Last Comment Bug 757128 - (CVE-2012-3973) Remote debugging is possible even when disabled if netmonitor is enabled
(CVE-2012-3973)
: Remote debugging is possible even when disabled if netmonitor is enabled
Status: RESOLVED FIXED
[advisory-tracking+][qa-]
: csectype-priv-escalation, sec-critical
Product: Firefox
Classification: Client Software
Component: Developer Tools: Debugger (show other bugs)
: 15 Branch
: x86 Mac OS X
: P1 blocker (vote)
: ---
Assigned To: Panos Astithas [:past]
:
Mentors:
Depends on:
Blocks: minotaur
  Show dependency treegraph
 
Reported: 2012-05-21 10:44 PDT by Mark Goodwin [:mgoodwin]
Modified: 2012-09-23 15:31 PDT (History)
8 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
unaffected
+
fixed
+
fixed
unaffected


Attachments

Description Mark Goodwin [:mgoodwin] 2012-05-21 10:44:36 PDT
Issue:
If remote debugging is disabled, but HTTPMonitor is enabled, a remote user can connect to and use the remote debug service.

STR:
1) Enable debugging (not remote) on the target
2) enable HTTPMonitor extension on target
3) From another host, connect remote debugger to <target>:2929
4) enjoy your debugging session

Remediation:
It would be nice to restrict what's possible based on more than just whether or not a debugger protocol listener is listening. We can discuss some possible ways of doing this.
Comment 1 Panos Astithas [:past] 2012-05-22 00:03:29 PDT
The HttpMonitor protocol implementation is just a proof of concept at this point. We are changing the way it attaches to the debugger server in bug 753401 and in my HttpMonitor fork at https://github.com/past/httpmonitor/. I definitely plan on having the HttpMonitor code honor the remote-enabled pref.

Other than that I'm not sure what else we could do. Extensions will always be able to unconditionally open the debugger server, or even their own socket, if they so wish. I've been thinking about a separate UI menu/button that launches the debugger server without the debugger frontend and a DebuggerServer API that goes along with it, but I believe this complicates the HttpMonitor UX for no real benefit. Any other ideas are welcome, of course.
Comment 2 Daniel Veditz [:dveditz] 2012-05-23 10:45:21 PDT
Proof of concept implementation or not, this is in mozilla-central a security hole that affects nightly users.
Comment 3 Mark Goodwin [:mgoodwin] 2012-05-24 08:28:04 PDT
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Proof of concept implementation or not, this is in mozilla-central a
> security hole that affects nightly users.

Yes, although as discussed in IRC a user must both a) install the HTTPMonitor extension and b) enable serverMode via a pref in about:config.

What I'd like to see is a discussion of how we present the 'enable remote tools' option to users (I appreciate we're not quite ready for that UI piece yet - is there a separate bug for this?) - I just want to make sure there are no potential surprises for users that wish to make use of this feature.

Bug 755513 is probably also relevant to this discussion.
Comment 4 Panos Astithas [:past] 2012-05-29 05:52:08 PDT
The patch in bug 758696 fixes this hole, by having the server code take the remote-enabled flag into consideration before opening the socket. I still plan to help Honza change HttpMonitor to the new API in bug 753401 (and figure out a better UX), but this fix should plug this hole for others as well.
Comment 5 Daniel Veditz [:dveditz] 2012-05-31 13:26:01 PDT
Assigning to :past so security bugs have owners, but we expect bug 758696 to fix this.
Comment 6 Johnathan Nightingale [:johnath] 2012-06-04 06:33:54 PDT
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Assigning to :past so security bugs have owners, but we expect bug 758696 to
> fix this.

bug 758696 has landed - is this resolved now?
Comment 7 Daniel Veditz [:dveditz] 2012-06-07 13:34:13 PDT
mgoodwin: is your initial concern addressed now?
Comment 8 Mark Goodwin [:mgoodwin] 2012-06-07 14:14:06 PDT
I've tested the normal remote debugging route (which I am satisfied is OK) but I've not completed testing the netmonitor listener yet (I've had problems getting netmonitor to work as intended in the latest nightly). I'll continue with this tomorrow morning (hopefully it'll all be sorted before California wakes up).
Comment 9 Mark Goodwin [:mgoodwin] 2012-06-08 06:06:55 PDT
I'm unable to test this in a conventional sense as the fix for bug 758696 broke the HTTPMonitor server code.

That said, it's apparent that it's no-longer possible to start a RemoteDebugger server without knowledge of the fact you're supposed to be explicit in allowing the connection. This is because the old style DebuggerServer.init(), will fail as invocations of an undefined _allowConnection can't succeed.
Comment 10 Alex Keybl [:akeybl] 2012-07-26 17:01:34 PDT
Also making the status flags match, given bug 758696 is resolved in 15.
Comment 11 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-21 15:15:20 PDT
Given comment 9, I'm not sure if and how QA can verify this fix; please advise.
Comment 12 Panos Astithas [:past] 2012-08-22 01:42:41 PDT
I don't think it makes much sense for QA to verify this, either. HTTPMonitor is not released yet, and if one were to build its current version from source, it wouldn't work at all (a pull request to properly fix HTTPMonitor is already submitted). Also note that no release version of Firefox has contained this bug, since the debugger is enabled in 15, where the fix for bug 758696 landed.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-22 10:46:22 PDT
Thank you, Panos. Marking this bug [qa-].
Comment 14 Al Billings [:abillings] 2012-08-24 12:00:37 PDT
I assume that this is Firefox only and Thunderbird and Seamonkey would not be affected by this bug?
Comment 15 Panos Astithas [:past] 2012-08-24 14:26:17 PDT
(In reply to Al Billings [:abillings] from comment #14)
> I assume that this is Firefox only and Thunderbird and Seamonkey would not
> be affected by this bug?

HttpMonitor's install.rdf has the SeaMonkey targetAPplication ID, so if SeaMonkey ships the remote debugger server, it may be affected, in theory. Honza would know more than I do.

In practice, since no Firefox (and presumably SeaMonkey) release has ever contained this bug, and since HttpMonitor hasn't reached release status yet, I believe end users are not affected.
Comment 16 Al Billings [:abillings] 2012-08-27 11:42:14 PDT
(In reply to Panos Astithas [:past] from comment #15)

> In practice, since no Firefox (and presumably SeaMonkey) release has ever
> contained this bug, and since HttpMonitor hasn't reached release status yet,
> I believe end users are not affected.

Well, unless they installed the non-released version of the extension, which is available to the public.

Note You need to log in before you can comment on or make changes to this bug.