Last Comment Bug 765628 - (CVE-2012-4203) Bookmarklets on the new tab page are able to run privileged javascript
(CVE-2012-4203)
: Bookmarklets on the new tab page are able to run privileged javascript
Status: RESOLVED FIXED
[social engineering][adv-track-main17+]
: sec-moderate
Product: Firefox
Classification: Client Software
Component: General (show other bugs)
: 13 Branch
: All All
: -- normal (vote)
: Firefox 17
Assigned To: Tim Taubert [:ttaubert]
:
Mentors:
Depends on: 901586 790911
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-17 16:35 PDT by kakzz.ng
Modified: 2014-01-10 10:42 PST (History)
6 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
affected
affected
+
fixed
unaffected


Attachments
calc.html (624 bytes, text/html)
2012-06-17 16:35 PDT, kakzz.ng
no flags Details
patch v1 (1.58 KB, patch)
2012-06-21 17:00 PDT, Tim Taubert [:ttaubert]
gavin.sharp: review-
Details | Diff | Review
patch v2 (7.53 KB, patch)
2012-06-23 03:25 PDT, Tim Taubert [:ttaubert]
gavin.sharp: review+
Details | Diff | Review

Description kakzz.ng 2012-06-17 16:35:57 PDT
Created attachment 633930 [details]
calc.html

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120601173958

Steps to reproduce:

Clicking a javascript: url from the new tab page will run the script with full privileges. These javascript: urls are frequently used as 'bookmarklets' to run small javascript snippets. Were a malicious party able to socially engineer a user to bookmark a javscript bookmarklet and add it to the new FF13 "new tab page", when the user clicked the link from the new tab page privileged javascript would run.

The following is an example of privileged javascript which runs gcalctool on ubuntu: 

'javascript:var file = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath("/usr/bin/gcalctool");var process = Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);process.init(file);var args = [];process.run(false, args, args.length);'

adding that url as a bookmark and launching it from the new tab page will run the native gcalctool executable. (For windows, change the path to a windows executable.)

I've attached a html page which demonstrates the steps a user would have to take.

I've marked the bug as security sensitive as bookmarklets are widely used.

Only tested on 32-bit firefox 13 running on ubuntu.
Comment 1 [On PTO until 6/29] 2012-06-18 06:49:38 PDT
I can't get this to work on Firefox 13 on OS X. I can add it to the quick-launch cell on the new tab page but it cannot be opened from there.
Comment 2 kakzz.ng 2012-06-19 00:44:56 PDT
Did you change the path to be the path to a valid executable on OS X? The example above will try to run the executable /usr/bin/gcalctool, which is probably not present in OS X.

I don't have a mac, but maybe this path will work: /Applications/Calculator.app/Contents/MacOS/Calculator ?

Similarly for windows (at least on XP): C:\WINDOWS\system32\calc.exe

Of course, you don't have to open a calculator, you can do anything privileged javascript can do.
Comment 3 [On PTO until 6/29] 2012-06-19 02:46:52 PDT
Ah, I wasn't paying attention to that line in the bookmarklet. Yeah, this is bad. :-)
Comment 4 [On PTO until 6/29] 2012-06-19 02:47:07 PDT
(Verified in Firefox 13.0.1)
Comment 5 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-06-19 13:06:01 PDT
Hrm, I don't understand why this wouldn't have been fixed by bug 723808. Perhaps because of the way newtab loads URLs...
Comment 6 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-06-19 13:12:12 PDT
Ah, so I think the newtab just inserts the links as normal <a href="">s. Which means that we probably have an explicit owner for the load (the current page), and so don't go through the "find an owner to inherit from" code that was changed by bug 723808?
Comment 7 Boris Zbarsky [:bz] (Out June 25-July 6) 2012-06-19 13:19:13 PDT
So... I can't reproduce.  In a debug trunk build, I get no script execution and a logged message about there being no principal to execute with, as expected per bug 723808.  In Firefox 13, I just get nothing happening, when using this bookmarklet:

javascript:var file = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);file.initWithPath("/Applications/Calculator.app/Contents/MacOS/Calculator");var process = Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);process.init(file);var args = [];process.run(false, args, args.length);

I did verify that the path involved, on its own, launches a calculator.

