Closed
Bug 757128
(CVE-2012-3973)
Opened 13 years ago
Closed 12 years ago
Remote debugging is possible even when disabled if netmonitor is enabled
Categories
(DevTools :: Debugger, defect, P1)
Tracking
(blocking-kilimanjaro:+, firefox14 unaffected, firefox15+ fixed, firefox16+ fixed, firefox-esr10 unaffected)
RESOLVED
FIXED
blocking-kilimanjaro | + |
Tracking | Status | |
---|---|---|
firefox14 | --- | unaffected |
firefox15 | + | fixed |
firefox16 | + | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: mgoodwin, Assigned: past)
References
Details
(Keywords: csectype-priv-escalation, sec-critical, Whiteboard: [advisory-tracking+][qa-])
Issue:
If remote debugging is disabled, but HTTPMonitor is enabled, a remote user can connect to and use the remote debug service.
STR:
1) Enable debugging (not remote) on the target
2) enable HTTPMonitor extension on target
3) From another host, connect remote debugger to <target>:2929
4) enjoy your debugging session
Remediation:
It would be nice to restrict what's possible based on more than just whether or not a debugger protocol listener is listening. We can discuss some possible ways of doing this.
Assignee | ||
Comment 1•13 years ago
|
||
The HttpMonitor protocol implementation is just a proof of concept at this point. We are changing the way it attaches to the debugger server in bug 753401 and in my HttpMonitor fork at https://github.com/past/httpmonitor/. I definitely plan on having the HttpMonitor code honor the remote-enabled pref.
Other than that I'm not sure what else we could do. Extensions will always be able to unconditionally open the debugger server, or even their own socket, if they so wish. I've been thinking about a separate UI menu/button that launches the debugger server without the debugger frontend and a DebuggerServer API that goes along with it, but I believe this complicates the HttpMonitor UX for no real benefit. Any other ideas are welcome, of course.
Comment 2•13 years ago
|
||
Proof of concept implementation or not, this is in mozilla-central a security hole that affects nightly users.
Severity: normal → blocker
blocking-kilimanjaro: --- → +
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → unaffected
status-firefox15:
--- → affected
tracking-firefox15:
--- → +
Keywords: sec-critical
Reporter | ||
Comment 3•13 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Proof of concept implementation or not, this is in mozilla-central a
> security hole that affects nightly users.
Yes, although as discussed in IRC a user must both a) install the HTTPMonitor extension and b) enable serverMode via a pref in about:config.
What I'd like to see is a discussion of how we present the 'enable remote tools' option to users (I appreciate we're not quite ready for that UI piece yet - is there a separate bug for this?) - I just want to make sure there are no potential surprises for users that wish to make use of this feature.
Bug 755513 is probably also relevant to this discussion.
Assignee | ||
Comment 4•13 years ago
|
||
The patch in bug 758696 fixes this hole, by having the server code take the remote-enabled flag into consideration before opening the socket. I still plan to help Honza change HttpMonitor to the new API in bug 753401 (and figure out a better UX), but this fix should plug this hole for others as well.
Comment 5•13 years ago
|
||
Assigning to :past so security bugs have owners, but we expect bug 758696 to fix this.
Assignee: nobody → past
Depends on: 758696
Assignee | ||
Updated•13 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Comment 6•12 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Assigning to :past so security bugs have owners, but we expect bug 758696 to
> fix this.
bug 758696 has landed - is this resolved now?
Comment 7•12 years ago
|
||
mgoodwin: is your initial concern addressed now?
status-firefox16:
--- → affected
tracking-firefox16:
--- → +
Reporter | ||
Comment 8•12 years ago
|
||
I've tested the normal remote debugging route (which I am satisfied is OK) but I've not completed testing the netmonitor listener yet (I've had problems getting netmonitor to work as intended in the latest nightly). I'll continue with this tomorrow morning (hopefully it'll all be sorted before California wakes up).
Reporter | ||
Comment 9•12 years ago
|
||
I'm unable to test this in a conventional sense as the fix for bug 758696 broke the HTTPMonitor server code.
That said, it's apparent that it's no-longer possible to start a RemoteDebugger server without knowledge of the fact you're supposed to be explicit in allowing the connection. This is because the old style DebuggerServer.init(), will fail as invocations of an undefined _allowConnection can't succeed.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 10•12 years ago
|
||
Also making the status flags match, given bug 758696 is resolved in 15.
Updated•12 years ago
|
Whiteboard: [advisory-tracking+]
Comment 11•12 years ago
|
||
Given comment 9, I'm not sure if and how QA can verify this fix; please advise.
Keywords: verifyme
Whiteboard: [advisory-tracking+] → [advisory-tracking+][qa?]
Assignee | ||
Comment 12•12 years ago
|
||
I don't think it makes much sense for QA to verify this, either. HTTPMonitor is not released yet, and if one were to build its current version from source, it wouldn't work at all (a pull request to properly fix HTTPMonitor is already submitted). Also note that no release version of Firefox has contained this bug, since the debugger is enabled in 15, where the fix for bug 758696 landed.
Comment 13•12 years ago
|
||
Thank you, Panos. Marking this bug [qa-].
Whiteboard: [advisory-tracking+][qa?] → [advisory-tracking+][qa-]
Updated•12 years ago
|
Alias: CVE-2012-3973
Comment 14•12 years ago
|
||
I assume that this is Firefox only and Thunderbird and Seamonkey would not be affected by this bug?
Assignee | ||
Comment 15•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #14)
> I assume that this is Firefox only and Thunderbird and Seamonkey would not
> be affected by this bug?
HttpMonitor's install.rdf has the SeaMonkey targetAPplication ID, so if SeaMonkey ships the remote debugger server, it may be affected, in theory. Honza would know more than I do.
In practice, since no Firefox (and presumably SeaMonkey) release has ever contained this bug, and since HttpMonitor hasn't reached release status yet, I believe end users are not affected.
Comment 16•12 years ago
|
||
(In reply to Panos Astithas [:past] from comment #15)
> In practice, since no Firefox (and presumably SeaMonkey) release has ever
> contained this bug, and since HttpMonitor hasn't reached release status yet,
> I believe end users are not affected.
Well, unless they installed the non-released version of the extension, which is available to the public.
Updated•12 years ago
|
Group: core-security
Keywords: csec-priv-escalation
Updated•6 years ago
|
Product: Firefox → DevTools
You need to log in
before you can comment on or make changes to this bug.
Description
•