Closed
Bug 825697
(CVE-2013-0795)
Opened 12 years ago
Closed 12 years ago
Components.lookupMethod allows calling of SOW functions
Categories
(Core :: XPConnect, defect)
Tracking
()
People
(Reporter: codycrews00, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [adv-main20+][adv-esr1705+])
Attachments
(3 files)
1.63 KB,
text/html
|
Details | |
1.66 KB,
patch
|
mrbkap
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr17+
akeybl
:
approval-mozilla-b2g18+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
2.24 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20121231 Firefox/20.0
Build ID: 20121231030859
Steps to reproduce:
Called Components.lookupMethod to obtain the cloneNode method of a SOW protected node.
Actual results:
I obtained a clone of the node specified in Components.lookupMethod.
Expected results:
Components.lookupMethod should throw an exception as it did in ff 17.
Reporter | ||
Updated•12 years ago
|
Attachment #696815 -
Attachment mime type: text/plain → text/html
Assignee | ||
Comment 1•12 years ago
|
||
(In reply to codyc from comment #0)
> Components.lookupMethod should throw an exception as it did in ff 17.
Are you sure it wasn't 16? I reimplemented lookupMethod in 17 (bug 774245), and clearly messed this one up. :-(
Assignee: nobody → bobbyholley+bmo
Component: Untriaged → XPConnect
Product: Firefox → Core
Reporter | ||
Comment 2•12 years ago
|
||
I was only making a comparison to using lookupMethod to bypass SOW's, so I'm not entirely sure. I believe this has been a problem on and off since around ff13/14 and I assume that's why its already been reimplemented(maybe?) I know that in 17 I was already playing with accessing methods on SOW's using it with practically no success.
Updated•12 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Updated•12 years ago
|
Flags: sec-bounty?
Assignee | ||
Comment 3•12 years ago
|
||
We're fixing the XBL situation in general, but in the mean time I think we want to write a point fix here.
codyc has clever ways of getting at NAC that I don't really want to writing into my testcase. I'd rather use SpecialPowers, but it's not clear to me what the simplest way is to get a piece of NAC from a video control or somesuch. Dolske, any idea on the easiest way for privileged code to get a piece of NAC?
Flags: needinfo?(dolske)
Assignee | ||
Comment 4•12 years ago
|
||
Nevermind, Boris pointed out a good trick. Patches forthcoming.
Flags: needinfo?(dolske)
Assignee | ||
Comment 5•12 years ago
|
||
Attachment #703163 -
Flags: review?(mrbkap)
Assignee | ||
Comment 6•12 years ago
|
||
Attachment #703164 -
Flags: review?(mrbkap)
Updated•12 years ago
|
Attachment #703163 -
Flags: review?(mrbkap) → review+
Updated•12 years ago
|
Attachment #703164 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 7•12 years ago
|
||
Comment on attachment 703163 [details] [diff] [review]
Check for all wrapper types. v1
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Fairly obvious. It's clear that we're now handling all security wrappers rather than just cross-compartment wrappers, and the wrapper not in the intersection there is the SOW, which is what this is about. As a mitigation factor, very few people, even Mozillians, understand the intricacies of XBL and NAC.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The test does for sure.
Which older supported branches are affected by this flaw?
FF17 and above.
If not all supported branches, which bug introduced the flaw?
bug 774245. Though it may have existed before in some other form.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
I don't have backports. There backport to FF17 and FF18 will be slightly nontrivial due to the lack of bug 800915 on those branches, but I think it should be fine.
How likely is this patch to cause regressions; how much testing does it need?
Backports not withstanding, this patch is very low risk.
Another thing to keep in mind is that we're about to churn a bunch of the XBL stuff in bug 821850, which will fix a lot of outstanding XBL security issues. It might be worth waiting until that's on trunk before landing this patch anywhere.
Attachment #703163 -
Flags: sec-approval?
Comment 8•12 years ago
|
||
I need some release management input on when we want to take this one.
Comment 9•12 years ago
|
||
Bobby, can you suggest a security rating here?
Assignee | ||
Comment 10•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #9)
> Bobby, can you suggest a security rating here?
SOW bypass, so probably sec-critical.
