want to enable that?

I don't think there is currently.

Don't we want to prevent access if the caller cannot access the node no matter whether it is chrome or not? For instance, a drag from one page to another?
(Assignee)

Comment 44

6 years ago
(In reply to comment #43)
> Don't we want to prevent access if the caller cannot access the node no matter
> whether it is chrome or not? For instance, a drag from one page to another?
Ah, probably. So not only currentIsSystem == dataIsSystem check, but also
principal subsumes check.

and ok, mExplicitlySet isn't probably needed after all...
(Assignee)

Comment 45

6 years ago
Created attachment 514576 [details] [diff] [review]
v2
Attachment #514555 - Attachment is obsolete: true
Attachment #514576 - Flags: review?(enndeakin)
Attachment #514576 - Flags: feedback?(gavin.sharp)
Attachment #514555 - Flags: review?(enndeakin)
Attachment #514555 - Flags: feedback?(gavin.sharp)
Attachment #514555 - Flags: feedback?(dao)
(Assignee)

Updated

6 years ago
Attachment #514576 - Flags: feedback?(dao)

Updated

6 years ago
Attachment #514576 - Flags: review?(enndeakin) → review+
Over to Olli who's working on the alternate fix here!
Assignee: mrbkap → Olli.Pettay
(Assignee)

Updated

6 years ago
Attachment #514576 - Flags: feedback?(gavin.sharp)
(Assignee)

Comment 47

6 years ago
Created attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC
(Assignee)

Updated

6 years ago
Attachment #514576 - Attachment is obsolete: true
Attachment #514576 - Flags: feedback?(dao)
(Assignee)

Updated

6 years ago
Attachment #514819 - Flags: review?(bzbarsky)
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

r=me
Attachment #514819 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 49

6 years ago
http://hg.mozilla.org/mozilla-central/rev/bc901af701c9
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Updated

6 years ago
Attachment #514819 - Flags: approval1.9.2.15?
Attachment #514819 - Flags: approval1.9.1.18?
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

Approved for 1.9.2.15 and 1.9.1.18, a=dveditz for release-drivers
Attachment #514819 - Flags: approval1.9.2.15?
Attachment #514819 - Flags: approval1.9.2.15+
Attachment #514819 - Flags: approval1.9.1.18?
Attachment #514819 - Flags: approval1.9.1.18+
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

Not sure why this didn't make it, but moving approvals forward since it missed.
Attachment #514819 - Flags: approval1.9.2.18+
Attachment #514819 - Flags: approval1.9.2.17+
Attachment #514819 - Flags: approval1.9.1.20+
Attachment #514819 - Flags: approval1.9.1.19+
Keywords: checkin-needed
Depends on: 661970
Depends on: 611485
blocking1.9.1: needed → .20+
blocking1.9.2: needed → .18+
Comment on attachment 514819 [details] [diff] [review]
a bit simpler per bz's comments on IRC

Doesn't compile on 1.9.2, will need a new patch.

  error: ‘class nsIScriptContext’ has no member named ‘GetObjectPrincipal’
Attachment #514819 - Flags: approval1.9.2.18-
Attachment #514819 - Flags: approval1.9.2.18+
Attachment #514819 - Flags: approval1.9.1.20-
Attachment #514819 - Flags: approval1.9.1.20+

Updated

6 years ago
Keywords: checkin-needed
Olli: still need that new patch.
blocking1.9.1: .20+ → needed
blocking1.9.2: .18+ → .19+
Summary: Content code can access a browser's tab element that was dropped on the content area → Arbitrary code execution via browser's tab element that was dropped on the content area
(Assignee)

Comment 54

6 years ago
Created attachment 549940 [details] [diff] [review]
GetObjectPrincipal method from trunk inline
Attachment #549940 - Flags: approval1.9.2.20?
Comment on attachment 549940 [details] [diff] [review]
GetObjectPrincipal method from trunk inline

Approved for 1.9.2.20, a=dveditz
Attachment #549940 - Flags: approval1.9.2.20? → approval1.9.2.20+
(Assignee)

Comment 56

6 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ab26f1cefe55
status1.9.2: wanted → .20-fixed
Alias: CVE-2011-2984
Group: core-security
You need to log in before you can comment on or make changes to this bug.