Closed Bug 612835 Opened 9 years ago Closed 9 years ago

Arbitrary code execution using InstallTrigger

Categories

(Core :: Security, defect)

x86
All
defect
Not set

Tracking


VERIFIED FIXED
Tracking Status
blocking2.0 --- betaN+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Keywords: regression, Whiteboard: [sg:critical] from compartments [hardblocker] fixed-in-tracemonkey [fx4-fixed-bugday] )

Attachments

(1 file, 1 obsolete file)

This is a regression from landing of compartments.

Methods of InstallTrigger are exploitable.  With the attached testcase, when an
untrusted function is called via a proxy, the subject principal is the system
principal.
Attached file testcase
Attached patch Oops (obsolete)
Thanks for finding this. Rather embarrassing.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #491146 - Flags: review?(gal)
blocking2.0: --- → ?
Needs a test...
blocking2.0: ? → betaN+
Flags: in-testsuite?
Comment on attachment 491146 [details] [diff] [review]
Oops

Oops.
Attachment #491146 - Flags: review?(gal) → review+
Keywords: regression
Whiteboard: [sg:critical] from compartments
blocking2.0: betaN+ → ---
OS: Windows XP → All
blocking2.0: --- → betaN+
http://hg.mozilla.org/tracemonkey/rev/cd4718b986c8
Whiteboard: [sg:critical] from compartments → [sg:critical] from compartments fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/cd4718b986c8
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
This got backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [sg:critical] from compartments fixed-in-tracemonkey → [sg:critical] from compartments
For the record, this needs a bunch more work per mrbkap.
Whiteboard: [sg:critical] from compartments → [sg:critical] from compartments, hardblocker
Attachment #491146 - Attachment is obsolete: true
Whiteboard: [sg:critical] from compartments, hardblocker → [sg:critical] from compartments [hardblocker]
Fixed by bug 611485.
Whiteboard: [sg:critical] from compartments [hardblocker] → [sg:critical] from compartments [hardblocker] fixed-in-tracemonkey
Fix for bug 611485 landed in a tracemonkey merge.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Verified bad behavior in Firefox 4 b10 and fix in b11 build (Mozilla/5.0
(Macintosh; Intel Mac OS X 10.6; rv:2.0b11) Gecko/20100101 Firefox/4.0b11)
using attached testcase.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical] from compartments [hardblocker] fixed-in-tracemonkey → [sg:critical] from compartments [hardblocker] fixed-in-tracemonkey [fx4-fixed-bugday]
Group: core-security → core-security-release
Group: core-security-release