Closed
Bug 796866
(CVE-2012-4210)
Opened 12 years ago
Closed 12 years ago
Arbitrary code execution from Style Inspector
Categories
(DevTools :: Inspector, defect, P1)
Tracking
(firefox16+ wontfix, firefox17+ verified, firefox18+ verified, firefox19+ verified, firefox-esr1017+ verified, firefox-esr17 verified)
People
(Reporter: marius.mlynski, Assigned: dcamp)
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-critical, Whiteboard: [fixed-in-fx-team][adv-track-main17+][adv-track-esr17+])
Attachments
(4 files)
691 bytes,
application/java-archive
|
Details | |
576 bytes,
application/octet-stream
|
Details | |
1.24 KB,
patch
|
rcampbell
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
1.31 KB,
patch
|
akeybl
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
It is possible to execute arbitrary code when a user inspects computed styles on a malicious website containing a specially crafted style sheet.
The problem lies in the function PropertyView_refresh in CssHtmlTree.jsm, which writes user-controlled CSS values to innerHTML without sanitizing the input. This paves the way for an HTML markup injection in the privileged context of chrome://browser/content/devtools/csshtmltree.xul
Reporter | ||
Updated•12 years ago
|
Attachment #666916 -
Attachment mime type: application/octet-stream → application/java-archive
Reporter | ||
Comment 1•12 years ago
|
||
Here's a generic PoC for all systems, it just throws Components.classes to the error console.
Updated•12 years ago
|
Comment 3•12 years ago
|
||
hunh!
so we should be doing a little scrubbing of javascript: uris in stylesheets, presumably.
Severity: normal → critical
Priority: -- → P1
Assignee | ||
Comment 4•12 years ago
|
||
Seem reasonable?
The only other uses of innerHTML in that file are to set it to "" to clear nodes.
Attachment #667611 -
Flags: review?(gavin.sharp)
Comment 5•12 years ago
|
||
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML
ok by me based on our discussion earlier. gavin can extra r+ if he feels the need.
Attachment #667611 -
Flags: review?(gavin.sharp) → review+
Comment 6•12 years ago
|
||
TL;DR - I don't think we have a systemic set of failings, but we do have some things to think about.
From `grep -r innerHTML devtools`, most of the stuff was one of:
- tests
- rvalues
- foo.innerHTML = "";
I talked a few things over with dcamp, and didn't find any obviously exploitable holes.
In GCLI, are there any commands that expose user data via string concatenation? We're mostly safe because generally commands don't do that, and when they do, they use the template engine, which makes it safe (I think). Also we use innerHTML for menu elements. I'm more sure that that's safe, but want to think more about it for the future.
Also Orion:
- 3,257: (contentsDiv = this._htmlParent).innerHTML = contents;
- 9,497: widthDiv.innerHTML = annotation.html;
- 9,525: lineDiv.innerHTML = annotation.html;
- 9,572: lineDiv.innerHTML = annotation.html;
The last 3 look safe to me. I have no idea about the first.
Comment 7•12 years ago
|
||
(In reply to Dave Camp (:dcamp) from comment #4)
> Created attachment 667611 [details] [diff] [review]
> textContent instead of innerHTML
>
> Seem reasonable?
>
> The only other uses of innerHTML in that file are to set it to "" to clear
> nodes.
Yes, this is reasonable.
Assignee | ||
Comment 8•12 years ago
|
||
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML
[Security approval request comment]
How easily can the security issue be deduced from the patch?
* Pretty easily.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
* The code itself is a bit of a bulls-eye.
Which older supported branches are affected by this flaw?
* All supported.
If not all supported branches, which bug introduced the flaw?
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
* Not risky
How likely is this patch to cause regressions; how much testing does it need?
* Very unlikely, existing in-tree testing should be fine.
Attachment #667611 -
Flags: sec-approval?
Updated•12 years ago
|
Assignee: nobody → dcamp
status-firefox-esr10:
--- → affected
status-firefox16:
--- → affected
status-firefox17:
--- → affected
status-firefox18:
--- → affected
tracking-firefox-esr10:
--- → ?
tracking-firefox16:
--- → ?
tracking-firefox17:
--- → +
tracking-firefox18:
--- → +
Comment 9•12 years ago
|
||
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML
We can't land this a few days before the release of Firefox 16 without potentially causing a re-spin. If there is one anyway maybe akeybl will approve it, but otherwise we should wait a couple of weeks (~ Oct 24?)
We may find other instances of this anti-pattern we can fix at the same time all at once (mgoodwin is looking).
