The default bug view has changed. See this FAQ.
Bug 796866 (CVE-2012-4210)

Arbitrary code execution from Style Inspector

RESOLVED FIXED in Firefox 17

Status

()

Firefox
Developer Tools: Inspector
P1
critical
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: Mariusz Mlynski, Assigned: dcamp)

Tracking

({csectype-priv-escalation, sec-critical})

15 Branch
Firefox 19
csectype-priv-escalation, sec-critical
Points:
---
Bug Flags:
sec-bounty +
in-testsuite ?

Firefox Tracking Flags

(firefox16+ wontfix, firefox17+ verified, firefox18+ verified, firefox19+ verified, firefox-esr1017+ verified, firefox-esr17 verified)

Details

(Whiteboard: [fixed-in-fx-team][adv-track-main17+][adv-track-esr17+])

Attachments

(4 attachments)

(Reporter)

Description

5 years ago
Created attachment 666916 [details]
An exploit for Windows, opens C:\Windows\System32\calc.exe

It is possible to execute arbitrary code when a user inspects computed styles on a malicious website containing a specially crafted style sheet.

The problem lies in the function PropertyView_refresh in CssHtmlTree.jsm, which writes user-controlled CSS values to innerHTML without sanitizing the input. This paves the way for an HTML markup injection in the privileged context of chrome://browser/content/devtools/csshtmltree.xul
(Reporter)

Updated

5 years ago
Attachment #666916 - Attachment mime type: application/octet-stream → application/java-archive
(Reporter)

Comment 1

5 years ago
Created attachment 666919 [details]
Proof of concept

Here's a generic PoC for all systems, it just throws Components.classes to the error console.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csec-priv-escalation, sec-critical
hunh!

so we should be doing a little scrubbing of javascript: uris in stylesheets, presumably.
Severity: normal → critical
Priority: -- → P1
(Assignee)

Comment 4

5 years ago
Created attachment 667611 [details] [diff] [review]
textContent instead of innerHTML

Seem reasonable?

The only other uses of innerHTML in that file are to set it to "" to clear nodes.
Attachment #667611 - Flags: review?(gavin.sharp)
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML

ok by me based on our discussion earlier. gavin can extra r+ if he feels the need.
Attachment #667611 - Flags: review?(gavin.sharp) → review+
TL;DR - I don't think we have a systemic set of failings, but we do have some things to think about.

From `grep -r innerHTML devtools`, most of the stuff was one of:
- tests
- rvalues
- foo.innerHTML = "";

I talked a few things over with dcamp, and didn't find any obviously exploitable holes.

In GCLI, are there any commands that expose user data via string concatenation? We're mostly safe because generally commands don't do that, and when they do, they use the template engine, which makes it safe (I think). Also we use innerHTML for menu elements. I'm more sure that that's safe, but want to think more about it for the future.

Also Orion:
- 3,257: (contentsDiv = this._htmlParent).innerHTML = contents; 
- 9,497: widthDiv.innerHTML = annotation.html; 
- 9,525: lineDiv.innerHTML = annotation.html; 
- 9,572: lineDiv.innerHTML = annotation.html; 
The last 3 look safe to me. I have no idea about the first.
(In reply to Dave Camp (:dcamp) from comment #4)
> Created attachment 667611 [details] [diff] [review]
> textContent instead of innerHTML
> 
> Seem reasonable?
> 
> The only other uses of innerHTML in that file are to set it to "" to clear
> nodes.

Yes, this is reasonable.
(Assignee)

Comment 8

5 years ago
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML

[Security approval request comment]
How easily can the security issue be deduced from the patch?

* Pretty easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

* The code itself is a bit of a bulls-eye.

Which older supported branches are affected by this flaw?

* All supported.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

* Not risky

How likely is this patch to cause regressions; how much testing does it need?

* Very unlikely, existing in-tree testing should be fine.
Attachment #667611 - Flags: sec-approval?
Assignee: nobody → dcamp
status-firefox-esr10: --- → affected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
tracking-firefox-esr10: --- → ?
tracking-firefox16: --- → ?
tracking-firefox17: --- → +
tracking-firefox18: --- → +
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML

We can't land this a few days before the release of Firefox 16 without potentially causing a re-spin. If there is one anyway maybe akeybl will approve it, but otherwise we should wait a couple of weeks (~ Oct 24?)

