Closed
Bug 705651
(CVE-2012-0446)
Opened 13 years ago
Closed 13 years ago
Frame scripts that access untrusted objects are exploitable
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
FIXED
mozilla11
| Tracking | Status | |
|---|---|---|
| firefox8 | --- | wontfix |
| firefox9 | --- | wontfix |
| firefox10 | + | verified |
| firefox11 | + | verified |
| firefox-esr10 | --- | unaffected |
| status1.9.2 | --- | unaffected |
People
(Reporter: moz_bug_r_a4, Assigned: smaug)
References
Details
(Keywords: verified-beta, Whiteboard: [sg:critical][qa!][secr:dveditz])
Attachments
(4 files)
|
31.65 KB,
image/jpeg
|
Details | |
|
8.49 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
|
8.37 KB,
patch
|
Details | Diff | Splinter Review | |
|
8.49 KB,
patch
|
christian
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
screenshot of testcase 3
Frame scripts run on the special JS context for which we call SetSecurityManagerForJSContext with flags=0, thus if a frame script calls into an untrusted function, XPConnect does not do proper security checks.
|
Reporter | |
Comment 4•13 years ago
|
||
|
Assignee | |
Comment 5•13 years ago
|
||
Nice :(
mrbkap, what kinds of flags can be passed to SetSecurityManagerForJSContext?
There is no documentation in nsIXPConnect nor in nsXPConnect.cpp
Assignee: nobody → bugs
|
|
Assignee | |
Comment 6•13 years ago
|
||
I'm pretty sure 0 is passed because it is (or was) passed also here
http://mxr.mozilla.org/mozilla2.0/source/dom/src/threads/nsDOMThreadService.cpp#1075
|
|
Assignee | |
Comment 7•13 years ago
|
||
Ahaa, some documentation is here
http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/idl/nsIXPCSecurityManager.idl#61
Should I pass HOOK_ALL ?
|
||
Comment 8•13 years ago
|
||
Hey Olli. I don't think you actually need to call SetSecurityManagerForJSContext at all. That function is useful if a given context needs to use a different security manager from the rest of the runtime. However, in most cases, we can just use the one that's installed on XPConnect itself. On the other hand, using HOOK_ALL would also fix this bug.
|
|
Assignee | |
Comment 9•13 years ago
|
||
Create a helper method.
Attachment #577535 -
Flags: review?(mrbkap)
|
|
||
Comment 10•13 years ago
|
||
Comment on attachment 577535 [details] [diff] [review]
patch
Review of attachment 577535 [details] [diff] [review]:
-----------------------------------------------------------------
I mentioned on IRC that the reason that web workers got away with this (before the recent rewrite) is that they truly used object capabilities to protect themselves. Furthermore, they couldn't use the script security manager off the main thread, and therefore wanted to *prevent* calls to the SSM. Because there was nothing around to protect, this was safe.
::: content/base/src/nsFrameMessageManager.cpp
@@ +840,5 @@
> +
> + JSAutoRequest ar(cx);
> + nsIXPConnect* xpc = nsContentUtils::XPConnect();
> + const PRUint32 flags = nsIXPConnect::INIT_JS_STANDARD_CLASSES |
> + /*nsIXPConnect::OMIT_COMPONENTS_OBJECT ? |*/
I doubt you want this flag. It's only useful if you want to cut the scripts you're going to be running off from XPCOM entirely.
|
|
||
Updated•13 years ago
|
Attachment #577535 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 11•13 years ago
|
||
Yeah, that flag has been there since the beginning when it wasn't sure whether we want to
expose components to frame scripts or let them do only simpler things.
I'll remove that.
|
|
Assignee | |
Comment 12•13 years ago
|
||
|
|
Assignee | |
Comment 13•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 14•13 years ago
|
||
I'll prepare patches for aurora and beta.
tracking-firefox10:
--- → ?
tracking-firefox9:
--- → ?
|
|
Assignee | |
Comment 15•13 years ago
|
||
The only difference to trunk is that trunk doesn't have
| JSOPTION_JIT
Attachment #578220 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Updated•13 years ago
|
Attachment #578220 -
Attachment description: for aurota → for aurora
|
|
Assignee | |
Comment 16•13 years ago
|
||
In beta there is also JS_SetScriptStackQuota and JSOPTION_ANONFUNFIX |
|
||
Comment 17•13 years ago
|
||
Now tracking for FF9/10, and added the sec-review-needed keyword. Please address possible risk for taking on aurora/beta.
tracking-firefox8:
--- → +
Keywords: sec-review-needed
|
||
Comment 18•13 years ago
|
||
There is little risk here, we should take this for aurora (fx10)
Keywords: sec-review-needed → sec-review-complete
Whiteboard: [qa+] → [sg:critical][qa+][secr:dveditz]
|
|
||
Comment 19•13 years ago
|
||
little risk from the patch, I mean! It's a bad security hole that's probably exploitable through several addons and definitely exploitable through an XSS on AMO.
Attachment #578220 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 20•13 years ago
|
||
status-firefox10:
--- → fixed
|
||
Updated•13 years ago
|
status-firefox11:
--- → fixed
status-firefox8:
--- → wontfix
status-firefox9:
--- → wontfix
tracking-firefox11:
--- → +
Target Milestone: --- → mozilla11
|
|
||
Updated•13 years ago
|
status1.9.2:
--- → unaffected
|
|
||
Updated•13 years ago
|
Alias: CVE-2012-0446
|
||
Comment 22•13 years ago
|
||
Verified fixed in Firefox Aurora.
|
|
||
Updated•13 years ago
|
Whiteboard: [sg:critical][qa+][secr:dveditz] → [sg:critical][qa!][secr:dveditz]
|
|
||
Updated•13 years ago
|
|
|
||
Updated•13 years ago
|
Group: core-security
|
|
||
Updated•12 years ago
|
Flags: sec-review+
You need to log in
before you can comment on or make changes to this bug.
Description
•