691 bytes, application/java-archive
576 bytes, application/octet-stream
1.24 KB, patch
|Details | Diff | Splinter Review|
1.31 KB, patch
|Details | Diff | Splinter Review|
Created attachment 666916 [details] An exploit for Windows, opens C:\Windows\System32\calc.exe It is possible to execute arbitrary code when a user inspects computed styles on a malicious website containing a specially crafted style sheet. The problem lies in the function PropertyView_refresh in CssHtmlTree.jsm, which writes user-controlled CSS values to innerHTML without sanitizing the input. This paves the way for an HTML markup injection in the privileged context of chrome://browser/content/devtools/csshtmltree.xul
Created attachment 666919 [details] Proof of concept Here's a generic PoC for all systems, it just throws Components.classes to the error console.
Created attachment 667611 [details] [diff] [review] textContent instead of innerHTML Seem reasonable? The only other uses of innerHTML in that file are to set it to "" to clear nodes.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML ok by me based on our discussion earlier. gavin can extra r+ if he feels the need.
TL;DR - I don't think we have a systemic set of failings, but we do have some things to think about. From `grep -r innerHTML devtools`, most of the stuff was one of: - tests - rvalues - foo.innerHTML = ""; I talked a few things over with dcamp, and didn't find any obviously exploitable holes. In GCLI, are there any commands that expose user data via string concatenation? We're mostly safe because generally commands don't do that, and when they do, they use the template engine, which makes it safe (I think). Also we use innerHTML for menu elements. I'm more sure that that's safe, but want to think more about it for the future. Also Orion: - 3,257: (contentsDiv = this._htmlParent).innerHTML = contents; - 9,497: widthDiv.innerHTML = annotation.html; - 9,525: lineDiv.innerHTML = annotation.html; - 9,572: lineDiv.innerHTML = annotation.html; The last 3 look safe to me. I have no idea about the first.
(In reply to Dave Camp (:dcamp) from comment #4) > Created attachment 667611 [details] [diff] [review] > textContent instead of innerHTML > > Seem reasonable? > > The only other uses of innerHTML in that file are to set it to "" to clear > nodes. Yes, this is reasonable.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML [Security approval request comment] How easily can the security issue be deduced from the patch? * Pretty easily. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? * The code itself is a bit of a bulls-eye. Which older supported branches are affected by this flaw? * All supported. If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? * Not risky How likely is this patch to cause regressions; how much testing does it need? * Very unlikely, existing in-tree testing should be fine.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML We can't land this a few days before the release of Firefox 16 without potentially causing a re-spin. If there is one anyway maybe akeybl will approve it, but otherwise we should wait a couple of weeks (~ Oct 24?) We may find other instances of this anti-pattern we can fix at the same time all at once (mgoodwin is looking).
tracking for 17+, assuming it will land on 17 beta . we would not do a chemspill just for this bug but will leave tracking-16 ? so that we can take it as a ride along but even if we do a respin of 16 , we would not do a chemspill esr for this.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML sec-approval+, this can start landing now.
Do we need to submerge this in another patch?
dveditz/abillings will be able to answer comment 12, but I just want to remind you that this will need to be nominated for uplift asap to make it into FF17.
Rob, I don't think we need to submerge it but I wouldn't say "no" either if there was something convenient to do so.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML [Approval Request Comment] Bug caused by (feature/regressing bug #): Style Inspector initial landing User impact if declined: Security Testing completed (on m-c, etc.): none yet Risk to taking this patch (and alternatives if risky): Low-risk String or UUID changes made by this patch: None.
Comment on attachment 667611 [details] [diff] [review] textContent instead of innerHTML approving for branch uplift - we'll want this for esr10 too, please nominate if this patch applies there cleanly or nom a different patch but we'll want this in the next esr10 build to ship alongside 17.
Created attachment 676450 [details] [diff] [review] esr10 fix Minor rebase for esr10.
Should this have a test?
(In reply to Ryan VanderMeulen from comment #22) > Should this have a test? Yes.
I am using the first PoC, to open calculator on Windows. Confirmed exploit on build 2012-10-2, nightly Verified fixed on build 2012-11-6, nightly Verified fixed on build 2012-11-6, Aurora 18 Verified fixed on build 2012-11-6, Beta 17 However, this issue did not reproduce on 2012-10-24 ESR 10.0.10.
(In reply to Matt Wobensmith from comment #24) > However, this issue did not reproduce on 2012-10-24 ESR 10.0.10. Try switching between tags on the inspector bar.
Thanks Mariusz - that was helpful. I was able to reproduce on ESR 10.0.10 with some additional work.
Confirmed fixed ESR 10.0.11 2102-11-14.
(In reply to Matt Wobensmith from comment #27) > Confirmed fixed ESR 10.0.11 2102-11-14. Thanks Matt. Can you also please check Firefox 17esr?
Confirmed fixed ESR 17.0, 2012-11-11.
mass remove verifyme requests greater than 4 months old