We may find other instances of this anti-pattern we can fix at the same time all at once (mgoodwin is looking).
Whiteboard: take in a Fx16 respin, or wait until Oct 2x to land.
tracking for 17+, assuming it will land on 17 beta . we would not do a chemspill just for this bug but will leave tracking-16 ? so that we can take it as a ride along but even if we do a respin of 16 , we would not do a chemspill esr for this.
tracking-firefox-esr10: ? → 17+

Updated

5 years ago
tracking-firefox-esr10: 17+ → ---
tracking-firefox16: ? → +
Whiteboard: take in a Fx16 respin, or wait until Oct 2x to land. → wait until after Oct 21 to land.
status-firefox16: affected → wontfix
status-firefox19: --- → affected
tracking-firefox19: --- → +
Whiteboard: wait until after Oct 21 to land.
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML

sec-approval+, this can start landing now.
Attachment #667611 - Flags: sec-approval? → sec-approval+
Do we need to submerge this in another patch?
dveditz/abillings will be able to answer comment 12, but I just want to remind you that this will need to be nominated for uplift asap to make it into FF17.
Rob, I don't think we need to submerge it but I wouldn't say "no" either if there was something convenient to do so.
(Assignee)

Comment 15

5 years ago
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Style Inspector initial landing
User impact if declined: Security
Testing completed (on m-c, etc.): none yet 
Risk to taking this patch (and alternatives if risky): Low-risk
String or UUID changes made by this patch: None.
Attachment #667611 - Flags: approval-mozilla-beta?
Attachment #667611 - Flags: approval-mozilla-aurora?
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML

approving for branch uplift - we'll want this for esr10 too, please nominate if this patch applies there cleanly or nom a different patch but we'll want this in the next esr10 build to ship alongside 17.
Attachment #667611 - Flags: approval-mozilla-beta?
Attachment #667611 - Flags: approval-mozilla-beta+
Attachment #667611 - Flags: approval-mozilla-aurora?
Attachment #667611 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 17

5 years ago
https://hg.mozilla.org/integration/fx-team/rev/aab5d5178047
Whiteboard: [fixed-in-fx-team]
(Assignee)

Comment 18

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/76bf1b9bb1d0
https://hg.mozilla.org/releases/mozilla-beta/rev/52dc10beff66
status-firefox17: affected → fixed
status-firefox18: affected → fixed
(Assignee)

Comment 19

5 years ago
Created attachment 676450 [details] [diff] [review]
esr10 fix

Minor rebase for esr10.
Attachment #676450 - Flags: approval-mozilla-esr10?
(Assignee)

Comment 20

5 years ago
https://hg.mozilla.org/mozilla-central/rev/aab5d5178047
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox19: affected → fixed
tracking-firefox-esr10: --- → ?
Resolution: --- → FIXED

Updated

4 years ago
tracking-firefox-esr10: ? → 17+

Updated

4 years ago
Attachment #676450 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Whiteboard: [fixed-in-fx-team] → [fixed-in-fx-team][adv-track-main17+]
https://hg.mozilla.org/releases/mozilla-esr10/rev/b271fc88cf09
status-firefox-esr10: affected → fixed
status-firefox-esr17: --- → fixed
Target Milestone: --- → Firefox 19
Should this have a test?
Flags: in-testsuite?
(In reply to Ryan VanderMeulen from comment #22)
> Should this have a test?

Yes.
Keywords: verifyme
I am using the first PoC, to open calculator on Windows.  

Confirmed exploit on build 2012-10-2, nightly
Verified fixed on build 2012-11-6, nightly
Verified fixed on build 2012-11-6, Aurora 18
Verified fixed on build 2012-11-6, Beta 17

However, this issue did not reproduce on 2012-10-24 ESR 10.0.10.
status-firefox17: fixed → verified
status-firefox18: fixed → verified
status-firefox19: fixed → verified
(Reporter)

Comment 25

4 years ago
(In reply to Matt Wobensmith from comment #24)
> However, this issue did not reproduce on 2012-10-24 ESR 10.0.10.

Try switching between tags on the inspector bar.
Thanks Mariusz - that was helpful. I was able to reproduce on ESR 10.0.10 with some additional work.
Whiteboard: [fixed-in-fx-team][adv-track-main17+] → [fixed-in-fx-team][adv-track-main17+][adv-track-esr17+]
Alias: CVE-2012-4210
Confirmed fixed ESR 10.0.11 2102-11-14.
(In reply to Matt Wobensmith from comment #27)
> Confirmed fixed ESR 10.0.11 2102-11-14.

Thanks Matt. Can you also please check Firefox 17esr?
status-firefox-esr10: fixed → verified
Confirmed fixed ESR 17.0, 2012-11-11.
status-firefox-esr17: fixed → verified
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.