Bug 754202 regressed IsCapabilityEnabled

Status: RESOLVED FIXED
Product: Core
Component: Security
Priority: --
Severity: blocker
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Tracking

Keywords: regression, sec-critical, testcase
Version: Trunk
Hardware: x86
OS: Windows XP
Points: ---

Firefox Tracking Flags

firefox15 unaffected, firefox16+ fixed, firefox-esr10 unaffected

Details

Whiteboard: [advisory-tracking-] new in Fx 16

(Reporter)

Description

6 years ago
When there is no frame, the result of IsCapabilityEnabled is always true.  This is not good since event listeners can be called with no frame.
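The defect the description reports, a capability check that treats "no script frame on the stack" as "fully privileged", is modelled below as an added example. This is not Firefox's nsScriptSecurityManager code and not the reporter's testcase; the types, function names and the capability label are hypothetical. It shows the fail-open check beside a fail-closed one that, when there is no frame, falls back to the principal of the code that installed the callback and otherwise denies.

```cpp
// Added example: simplified model of a caller-context capability check.
// Not Firefox code; all names here are hypothetical.
#include <set>
#include <string>

struct Principal {
    bool isSystem;                     // chrome/system principal
    std::set<std::string> enabled;     // capabilities explicitly granted
};

// A JS stack frame carries the principal of the script executing in it.
struct Frame {
    const Principal* principal;
};

// Fail-open model of the reported defect: with no frame on the stack the check
// answers "yes", which is exactly what a listener invoked from native code sees.
static bool isCapabilityEnabledFailOpen(const Frame* frame, const std::string& cap) {
    if (frame == nullptr) {
        return true;                   // BUG: absence of a caller grants the capability
    }
    return frame->principal->isSystem || frame->principal->enabled.count(cap) != 0;
}

// Fail-closed variant: with no frame, decide from the principal of the code that
// registered the callback (the subject principal); with no context at all, deny.
static bool isCapabilityEnabledFailClosed(const Frame* frame,
                                          const Principal* subject,
                                          const std::string& cap) {
    const Principal* p = frame ? frame->principal : subject;
    if (p == nullptr) {
        return false;
    }
    return p->isSystem || p->enabled.count(cap) != 0;
}

// A listener registered by content; we only need to remember who installed it.
struct Listener {
    const Principal* subject;
};

// Simulates native code firing an event at a content listener with no JS frame
// on the stack. Returns true if the listener's privileged call would be allowed,
// i.e. the content script has escalated. "UniversalXPConnect" is just a label here.
static bool contentListenerEscalates(bool failOpen) {
    static const Principal content{false, {}};
    Listener l{&content};
    const Frame* frame = nullptr;      // event dispatched from native code
    const std::string cap = "UniversalXPConnect";
    return failOpen ? isCapabilityEnabledFailOpen(frame, cap)
                    : isCapabilityEnabledFailClosed(frame, l.subject, cap);
}

// Control case: an ordinary call with a frame present. Both variants deny a
// content caller and allow a system caller, so the frame-less path is the only
// behavioural difference between them.
static bool frameCallAllowed(bool failOpen, bool systemCaller) {
    static const Principal content{false, {}};
    static const Principal system{true, {}};
    Frame f{systemCaller ? &system : &content};
    const std::string cap = "UniversalXPConnect";
    return failOpen ? isCapabilityEnabledFailOpen(&f, cap)
                    : isCapabilityEnabledFailClosed(&f, nullptr, cap);
}
```

The point to check in any such fix is the frame-less path only: `contentListenerEscalates(true)` is the bug, `contentListenerEscalates(false)` is the hardened behaviour, and the with-frame cases must not change.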
(Reporter)

Comment 1

6 years ago
Created attachment 631400
testcase - arbitrary code execution

This uses bug 344495's trick.
This works on trunk.
Over to Bobby.

Assignee: nobody → bobbyholley+bmo

mmmm... did we have no tests for this?

Comment 4

6 years ago
Hmm, the testcase doesn't work for me on trunk...
(Assignee)

Comment 5

6 years ago
(In reply to Boris Zbarsky (:bz) from comment #3)
> mmmm... did we have no tests for this?

That used moz_bug_r_a4's stack frame trick? I wasn't sure those were ever checked in.
(Assignee)

Updated

6 years ago
Blocks: 763129

We don't want to check in tests demonstrating the exploit, but often the specific problem can be demonstrated without using that trick (sometimes it requires a chrome testcase to show that the wrong thing is getting used/returned in places).
Blocks: 754202
Keywords: regression, sec-critical, testcase
Severity: normal → blocker
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → +
Blocks: 758344

This should be fixed by the backout in bug 754202 comment 41, right? I don't think it makes sense to leave this open in case we reland it, but of course we should test it again.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: new in Fx 16

I can't get this testcase to do anything on pre-fix trunk builds. The only thing I see that is different pre- and post-fix on my mozilla-central builds is that pre-fix has the following in the web console:

[12:02:01.330] Error: Permission denied for <https://bug762920.bugzilla.mozilla.org> to get property XPCComponents.utils

I see the same whether I load it locally or from bugzilla, as in above. Do we have something that repros that issue?
(Assignee)

Comment 9

6 years ago
There should be a specific window, between when bug 754202 landed and when it was backed out, where you should get an alert popup (indicating that the exploit was successful).
Yeah, I thought I had it. I'll keep digging.

All right. I was a day off last time. The bug repros in the 6/9 Mozilla Central build and was fixed after the backout of bug 754202.
Status: RESOLVED → VERIFIED

Bug 754202 has relanded, so it'd be safest to reverify this bug.
Status: VERIFIED → RESOLVED
Last Resolved: 6 years ago
status-firefox16: affected → fixed
Whiteboard: new in Fx 16 → [advisory-tracking+] new in Fx 16
Whiteboard: [advisory-tracking+] new in Fx 16 → [advisory-tracking-] new in Fx 16
Group: core-security