Bug 769108 - (CVE-2012-3965) Chrome-privileged about:newtab remains in the history chain
Status: RESOLVED FIXED
Whiteboard: [advisory-tracking+]
Keywords: sec-critical
Product: Core
Classification: Components
Component: Document Navigation
Version: 13 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla16
Assigned To: Tim Taubert [:ttaubert] (on PTO, back Aug 29th)
Depends on: 724239
Reported: 2012-06-27 17:12 PDT by Mariusz Mlynski
Modified: 2014-07-24 13:44 PDT
Flags: rforbes: sec-bounty+; gavin.sharp: in-testsuite+

Attachments
PoC for v13.0.1 (772 bytes, text/html) - 2012-06-27 17:14 PDT, Mariusz Mlynski
PoC for v16.0a1 (870 bytes, text/html) - 2012-06-27 17:15 PDT, Mariusz Mlynski
PoC v2 for v16.0a1 (622 bytes, application/java-archive) - 2012-06-29 07:47 PDT, Mariusz Mlynski

Description Mariusz Mlynski 2012-06-27 17:12:32 PDT
When a user opens a page from a new tab, either by typing in the URL bar or by selecting one of the pinned/bookmarked sites, any page subsequently loaded in this tab can spawn a new window and navigate itself back to about:newtab. This is inherently unsafe, because about:newtab is chrome-privileged, and content can use the obtained reference for privilege escalation attacks.
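The point of the report is a property of the tab's session history, not of any single page: once the chrome-privileged about:newtab entry sits behind a content page, one history.back() from content lands on a privileged document (the new window the description mentions is only how the attacker keeps a usable reference after the navigation). The toy model below is an added illustration and is not Firefox code or the PoC from the attachments; the names SessionHistory, CHROME and CONTENT, the sample URL and the "replace instead of push" remedy are assumptions made for the illustration. The real fix lives in bug 724239 and is not reproduced here; comment 8 only tells us it makes "back" from the loaded page stop working, which is what the replace variant models.

```javascript
// Toy model of a tab's session history, added to illustrate bug 769108.
// Not Firefox code. Entry shape, class and principal names are assumptions.

const CHROME = 'chrome';   // privileged, as about:newtab was in Firefox 13
const CONTENT = 'content'; // ordinary web content

class SessionHistory {
  constructor(url, principal) {
    this.entries = [{ url, principal }];
    this.index = 0;
  }

  // Ordinary navigation: drop forward entries, push the new page on top.
  navigate(url, principal) {
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ url, principal });
    this.index = this.entries.length - 1;
  }

  // Replace the current entry, so the page being left cannot be returned to.
  replace(url, principal) {
    this.entries[this.index] = { url, principal };
  }

  // What a content page's history.back() would land on.
  back() {
    if (this.index > 0) this.index -= 1;
    return this.entries[this.index];
  }

  current() {
    return this.entries[this.index];
  }
}

// The check a reviewer would want: which privileged documents are reachable
// by walking back from the current entry?
function privilegedEntriesReachable(history) {
  return history.entries
    .slice(0, history.index)
    .filter((e) => e.principal === CHROME)
    .map((e) => e.url);
}

// Scenario from the description: about:newtab -> user types a URL ->
// the loaded page calls history.back(). URL is a constructed sample.
function vulnerableScenario() {
  const h = new SessionHistory('about:newtab', CHROME);
  h.navigate('http://attacker.example/', CONTENT);
  const reachable = privilegedEntriesReachable(h);
  const landed = h.back();
  return { reachable, landedOn: landed.url, landedPrincipal: landed.principal };
}

// Assumed remedy: leaving about:newtab replaces its entry instead of pushing
// on top of it, so no privileged entry is left behind the content page.
function fixedScenario() {
  const h = new SessionHistory('about:newtab', CHROME);
  h.replace('http://attacker.example/', CONTENT);
  const reachable = privilegedEntriesReachable(h);
  const landed = h.back();
  return { reachable, landedOn: landed.url, landedPrincipal: landed.principal };
}

console.log('vulnerable:', vulnerableScenario());
console.log('fixed:     ', fixedScenario());
```

The model deliberately ignores the cross-window reference (window.open plus the opener relationship) that the PoCs rely on; the invariant worth checking in a navigation layer is the simpler one the report names: no entry with a chrome principal should ever be reachable by a back navigation initiated by content.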
Comment 1 Mariusz Mlynski 2012-06-27 17:14:41 PDT
Created attachment 637316 [details]
PoC for v13.0.1

Arbitrary code execution using the COW properties exposure trick from bug 768101. Exploit for v13.0.1, open from a new tab.
Comment 2 Mariusz Mlynski 2012-06-27 17:15:52 PDT
Created attachment 637317 [details]
PoC for v16.0a1

Exploit for Nightly.
Comment 3 Daniel Veditz [:dveditz] 2012-06-27 22:29:02 PDT
Given the resulting PoC I'm assigning sec-critical to this bug, but I think the critical bit is bug 768101. The about:newtab bit is more a sec-moderate waiting to turn another bug into a disaster.
Comment 5 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-06-29 05:33:02 PDT
That exploit doesn't seem to work for me in my Mac Nightly build, FWIW.

For the moment, we should probably just fix bug 724239.
Comment 6 Mariusz Mlynski 2012-06-29 07:46:35 PDT
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #5)
> That exploit doesn't seem to work for me in my Mac Nightly build, FWIW.

I've looked at the code and identified 2 possible problems:

1. The exploit opens "c:\Windows\System32\calc.exe", which is obviously not a good idea on Mac :-)
2. chromeWin's prototype may outlive the exploit window and the wrapper is GC collected, resulting in "can't access dead object" errors on repeated attempts to write properties on it.

Please check the corrected version and let me know if there are any errors in the console. I've checked with Nightly 2012-06-29 and it works fine, I can only test with Windows 7 though.
Comment 7 Mariusz Mlynski 2012-06-29 07:47:52 PDT
Created attachment 637906 [details]
PoC v2 for v16.0a1
Comment 8 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-06-29 13:42:01 PDT
Ah, yeah - I didn't look closely at the source of the PoC :)

Tim: let's go with the approach in bug 724239 comment 6, and patch it in that bug. 

(Limi/UX are going to need to live without "back" functionality until we can make this page unprivileged.)
Comment 9 Daniel Veditz [:dveditz] 2012-07-05 13:33:32 PDT
CC'ing limi so he understands why we want to fix 724239 so badly.
Comment 10 Daniel Veditz [:dveditz] 2012-07-05 13:35:32 PDT
The patch in bug 724239 appears to be safe and limited enough to take in Beta (Firefox 14).
Comment 11 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-07-12 09:47:30 PDT
FIXED by bug 724239.
Comment 12 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-07-12 09:47:53 PDT
(In reply to Daniel Veditz [:dveditz] from comment #10)
> The patch in bug 724239 appears to be safe and limited enough to take in
> Beta (Firefox 14).

It was decided in that bug that we wouldn't take it for 14.
