The default bug view has changed. See this FAQ.
Bug 793121 (CVE-2012-4195)

nsLocation::CheckURL can use the wrong principal

RESOLVED FIXED

Status

()

Core
Security
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Tracking

(4 keywords)

unspecified
x86
Windows XP
csectype-priv-escalation, csectype-sop, regression, sec-high
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox15 unaffected, firefox16+ fixed, firefox17+ fixed, firefox18+ verified, firefox19+ verified, firefox-esr10 unaffected)

Details

(Whiteboard: fix in bug 801305)

(Reporter)

Description

5 years ago
This is a regression from bug 754202. (fx16,17,18 are affected.)

When a chrome code calls an untrusted function via CrossCompartmentWrapper/WaiveXrayWrapper, GetSubjectPrincipal returns a content principal, but GetPrincipalAndFrame returns the system principal.  nsLocation::CheckURL gets an owner principal by calling GetCxSubjectPrincipalAndFrame, which calls GetPrincipalAndFrame.  

By using this bug, content can perform an XSS attack, and if there is an extension that exposes a chrome window to content, content can run arbitrary code with chrome privileges.
(Reporter)

Comment 1

5 years ago
Created attachment 663341 [details]
testcase 1 - XSS

This tries to get cookies for www.mozilla.org.
(Reporter)

Comment 2

5 years ago
Created attachment 663342 [details]
testcase 2 - arbitrary code execution with Error Console
Blocks: 754202
tracking-firefox16: --- → ?
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Keywords: regression
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
Keywords: sec-critical

Updated

5 years ago
Assignee: nobody → bobbyholley+bmo
tracking-firefox16: ? → +
tracking-firefox17: ? → +
tracking-firefox18: ? → +
I decided to do this work over in public over in bug 797204, since the security issue at hand is non-obvious.
We've already gone to build with beta6 so the window on 16 landings has closed. Wontfixing for 16.
status-firefox16: affected → wontfix
Keywords: csec-priv-escalation, csec-sop
Whiteboard: fix in bug 797204
fixed on trunk in bug 797204
https://hg.mozilla.org/mozilla-central/rev/238f3986fe71
https://hg.mozilla.org/mozilla-central/rev/c5760a66bfcf
https://hg.mozilla.org/mozilla-central/rev/798a316ebfaa
https://hg.mozilla.org/mozilla-central/rev/94317b3cb4d5
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox19: --- → fixed
tracking-firefox19: --- → +
Resolution: --- → FIXED
Re-noming for 16 in case we consider this fix for a 16.0.2 "location cleanup" chemspill. In light of bug 801305 though it might be incomplete and/or regression prone; Firefox 17 might be as early as we want to push it.
status-firefox16: wontfix → affected
tracking-firefox16: + → ?
bug 797204 has the uplift approvals, just need them to land on branches.
(In reply to Lukas Blakk [:lsblakk] from comment #7)
> bug 797204 has the uplift approvals, just need them to land on branches.

Unfortunately we determined that bug 797204 doesn't fix this bug. I've got more targeted patches over in bug 801305.

Updated

5 years ago
tracking-firefox16: ? → +
Whiteboard: fix in bug 797204 → fix in bug 801305

Comment 9

5 years ago
(In reply to Bobby Holley (:bholley) from comment #8)
> (In reply to Lukas Blakk [:lsblakk] from comment #7)
> > bug 797204 has the uplift approvals, just need them to land on branches.
> 
> Unfortunately we determined that bug 797204 doesn't fix this bug. I've got
> more targeted patches over in bug 801305.

Can we mark FF17-19 as fixed now that bug 801305 has landed?
Alias: CVE-2012-4195
Depends on: 801305
Created attachment 675226 [details]
Testcase 1 -- XSS (updated)

The original XSS testcase doesn't work because www.mozilla.org now has an X-Frame-Options header to prevent framing. This is functionally equivalent, at least until blog.mozilla.org does the same thing.
I'm downgrading to sec-high because it's not at the moment a known drive-by exploit. addons are already on dangerous ground using unwrapped DOM objects and should not be injecting content that way.
Keywords: sec-critical → sec-high
bug 801305 hadn't been checked in on branches when comment 9 was asked, but it has now and I've verified the fix in Nightly and Aurora.
status-firefox16: affected → fixed
status-firefox17: affected → fixed
status-firefox18: affected → verified
status-firefox19: fixed → verified
Group: core-security
You need to log in before you can comment on or make changes to this bug.