Closed Bug 770431 Opened 7 years ago Closed 7 years ago

Arbitrary code execution using bug 768101 and bug 770429

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set

Tracking

()

RESOLVED FIXED
Tracking Status
firefox14 --- wontfix
firefox15 + fixed
firefox16 + fixed
firefox17 + fixed
firefox18 + fixed
firefox-esr10 15+ fixed

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

References

Details

(Keywords: sec-critical, Whiteboard: [advisory-tracking+])

By using bug 768101's trick, content can take advantage of bug 770429 and perform a privilege escalation attack without user interaction.
Attached file testcase
This works on fx10-16.
Presumably, this will be fixed with my fix for bug 770431 (the actual patches are in bug 760109).
Assigning to Bobby for book keeping and double checking the fix.
Assignee: nobody → bobbyholley+bmo
Did those changes end up fixing this problem?
The testcase doesn't seem to do much on my OS X machine with Firefox 14.0.1 or current nightly. I get a blank iframe on a page.
Let's wait for this to be fixed on trunk before tracking for a specific ESR version again.

Bobby - can you try to see if you have better luck than Al?
Oh nevermind, bug 760109 has an approval request. We'll leave this at 15+.
bug 760109 is landed in 15 and ESR 10.0.7 (15+) but there's still some work here for bug 768101 coming for 16 so bumping up the esr tracking flag for the next release.
This may now be fixed in Firefox 18 since bug 768101 might be. This testcase probably no longer works (I get Error: Access to 'chrome://browser/content/browser.xul' from script denied) because bug 770429 was fixed.

I guess we might as well call this fixed and if there are unfixed variations they can go into new bugs.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [advisory-tracking+]
calling this fixed in 15 because it's using 768101 to abuse bug 770429, and that was fixed in 15.
Group: core-security
You need to log in before you can comment on or make changes to this bug.