Closed Bug 796866 (CVE-2012-4210) Opened 12 years ago Closed 12 years ago

Arbitrary code execution from Style Inspector

Categories

(DevTools :: Inspector, defect, P1)

15 Branch
defect

Tracking

(firefox16+ wontfix, firefox17+ verified, firefox18+ verified, firefox19+ verified, firefox-esr1017+ verified, firefox-esr17 verified)

RESOLVED FIXED
Firefox 19
Tracking Status
firefox16 + wontfix
firefox17 + verified
firefox18 + verified
firefox19 + verified
firefox-esr10 17+ verified
firefox-esr17 --- verified

People

(Reporter: marius.mlynski, Assigned: dcamp)

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-critical, Whiteboard: [fixed-in-fx-team][adv-track-main17+][adv-track-esr17+])

Attachments

(4 files)

It is possible to execute arbitrary code when a user inspects computed styles on a malicious website containing a specially crafted style sheet. The problem lies in the function PropertyView_refresh in CssHtmlTree.jsm, which writes user-controlled CSS values to innerHTML without sanitizing the input. This paves the way for an HTML markup injection in the privileged context of chrome://browser/content/devtools/csshtmltree.xul
Attachment #666916 - Attachment mime type: application/octet-stream → application/java-archive
Attached file Proof of concept
Here's a generic PoC for all systems, it just throws Components.classes to the error console.
Status: UNCONFIRMED → NEW
Ever confirmed: true
hunh! so we should be doing a little scrubbing of javascript: uris in stylesheets, presumably.
Severity: normal → critical
Priority: -- → P1
Seem reasonable? The only other uses of innerHTML in that file are to set it to "" to clear nodes.
Attachment #667611 - Flags: review?(gavin.sharp)
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML ok by me based on our discussion earlier. gavin can extra r+ if he feels the need.
Attachment #667611 - Flags: review?(gavin.sharp) → review+
TL;DR - I don't think we have a systemic set of failings, but we do have some things to think about. From `grep -r innerHTML devtools`, most of the stuff was one of: - tests - rvalues - foo.innerHTML = ""; I talked a few things over with dcamp, and didn't find any obviously exploitable holes. In GCLI, are there any commands that expose user data via string concatenation? We're mostly safe because generally commands don't do that, and when they do, they use the template engine, which makes it safe (I think). Also we use innerHTML for menu elements. I'm more sure that that's safe, but want to think more about it for the future. Also Orion: - 3,257: (contentsDiv = this._htmlParent).innerHTML = contents; - 9,497: widthDiv.innerHTML = annotation.html; - 9,525: lineDiv.innerHTML = annotation.html; - 9,572: lineDiv.innerHTML = annotation.html; The last 3 look safe to me. I have no idea about the first.
(In reply to Dave Camp (:dcamp) from comment #4) > Created attachment 667611 [details] [diff] [review] > textContent instead of innerHTML > > Seem reasonable? > > The only other uses of innerHTML in that file are to set it to "" to clear > nodes. Yes, this is reasonable.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML [Security approval request comment] How easily can the security issue be deduced from the patch? * Pretty easily. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? * The code itself is a bit of a bulls-eye. Which older supported branches are affected by this flaw? * All supported. If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? * Not risky How likely is this patch to cause regressions; how much testing does it need? * Very unlikely, existing in-tree testing should be fine.
Attachment #667611 - Flags: sec-approval?
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML We can't land this a few days before the release of Firefox 16 without potentially causing a re-spin. If there is one anyway maybe akeybl will approve it, but otherwise we should wait a couple of weeks (~ Oct 24?) We may find other instances of this anti-pattern we can fix at the same time all at once (mgoodwin is looking).
Whiteboard: take in a Fx16 respin, or wait until Oct 2x to land.
tracking for 17+, assuming it will land on 17 beta . we would not do a chemspill just for this bug but will leave tracking-16 ? so that we can take it as a ride along but even if we do a respin of 16 , we would not do a chemspill esr for this.
Whiteboard: take in a Fx16 respin, or wait until Oct 2x to land. → wait until after Oct 21 to land.
Whiteboard: wait until after Oct 21 to land.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML sec-approval+, this can start landing now.
Attachment #667611 - Flags: sec-approval? → sec-approval+
Do we need to submerge this in another patch?
dveditz/abillings will be able to answer comment 12, but I just want to remind you that this will need to be nominated for uplift asap to make it into FF17.
Rob, I don't think we need to submerge it but I wouldn't say "no" either if there was something convenient to do so.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML [Approval Request Comment] Bug caused by (feature/regressing bug #): Style Inspector initial landing User impact if declined: Security Testing completed (on m-c, etc.): none yet Risk to taking this patch (and alternatives if risky): Low-risk String or UUID changes made by this patch: None.
Attachment #667611 - Flags: approval-mozilla-beta?
Attachment #667611 - Flags: approval-mozilla-aurora?
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML approving for branch uplift - we'll want this for esr10 too, please nominate if this patch applies there cleanly or nom a different patch but we'll want this in the next esr10 build to ship alongside 17.
Attachment #667611 - Flags: approval-mozilla-beta?
Attachment #667611 - Flags: approval-mozilla-beta+
Attachment #667611 - Flags: approval-mozilla-aurora?
Attachment #667611 - Flags: approval-mozilla-aurora+
Attached patch esr10 fixSplinter Review
Minor rebase for esr10.
Attachment #676450 - Flags: approval-mozilla-esr10?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Attachment #676450 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Whiteboard: [fixed-in-fx-team] → [fixed-in-fx-team][adv-track-main17+]
Should this have a test?
Flags: in-testsuite?
(In reply to Ryan VanderMeulen from comment #22) > Should this have a test? Yes.
Keywords: verifyme
I am using the first PoC, to open calculator on Windows. Confirmed exploit on build 2012-10-2, nightly Verified fixed on build 2012-11-6, nightly Verified fixed on build 2012-11-6, Aurora 18 Verified fixed on build 2012-11-6, Beta 17 However, this issue did not reproduce on 2012-10-24 ESR 10.0.10.
(In reply to Matt Wobensmith from comment #24) > However, this issue did not reproduce on 2012-10-24 ESR 10.0.10. Try switching between tags on the inspector bar.
Thanks Mariusz - that was helpful. I was able to reproduce on ESR 10.0.10 with some additional work.
Whiteboard: [fixed-in-fx-team][adv-track-main17+] → [fixed-in-fx-team][adv-track-main17+][adv-track-esr17+]
Alias: CVE-2012-4210
Confirmed fixed ESR 10.0.11 2102-11-14.
(In reply to Matt Wobensmith from comment #27) > Confirmed fixed ESR 10.0.11 2102-11-14. Thanks Matt. Can you also please check Firefox 17esr?
Confirmed fixed ESR 17.0, 2012-11-11.
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: