Bug 783260 - (CVE-2012-3991) Error: Error: Permission denied to access property 'toString' when open certain site
Status: VERIFIED FIXED
Whiteboard: [sg:critical][advisory-tracking+]secu...
Keywords: sec-critical
Product: Core
Classification: Components
Component: Security: CAPS
Version: 16 Branch
Platform: x86 Windows 7
Severity: normal
Assigned To: Bobby Holley
Depends on: 754202
Blocks: 783957
Reported: 2012-08-16 07:05 PDT by Alice0775 White
Modified: 2014-07-24 13:44 PDT
Flags: rforbes: sec-bounty+
Tracking flags: wontfix, verified, verified, verified, 16+, verified

Attachments
- stack (9.76 KB, text/plain), 2012-08-16 12:44 PDT, Bobby Holley
- Push some principals on esr10 (5.52 KB, patch), 2012-09-05 22:50 PDT, Bobby Holley; mrbkap: review+, akeybl: approval-mozilla-esr10+

Description Alice0775 White 2012-08-16 07:05:12 PDT
This appears in Aurora16.0a2 and Nightly17.0a1.
(The appearance of the page does not seem to have the problem in particular.)


Steps To Reproduce:

1. Load http://ww2.noticiasmvs.com/entrevistas/primera-emision-con-carmen-aristegui/postura-de-mvs-sobre-rescate-banda-25-ghz-conferencia-de-prensa-139.html

Actual Results:
  The following error is shown in the Error Console:
  Error: Permission denied to access property 'toString'
Comment 1 Boris Zbarsky [:bz] 2012-08-16 09:44:50 PDT
Bobby, please take a look into this?  There's a good chance NPAPI is involved...
Comment 2 Bobby Holley (PTO through June 13) 2012-08-16 12:44:30 PDT
Created attachment 652523 [details]
stack

Attaching a stack.
Comment 3 Bobby Holley (PTO through June 13) 2012-08-16 13:17:41 PDT
The plugin, which lives in a youtube iframe, appears to be toString()-ing window.location of the cross-origin parent frame, which is being rightfully denied. I'm going to see what's different on beta.
Comment 4 Boris Zbarsky [:bz] 2012-08-16 13:28:46 PDT
I believe Flash does this on purpose, and bases part of their security policy on it or something....  So if it used to work, it needs to keep working.

How exactly is the plug-in doing this?  Is it just doing a NPN_LoadURI or whatever on a javascript: URI?
Comment 5 Boris Zbarsky [:bz] 2012-08-16 13:30:06 PDT
Oh, it's doing it via explicit NP_Invoke.  OK.
Comment 6 Bobby Holley (PTO through June 13) 2012-08-16 13:40:31 PDT
This is actually an sg:crit on beta. Awesome.
Comment 7 Bobby Holley (PTO through June 13) 2012-08-16 13:41:53 PDT
The call succeeds because the check for UniversalXPConnect returns true. The reason is that nsScriptSecurityManager::IsCapabilityEnabled doesn't find an fp (since there's no script code on the stack), and there's no principal pushed either. So it grants all privileges.
Comment 8 Bobby Holley (PTO through June 13) 2012-08-16 13:44:29 PDT
Ironically, this bug was reported because we _fixed_ the security hole here, via bug 754202. For beta and esr, we should probably push a principal somewhere.
Comment 9 Bobby Holley (PTO through June 13) 2012-08-16 13:51:01 PDT
So basically, NP_Invoke invokes methods by doing a GetProperty via JSAPI, testing if it's a function, and then invoking it. But because the GetProperty operation isn't scripted, our security wrappers are entirely bypassed when getting cross-origin properties, because they always succeed with the check for UniversalXPConnect. I think pushing a principal in do_Invoke will work, but I'm not sure if there are other callsites that are similarly vulnerable.

Maybe bsmedberg or jst can tell me if there are other analogous situations in the plugin code.
Comment 10 Bobby Holley (PTO through June 13) 2012-08-16 13:57:09 PDT
Actually, is it even worth writing a patch against beta? The code freeze already happened, right? Maybe just against ESR10?
Comment 11 Bobby Holley (PTO through June 13) 2012-08-16 14:02:44 PDT
This is totally up moz_bug_r_a4's alley.
Comment 12 Benjamin Smedberg [:bsmedberg] 2012-08-16 14:08:33 PDT
I think that all of the raw JSAPI usage here is within nsJSNPRuntime.cpp, and I would guess that we would also need to push for any other NPRuntime usage which could be setup by the plugin while content JS is on the stack (which is all NPRuntime usage), so:

hasmethod (maybe?)
invoke
invokeDefault
hasProperty
getProperty
setProperty
removeProperty
enumerate
construct
Comment 13 Bobby Holley (PTO through June 13) 2012-08-16 14:15:31 PDT
(In reply to Benjamin Smedberg  [:bsmedberg] [away 27-July until 7-Aug] from comment #12)
> I think that all of the raw JSAPI usage here is within nsJSNPRuntime.cpp,
> and I would guess that we would also need to push for any other NPRuntime
> usage which could be setup by the plugin while content JS is on the stack

Do you mean "while no content JS is on the stack"?
Comment 14 Boris Zbarsky [:bz] 2012-08-16 14:22:49 PDT
Wait.  Isn't this the plug-in trying to get top.location.toString() or something?  Again, should that be allowed cross-site?  I guess it shouldn't, probably, unless Flash depends on it working.
Comment 15 Bobby Holley (PTO through June 13) 2012-08-16 14:39:56 PDT
(In reply to Boris Zbarsky (:bz) [In and out Aug 1 - 10, out Aug 11-20] from comment #14)
> Wait.  Isn't this the plug-in trying to get top.location.toString() or
> something?

Yes.

> Again, should that be allowed cross-site?

Not per our current security policy, no.

> I guess it shouldn't, probably, unless Flash depends on it working.

Not sure how we could sanely special-case that, but I'm not a plugin expert.
Comment 16 Johnny Stenback (:jst, jst@mozilla.com) 2012-08-16 15:31:03 PDT
(In reply to Bobby Holley (:bholley) from comment #15)
> (In reply to Boris Zbarsky (:bz) [In and out Aug 1 - 10, out Aug 11-20] from
> comment #14)
[...]
> > I guess it shouldn't, probably, unless Flash depends on it working.
> 
> Not sure how we could sanely special-case that, but I'm not a plugin expert.

It should *not* be permitted across origins, and never has been, so no special casing is needed here. Flash merely wants to know whether it's embedded in a same-origin top window or not, or that's at least my understanding, and throwing an exception at them when they do that check across origins is fine.
Comment 17 Al Billings [:abillings] 2012-08-23 13:28:56 PDT
Can we assign someone to work on this, Johnny?
Comment 18 Bobby Holley (PTO through June 13) 2012-08-23 13:35:50 PDT
I believe this only needs to be patched on esr10. I was going to work on it this week but didn't have time. :-(

Basically all that needs to happen is to call nsScriptSecurityManager::{Push,Pop}ContextPrincipal at each of NPJSRuntime callsites listed in comment 12.
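To make the mechanism in comments 7, 9 and 18 concrete, here is an added illustration that is not Gecko code and is not part of this bug or of the esr10 patch: a small C++ model of a capability check that fails open when no subject principal can be found on the stack, beside an NPRuntime-style entry point that pushes the plugin's own principal for the duration of the call. Every type and function name (SecurityContext, isUniversalXPConnectEnabled, ScopedPrincipalPush, npGetPropertyFixed, and so on) is a hypothetical stand-in for the real nsScriptSecurityManager and nsJSNPRuntime machinery, and the origins are constructed.

```cpp
// Added illustration, not Gecko code: a minimal model of the fail-open
// capability check described in comments 7 and 9 and of the push/pop-principal
// fix from comment 18. Every name below is a hypothetical stand-in for the
// real nsScriptSecurityManager / nsJSNPRuntime machinery.
#include <cstdio>
#include <string>
#include <vector>

// A principal is modelled by its origin alone.
struct Principal {
    std::string origin;
};

// The security manager's view of "who is calling": content JS frames on the
// stack plus an explicit stack of principals pushed around native entry points.
struct SecurityContext {
    std::vector<Principal> scriptFrames;
    std::vector<Principal> pushedPrincipals;

    // Subject principal lookup: innermost script frame first, then the most
    // recently pushed principal; nullptr means nothing was found.
    const Principal* subjectPrincipal() const {
        if (!scriptFrames.empty()) return &scriptFrames.back();
        if (!pushedPrincipals.empty()) return &pushedPrincipals.back();
        return nullptr;
    }
};

// Fail-open check modelled on comment 7: with no script frame and no pushed
// principal there is no subject to check, so the caller is treated as fully
// privileged (the historical UniversalXPConnect grant). That is the bug.
bool isUniversalXPConnectEnabled(const SecurityContext& ctx) {
    return ctx.subjectPrincipal() == nullptr;
}

// Cross-origin wrapper: a property of a window owned by `target` may be read
// only by a same-origin subject, unless the caller holds UniversalXPConnect.
bool mayGetProperty(const SecurityContext& ctx, const Principal& target) {
    if (isUniversalXPConnectEnabled(ctx)) return true;
    const Principal* subject = ctx.subjectPrincipal();
    return subject != nullptr && subject->origin == target.origin;
}

// RAII stand-in for the Push/PopContextPrincipal pair: the principal stays
// pushed exactly for the lifetime of the native call.
class ScopedPrincipalPush {
public:
    ScopedPrincipalPush(SecurityContext& ctx, const Principal& p) : ctx_(ctx) {
        ctx_.pushedPrincipals.push_back(p);
    }
    ~ScopedPrincipalPush() { ctx_.pushedPrincipals.pop_back(); }
private:
    SecurityContext& ctx_;
};

// NPRuntime-style GetProperty before the fix: the plugin call arrives with no
// script on the stack, so the fail-open check waves it through.
bool npGetPropertyVulnerable(SecurityContext& ctx, const Principal& /*plugin*/,
                             const Principal& target) {
    return mayGetProperty(ctx, target);
}

// The same entry point with the fix: push the plugin's own principal for the
// duration of the call so the check has a subject to compare against.
bool npGetPropertyFixed(SecurityContext& ctx, const Principal& plugin,
                        const Principal& target) {
    ScopedPrincipalPush push(ctx, plugin);
    return mayGetProperty(ctx, target);
}

// Scenario helpers with constructed origins (not the bug's real sites):
// a plugin hosted in a cross-origin iframe reads a property of the top window.
bool crossOriginReadBeforeFix() {
    SecurityContext ctx;  // no content JS on the stack, nothing pushed
    return npGetPropertyVulnerable(ctx, Principal{"https://iframe.example"},
                                   Principal{"https://top.example"});
}
bool crossOriginReadAfterFix() {
    SecurityContext ctx;
    return npGetPropertyFixed(ctx, Principal{"https://iframe.example"},
                              Principal{"https://top.example"});
}
// Same-origin reads must keep working after the fix.
bool sameOriginReadAfterFix() {
    SecurityContext ctx;
    return npGetPropertyFixed(ctx, Principal{"https://top.example"},
                              Principal{"https://top.example"});
}

int main() {
    std::printf("cross-origin read, before fix: %s\n",
                crossOriginReadBeforeFix() ? "allowed (bug)" : "denied");
    std::printf("cross-origin read, after fix:  %s\n",
                crossOriginReadAfterFix() ? "allowed" : "denied");
    std::printf("same-origin read, after fix:   %s\n",
                sameOriginReadAfterFix() ? "allowed" : "denied");
    return 0;
}
```

The point the model makes is the one in comment 31: after the fix, the cross-origin read is denied (the "Permission denied" error is the correct outcome), while a same-origin read still succeeds. The RAII push also shows why each NPRuntime entry point in comment 12 needs its own push/pop pair: the subject principal is only visible while the native call is in progress.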
Comment 19 Johnny Stenback (:jst, jst@mozilla.com) 2012-08-23 14:17:59 PDT
Bobby will write the patch for this one, thanks!
Comment 20 Bobby Holley (PTO through June 13) 2012-09-05 22:50:36 PDT
Created attachment 658789 [details] [diff] [review]
Push some principals on esr10

Prepared a patch for esr10 that fixes the testcases in bug 783957. Flagging mrbkap for review.
Comment 21 Blake Kaplan (:mrbkap) (please use needinfo!) 2012-09-06 19:10:05 PDT
Comment on attachment 658789 [details] [diff] [review]
Push some principals on esr10

Whew, this is subtle. Good riddance to UniversalXPConnect!
Comment 22 Bobby Holley (PTO through June 13) 2012-09-06 22:51:36 PDT
Comment on attachment 658789 [details] [diff] [review]
Push some principals on esr10

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: security vulnerabilities
Fix Landed on Version: This patch is esr10-only.
Risk to taking this patch (and alternatives if risky): Low risk 
String or UUID changes made by this patch: None

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Comment 23 Bobby Holley (PTO through June 13) 2012-09-14 03:20:07 PDT
https://hg.mozilla.org/releases/mozilla-esr10/rev/ee8351424c56

Verification can be done with the testcase in bug 783957.
Comment 24 Bobby Holley (PTO through June 13) 2012-09-25 12:05:13 PDT
I'm resolving this FIXED given that it only affected esr10.
Comment 26 Daniel Veditz [:dveditz] 2012-10-01 14:07:46 PDT
This bug was originally filed as a regression of bug 754202, but that initial symptom is essentially "wontfix" or "invalid" and the bug turned into an unknown security issue that had been fixed as a side-effect of bug 754202. "Depends on" 754202 rather than "blocks" more accurately reflects what actually happened here.

Thanks for reporting this, Alice -- would not have found the lurking security problem otherwise.
Comment 28 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-22 13:20:24 PST
Kamil, can you please make an attempt at verifying this is fixed?
Comment 29 Kamil Jozwiak [:kjozwiak] 2012-11-26 11:10:19 PST
Went through the bug and reproduced it with all the versions that we listed above:

Aurora16.0a2 (Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/08/2012-08-01-04-20-10-mozilla-aurora/
Nightly17.0a1 (Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-01-04-20-09-mozilla-aurora/
Firefox Build 16.0.2 (Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/16.0.2/win32/en-US/
Firefox Build 17.0 (Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0/win32/en-US/
Firefox Build 18.0b1 (Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/18.0b1/win32/en-US/
Firefox Build 10.0.11esrpre (Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-esr10/

I went through all those builds using the following OS's:
- Windows 7 Home Premium SP1 x64 (Reproduced)
- Windows 7 Home Premium SP1 x86 (Reproduced)
- Windows 8 x86 (Reproduced)

I think the issue has something to do with Adobe Flash (as mentioned in the ticket several times), when Flash isn't installed on the target computer, you will receive the following error in the console:
- TypeError: this.obj is undefined

Once Adobe Flash is installed (in this case, version 11.5.502.110) and Firefox is re-installed, I receive the following error in the console:
- Error: Permission denied to access property 'toString'

I've also created a short video that can be found in the link below to show the issue occurring (being reproduced) on Windows 8 x86 on Firefox 17.0:
- http://screencast.com/t/mJn6tbPhUATa
Comment 30 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-26 11:32:09 PST
Thanks a lot Kamil!

Bobby, given these results, I'm not sure how we can verify this is fixed. Please advise.
Comment 31 Bobby Holley (PTO through June 13) 2012-12-05 17:51:29 PST
Anthony - Throwing the "Permission Denied" is an indicator that the security issue is fixed. The bug summary here is a little confusing, because it was filed as a regression in Aurora but actually indicated that there was a security vulnerability in Beta/Release (that is to say, those _should_ have been throwing the security exception, but they weren't).
Comment 32 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-06 11:10:25 PST
Kamil, can you please confirm which of the builds you tested gave a Permission Denied error and which did not? Thanks.
Comment 33 Kamil Jozwiak [:kjozwiak] 2012-12-13 21:00:41 PST
Windows 7 Home Premium x86:

Firefox Build 16.0.2 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/16.0.2/win32/en-US/
Aurora16.0a2 - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/08/2012-08-01-04-20-10-mozilla-aurora/
Firefox Build 17.0 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0/win32/en-US/
Nightly17.0a1 - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-01-04-20-09-mozilla-aurora/
Firefox Build 18.0b1 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/18.0b1/win32/en-US/
Firefox Build 10.0.11esrpre - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-esr10/

Received "Error: Permission denied to access property 'toString'" on all the above builds

Windows 7 Home Premium x64:

Firefox Build 16.0.2 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/16.0.2/win32/en-US/
Aurora16.0a2 - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/08/2012-08-01-04-20-10-mozilla-aurora/
Firefox Build 17.0 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0/win32/en-US/
Nightly17.0a1 - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-01-04-20-09-mozilla-aurora/
Firefox Build 18.0b1 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/18.0b1/win32/en-US/
Firefox Build 10.0.11esrpre - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-esr10/

Received "Error: Permission denied to access property 'toString'" on all the above builds

Windows 8 x86:

Firefox Build 16.0.2 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/16.0.2/win32/en-US/
Aurora16.0a2 - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/08/2012-08-01-04-20-10-mozilla-aurora/
Firefox Build 17.0 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0/win32/en-US/
Nightly17.0a1 - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-01-04-20-09-mozilla-aurora/
Firefox Build 18.0b1 - http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/18.0b1/win32/en-US/
Firefox Build 10.0.11esrpre - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-esr10/

Received "Error: Permission denied to access property 'toString'" on all the above builds
Comment 34 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-14 13:44:36 PST
Thank you Kamil.

Bobby, based on Kamil's results and your clarification in comment 31, I think this can be marked verified. Do you agree?
Comment 35 Bobby Holley (PTO through June 13) 2012-12-14 15:21:54 PST
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #34)
> Thank you Kamil.
> 
> Bobby, based on Kamil's results and your clarification in comment 31, I
> think this can be marked verified. Do you agree?

Yep.
Comment 36 Raymond Forbes[:rforbes] 2013-07-19 18:47:24 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719