Arbitrary code execution with Flash plugin using bug 783260

VERIFIED FIXED

Status

Core :: Security

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Tracking

Keywords: sec-critical
Version: unspecified
Platform: x86, Windows XP
Points: ---

Firefox Tracking Flags

(firefox14 wontfix, firefox15 wontfix, firefox16 verified, firefox17 verified, firefox18 verified, firefox-esr1016+ verified)

Details

(Whiteboard: [sg:dupe 783260][advisory-tracking+])

(Reporter)

Description

6 years ago
Fx15,14,10 are exploitable as described in bug 783260 comment 6-8.
(Reporter)

Comment 1

6 years ago
Created attachment 653282 [details]
testcase 1 - the exploit code is called via NP_GetProperty.

This uses bug 344495's trick.
This works on fx15,14,10.
(Reporter)

Comment 2

6 years ago
Created attachment 653286 [details]
testcase 2 - the exploit code is called via NP_Invoke.

This uses bug 344495's trick.
This works on fx15,14,10.

Comment 3

6 years ago
How is this a different bug than bug 783260?
(Assignee)

Comment 4

6 years ago
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #3)
> How is this a different bug than bug 783260?

Because it adds remote code execution exploits for it? I thought it was standard practice for moz_bug_r_a4 to put those in a separate bug.
(Reporter)

Comment 5

6 years ago
(In reply to Bobby Holley (:bholley) from comment #4)
> (In reply to Benjamin Smedberg  [:bsmedberg] from comment #3)
> > How is this a different bug than bug 783260?
> 
> Because it adds remote code execution exploits for it? I thought it was
> standard practice for moz_bug_r_a4 to put those in a separate bug.

Er, yes. I filed this bug to attach the testcases.
Depends on: 783260
Whiteboard: [sg:dupe 783260]
Setting tracking flags based on comment 0.
status-firefox-esr10: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → unaffected
status-firefox17: --- → unaffected
Keywords: sec-critical
Who can we assign this to in order to get traction?

Comment 8

6 years ago
bholley, although I'm pretty sure it's a straight dup. I don't understand the bit about the testcases.
Assignee: nobody → bobbyholley+bmo
(Assignee)

Comment 9

6 years ago
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #8)
> bholley, although I'm pretty sure it's a straight dup. I don't understand
> the bit about the testcases.

Yes, it's a dupe. moz_bug_r_a4 has various tricks that we don't like to reveal when bugs are made public, so we try to post the remote code execution testcases in a separate bug sometimes (this is my understanding, at least).
status-firefox18: --- → unaffected
tracking-firefox-esr10: --- → ?
Summary: Arbitrary code execution with Flash plugin → Arbitrary code execution with Flash plugin using bug 783260
tracking-firefox-esr10: ? → 16+
Comment 9 is private: false
(Reporter)

Comment 10

6 years ago
(In reply to Bobby Holley (:bholley) from comment #9)
> (In reply to Benjamin Smedberg  [:bsmedberg] from comment #8)
> > bholley, although I'm pretty sure it's a straight dup. I don't understand
> > the bit about the testcases.
> 
> Yes, it's a dupe. moz_bug_r_a4 has various tricks that we don't like to
> reveal when bugs are made public, so we try to post the remote code
> execution testcases in a separate bug sometimes (this is my understanding,
> at least).

When attaching remote code execution testcases to a bug, if persons in that bug seem to be Mozilla staff or seem to already know tricks used by the testcases, I attach the testcases to that bug.  Otherwise, I attach the testcases to a separate bug because I can't create private comments/attachments.
(Assignee)

Comment 11

6 years ago
Resolving this fixed because bug 783260 is now fixed. I mentioned in that bug to verify the testcases here.
status-firefox-esr10: affected → fixed
status-firefox14: affected → wontfix
status-firefox15: affected → wontfix
Keywords: verifyme
I'm confused by the flags on this bug. Bug 783260 is ESR only and doesn't affect anything else. This bug, based on it, says it is won't fix for Firefox 14 and 15 and comments 1 and 2 repeat that this is exploitable on 14 and 15.

How did 16 wind up unaffected and if 14 and 15 are affected, why doesn't bug 783260 say the same?
(Assignee)

Comment 13

6 years ago
(In reply to Al Billings [:abillings] from comment #12)
> I'm confused by the flags on this bug. Bug 783260 is ESR only and doesn't
> affect anything else. This bug, based on it, says it is won't fix for
> Firefox 14 and 15 and comments 1 and 2 repeat that this is exploitable on 14
> and 15.
> 
> How did 16 wind up unaffected and if 14 and 15 are affected

Because bug 754202 landed for 16.

>  why doesn't bug 783260 say the same?

It did, modulo the fact that status-15 was blank. I just explicitly wontfixed this there.

Anyway, the point here is that this bug only affects 15 and esr10.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dupe 783260] → [sg:dupe 783260][advisory-tracking+]
(In reply to Bobby Holley (:bholley) from comment #13)
> Anyway, the point here is that this bug only affects 15 and esr10.

Since this is a security bug we prefer marking it "fixed" rather than "unaffected", since we did check in code that fixed it (bug 754202) on mozilla-central.
status-firefox16: unaffected → fixed
status-firefox17: unaffected → fixed
status-firefox18: unaffected → fixed
Depends on: 754202
Kamil, can you please test the testcases attached to this bug to verify it's fixed? It should be fixed in the latest Firefox 16, 17, 18, and esr10 builds. Thank you.
Went through the following builds to make sure that the reported issue is reproducible using Firefox 10,14,15:

Firefox 10(Issue Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/10.0.2/win32/en-US/
- Ran TestCase#1 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- Ran TestCase#2 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- For both TestCase#1 and TestCase#2, received no error messages in the error console

Firefox 14 (Issue Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/14.0.1/win32/en-US/
- Ran TestCase#1 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- Ran TestCase#2 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- For both TestCase#1 and TestCase#2, received no error messages in the error console

Firefox 15 (Issue Reproduced): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/15.0.1/win32/en-US/
- Ran TestCase#1 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- Ran TestCase#2 and received the following prompt: "JS frame :: x :: <TOP_LEVEL> :: line 3"
- For both TestCase#1 and TestCase#2, received the following in the error console:
"Error: Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated. See https://developer.mozilla.org/en/XPConnect_wrappers for more information."

Went through the following builds to ensure that the above issue has been fixed in Firefox 16,17,18,esr10:

Firefox 16 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/16.0.2/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- For both TestCase#1 and TestCase#2, received the following in the error console:
"Error: TypeError: can't redefine non-configurable property 'top'"

Firefox 17 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/17.0/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- Both TestCase#1 and TestCase#2 produced several syntax errors related to the test cases (.html files)

Firefox 18 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/18.0b1/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- Both TestCase#1 and TestCase#2 produced several syntax errors related to the test cases (.html files)

Firefox esr10 (No Issue): http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest-10.0esr/win32/en-US/
- Ran TestCase#1 and didn't receive a prompt message as in Firefox 10,14,15
- Ran TestCase#2 and didn't receive a prompt message as in Firefox 10,14,15
- Both TestCase#1 and TestCase#2 produced several syntax errors related to the test cases (.html files)
Thanks a lot, Kamil!
Status: RESOLVED → VERIFIED
status-firefox-esr10: fixed → verified
status-firefox16: fixed → verified
status-firefox17: fixed → verified
status-firefox18: fixed → verified
Keywords: verifyme
Group: core-security