Al, did you reproduce with Firefox 13?
Comment 8 Boris Zbarsky [:bz] (Out June 25-July 6) 2012-06-19 13:21:02 PDT
Ah.  I was clicking the button in the bookmarks toolbar.  Yeah, if you stick the URI in the page there will be no inheritance involved at all, so bug 723808 does not help.  What should probably happen is that adding a quick-launch cell should CheckLoadURI at least with DISALLOW_INHERIT_OWNER, and possibly with some sort of not-too-trusted source principal.  Do we want to allow dragging file:// URIs in there?  I guess we do...
Comment 9 Daniel Veditz [:dveditz] 2012-06-20 15:40:33 PDT
One could argue this is a power-user feature rather than a vulnerability, but I guess we should fix it because power-users have other options (a chrome scratchpad, for example) and this is plausible social-engineering target.
Comment 10 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-06-21 15:47:14 PDT
Just adding a checkLoadURI call with DISALLOW_INHERIT_PRINCIPAL before adding pages to newtab sounds reasonable to me.

Tim, do you want to take this?
Comment 11 Tim Taubert [:ttaubert] 2012-06-21 16:42:16 PDT
Yes, taking.
Comment 12 Tim Taubert [:ttaubert] 2012-06-21 17:00:30 PDT
Created attachment 635532 [details] [diff] [review]
patch v1

Using checkLoadURIWithPrincipal(DISALLOW_INHERIT_PRINCIPAL) to decide whether to accept external drags.
Comment 13 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-06-21 18:07:38 PDT
Comment on attachment 635532 [details] [diff] [review]
patch v1

spoke to Tim on IRC - approach looks fine, but we should have this apply to all links, not just drag&drop
Comment 14 Tim Taubert [:ttaubert] 2012-06-23 03:25:44 PDT
Created attachment 636057 [details] [diff] [review]
patch v2

Preventing 'bad links' from being dropped onto the grid and from appearing on the grid when included in history query results.

I included a test case for drag and drop. I couldn't really test the PlacesProvider filtering as that depends on bug 765235 being fixed.
Comment 15 Tim Taubert [:ttaubert] 2012-06-25 02:31:32 PDT
Just for reference, there is bug 739387 which seems to have some interest at least. Should the new tab page have been implemented as non-privileged (just like about:home) and communicate via messages to allow the inclusion of javascript: links?

Shouldn't be too hard to register it with the JSM in BrowserOnAboutPageLoad() and use messages to communicate with it.
Comment 16 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-06-25 10:22:09 PDT
I just duped that to bug 728313, but yeah, if that's an easy fix I think it'd be a nice solution to these issues!
Comment 17 Tim Taubert [:ttaubert] 2012-06-25 10:41:30 PDT
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #16)
> I just duped that to bug 728313, but yeah, if that's an easy fix I think
> it'd be a nice solution to these issues!

Took a quick stab at it today and looks like it's not as easy as I thought. I have no idea how to communicate between the content script and the actual web page. Also, unprivileged XUL files don't load as they're considered remote XUL.
Comment 18 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-07-14 19:29:49 PDT
Comment on attachment 636057 [details] [diff] [review]
patch v2

Can you add a test for the PlacesProvider path? (I assume you've ensured that the drop test fails without the fix).

Duplicating the "extract URL" code from _pinDraggedSite in isValid is sub-optimal, can we factor that out somehow?
Comment 19 Tim Taubert [:ttaubert] 2012-07-16 15:34:40 PDT
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #18)
> Can you add a test for the PlacesProvider path? (I assume you've ensured
> that the drop test fails without the fix).

Yes, the drop test fails without the fix. As per conversation on IRC: we can't test the PlacesProvider path as the navigation history will not allow us to add 'bad' links to it.

> Duplicating the "extract URL" code from _pinDraggedSite in isValid is
> sub-optimal, can we factor that out somehow?

Created a gDragDataHelper that contains this part of the code now.
Comment 20 Tim Taubert [:ttaubert] 2012-07-16 16:06:14 PDT
https://hg.mozilla.org/integration/fx-team/rev/c119555cd89a
Comment 21 Tim Taubert [:ttaubert] 2012-07-18 03:37:25 PDT
https://hg.mozilla.org/mozilla-central/rev/c119555cd89a
Comment 22 Tracy Walker [:tracy] 2014-01-10 10:42:09 PST
mass remove verifyme requests greater than 4 months old

Note You need to log in before you can comment on or make changes to this bug.