Keywords: sec-critical
Comment 11•12 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #7)
> Another thing to keep in mind is that we're about to churn a bunch of the
> XBL stuff in bug 821850, which will fix a lot of outstanding XBL security
> issues. It might be worth waiting until that's on trunk before landing this
> patch anywhere.
I think we want to see bug 821850 land first.
Updated•12 years ago
|
Blocks: 774245
status-b2g18:
--- → affected
status-firefox18:
--- → wontfix
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → affected
tracking-b2g18:
--- → ?
tracking-firefox19:
--- → +
tracking-firefox20:
--- → +
tracking-firefox21:
--- → +
tracking-firefox-esr17:
--- → ?
Keywords: regression,
testcase
Updated•12 years ago
|
Flags: in-testsuite?
Reporter | ||
Comment 12•12 years ago
|
||
> I think we want to see bug 821850 land first.
Anyway I could be CC'ed on bug 821850? I don't know how you guys like to handle that internally, but I've just been curious on the progress of it. Wouldn't mind seeing how you guys are tackling the task of locking down XBL either, seems like a major undertaking with all the different ways to manipulate it.
Assignee | ||
Comment 13•12 years ago
|
||
(In reply to codyc from comment #12)
> > I think we want to see bug 821850 land first.
>
> Anyway I could be CC'ed on bug 821850? I don't know how you guys like to
> handle that internally, but I've just been curious on the progress of it.
> Wouldn't mind seeing how you guys are tackling the task of locking down XBL
> either, seems like a major undertaking with all the different ways to
> manipulate it.
Sure thing - given that you're probably one of less than a dozen people in the world who understands how XBL works, it'd be great to have your eyes on it. :-) The patches work and we just need to get them reviewed and landed.
Reporter | ||
Comment 14•12 years ago
|
||
I would definitely love to take a look at the changes made, and depending on the overall changes I might have a few new tricks to try out too. ;) So the changes from what I've been able to gather is a different compartment with a special principal right? Have I been added to the CC list yet? I thought that would let me see the bug but right now I'm still getting access denied when trying to view it. No real hurry on it though because its the weekend and I know like me everyone is trying to relax and enjoy it. Ill have a few new things being brought to light here soon, trying to find out the full extent of what can be done with them, and one of them involves one of the still experimental APIs so no rush but definitely some interesting things in the works.
Assignee | ||
Comment 15•12 years ago
|
||
(In reply to codyc from comment #14)
> I would definitely love to take a look at the changes made, and depending on
> the overall changes I might have a few new tricks to try out too. ;) So the
> changes from what I've been able to gather is a different compartment with a
> special principal right? Have I been added to the CC list yet? I thought
> that would let me see the bug but right now I'm still getting access denied
> when trying to view it.
Whoops, my bad. I still had the tab open but never clicked "Save Changes". Should work now. ;-)
Comment 16•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #11)
> (In reply to Bobby Holley (:bholley) from comment #7)
> > Another thing to keep in mind is that we're about to churn a bunch of the
> > XBL stuff in bug 821850, which will fix a lot of outstanding XBL security
> > issues. It might be worth waiting until that's on trunk before landing
> > this patch anywhere.
>
> I think we want to see bug 821850 land first.
The patches in bug 821850 are huge and will never be back-ported. Why would we wait for those to land rather than work up the back-ports for old branches now and get it in?
Updated•12 years ago
|
Flags: needinfo?(bobbyholley+bmo)
Assignee | ||
Comment 17•12 years ago
|
||
Yeah, we can probably just land this whenever.
Flags: needinfo?(bobbyholley+bmo)
Comment 18•12 years ago
|
||
Sigh. We're at the end of the cycle. We need to wait a few weeks into the next one, based on the comments about how obvious this is, security wise, on check in. I'd say March 12, at this point.
Any comments from anyone before I give is sec-approval+ for 3/12/2013?
Assignee | ||
Comment 19•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #18)
> Sigh. We're at the end of the cycle. We need to wait a few weeks into the
> next one, based on the comments about how obvious this is, security wise, on
> check in. I'd say March 12, at this point.
>
> Any comments from anyone before I give is sec-approval+ for 3/12/2013?
That sounds reasonable. I think we'll want to land on all branches (mostly) simultaneously.