Updated•12 years ago
|
Whiteboard: take in a Fx16 respin, or wait until Oct 2x to land.
Comment 10•12 years ago
|
||
tracking for 17+, assuming it will land on 17 beta . we would not do a chemspill just for this bug but will leave tracking-16 ? so that we can take it as a ride along but even if we do a respin of 16 , we would not do a chemspill esr for this.
Updated•12 years ago
|
tracking-firefox-esr10:
17+ → ---
Updated•12 years ago
|
Whiteboard: take in a Fx16 respin, or wait until Oct 2x to land. → wait until after Oct 21 to land.
Updated•12 years ago
|
status-firefox19:
--- → affected
tracking-firefox19:
--- → +
Whiteboard: wait until after Oct 21 to land.
Comment 11•12 years ago
|
||
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML
sec-approval+, this can start landing now.
Attachment #667611 -
Flags: sec-approval? → sec-approval+
Comment 12•12 years ago
|
||
Do we need to submerge this in another patch?
Comment 13•12 years ago
|
||
dveditz/abillings will be able to answer comment 12, but I just want to remind you that this will need to be nominated for uplift asap to make it into FF17.
Comment 14•12 years ago
|
||
Rob, I don't think we need to submerge it but I wouldn't say "no" either if there was something convenient to do so.
Assignee | ||
Comment 15•12 years ago
|
||
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Style Inspector initial landing
User impact if declined: Security
Testing completed (on m-c, etc.): none yet
Risk to taking this patch (and alternatives if risky): Low-risk
String or UUID changes made by this patch: None.
Attachment #667611 -
Flags: approval-mozilla-beta?
Attachment #667611 -
Flags: approval-mozilla-aurora?
Comment 16•12 years ago
|
||
Comment on attachment 667611 [details] [diff] [review]
textContent instead of innerHTML
approving for branch uplift - we'll want this for esr10 too, please nominate if this patch applies there cleanly or nom a different patch but we'll want this in the next esr10 build to ship alongside 17.
Attachment #667611 -
Flags: approval-mozilla-beta?
Attachment #667611 -
Flags: approval-mozilla-beta+
Attachment #667611 -
Flags: approval-mozilla-aurora?
Attachment #667611 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 17•12 years ago
|
||
Whiteboard: [fixed-in-fx-team]
Assignee | ||
Comment 18•12 years ago
|
||
Assignee | ||
Comment 19•12 years ago
|
||
Minor rebase for esr10.
Attachment #676450 -
Flags: approval-mozilla-esr10?
Assignee | ||
Comment 20•12 years ago
|
||
Updated•12 years ago
|
Updated•12 years ago
|
Attachment #676450 -
Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Updated•12 years ago
|
Whiteboard: [fixed-in-fx-team] → [fixed-in-fx-team][adv-track-main17+]
Comment 21•12 years ago
|
||
status-firefox-esr17:
--- → fixed
Target Milestone: --- → Firefox 19
Comment 23•12 years ago
|
||
(In reply to Ryan VanderMeulen from comment #22)
> Should this have a test?
Yes.
Comment 24•12 years ago
|
||
I am using the first PoC, to open calculator on Windows.
Confirmed exploit on build 2012-10-2, nightly
Verified fixed on build 2012-11-6, nightly
Verified fixed on build 2012-11-6, Aurora 18
Verified fixed on build 2012-11-6, Beta 17
However, this issue did not reproduce on 2012-10-24 ESR 10.0.10.
Reporter | ||
Comment 25•12 years ago
|
||
(In reply to Matt Wobensmith from comment #24)
> However, this issue did not reproduce on 2012-10-24 ESR 10.0.10.
Try switching between tags on the inspector bar.
Comment 26•12 years ago
|
||
Thanks Mariusz - that was helpful. I was able to reproduce on ESR 10.0.10 with some additional work.
Updated•12 years ago
|
Whiteboard: [fixed-in-fx-team][adv-track-main17+] → [fixed-in-fx-team][adv-track-main17+][adv-track-esr17+]
Updated•12 years ago
|
Alias: CVE-2012-4210
Comment 27•12 years ago
|
||
Confirmed fixed ESR 10.0.11 2102-11-14.
Comment 28•12 years ago
|
||
(In reply to Matt Wobensmith from comment #27)
> Confirmed fixed ESR 10.0.11 2102-11-14.
Thanks Matt. Can you also please check Firefox 17esr?
Comment 29•12 years ago
|
||
Confirmed fixed ESR 17.0, 2012-11-11.
Updated•12 years ago
|
Group: core-security
Updated•7 years ago
|
Product: Firefox → DevTools
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•