Updated•12 years ago
|
Attachment #703163 -
Flags: sec-approval? → sec-approval+
Comment 20•12 years ago
|
||
Batch edit: Bugs marked status-b2g18: affected after 2/13 branching of v1.0.1 are now also status-b2g18-v1.0.1: affected
status-b2g18-v1.0.1:
--- → affected
Updated•12 years ago
|
Updated•12 years ago
|
status-firefox22:
--- → affected
tracking-firefox22:
--- → +
Comment 21•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #18)
> Sigh. We're at the end of the cycle. We need to wait a few weeks into the
> next one, based on the comments about how obvious this is, security wise, on
> check in. I'd say March 12, at this point.
>
> Any comments from anyone before I give is sec-approval+ for 3/12/2013?
Let's get this in *before* 3/12 so it's in the beta going to build on that day. Please land to trunk and nominate for branch uplift with risk assessment.
Assignee | ||
Comment 22•12 years ago
|
||
Assignee | ||
Comment 23•12 years ago
|
||
Comment on attachment 703163 [details] [diff] [review]
Check for all wrapper types. v1
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 774245
User impact if declined: Security problems.
Testing completed (on m-c, etc.): Just landed to inbound.
Risk to taking this patch (and alternatives if risky): Not very risky. It's possible that this could make some code throw that previously didn't throw, but this is Components.lookupMethod we're talking about, which is a pretty obscure gecko-only feature that's been long-deprecated anyway. We have telemetry that says that <0.05% of users ever encounter a page that calls lookupMethod, and the chance that those instances involve doing lookups on security wrappers is insanely small. More to the point, if they were doing that, we really _don't_ want to continue allowing it.
String or UUID changes made by this patch: None.
Attachment #703163 -
Flags: approval-mozilla-beta?
Attachment #703163 -
Flags: approval-mozilla-aurora?
Comment 24•12 years ago
|
||
Comment on attachment 703163 [details] [diff] [review]
Check for all wrapper types. v1
Approving for branches to get as much testing with our pre-release populations as possible prior to FF20's release.
Please also nominate for ESR17/B2G18 approval when you get the chance. Thanks!
Attachment #703163 -
Flags: approval-mozilla-beta?
Attachment #703163 -
Flags: approval-mozilla-beta+
Attachment #703163 -
Flags: approval-mozilla-aurora?
Attachment #703163 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 25•12 years ago
|
||
Comment on attachment 703163 [details] [diff] [review]
Check for all wrapper types. v1
Flagging for b2g18 and esr17. The same analysis given in comment 23 applies.
Attachment #703163 -
Flags: approval-mozilla-esr17?
Attachment #703163 -
Flags: approval-mozilla-b2g18?
Updated•12 years ago
|
Attachment #703163 -
Flags: approval-mozilla-esr17?
Attachment #703163 -
Flags: approval-mozilla-esr17+
Attachment #703163 -
Flags: approval-mozilla-b2g18?
Attachment #703163 -
Flags: approval-mozilla-b2g18+
Comment 26•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
status-b2g18-v1.0.0:
--- → wontfix
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment 27•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/a2e74c936887
https://hg.mozilla.org/releases/mozilla-beta/rev/f8aaee7e65ea
https://hg.mozilla.org/releases/mozilla-b2g18/rev/29c8694183c1
https://hg.mozilla.org/releases/mozilla-esr17/rev/a867722ce57c
Note that this will need tef+ or shira+ to land on b2g18_v1_0_1.
Assignee | ||
Comment 28•12 years ago
|
||
I'm concerned that this might be being exploited in the wild. See bug 837370 comment 22.
Assignee | ||
Comment 29•12 years ago
|
||
Flagging dveditz for some general input here.
Flags: needinfo?(dveditz)
Comment 30•12 years ago
|
||
This has been checked in for all releases. Without direct evidence of a zero day, we can probably wait the two weeks until the next release.
Updated•12 years ago
|
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(dveditz)
Updated•12 years ago
|
Whiteboard: [adv-main20+][adv-esr1705+]
Updated•12 years ago
|
Alias: CVE-2013-0795
Updated•12 years ago
|
Summary: Components.lookupMethod allows calling of SOW functions → Bypass of SOW protections allows cloning of protected node
Comment 32•12 years ago
|
||
I can repro this issue in affected Aurora and m-c builds, and can see it fixed post-patch.
However, I can't reproduce the issue at all in 17esr builds, 17 through 17.0.5. Re-reading comments 1 and 2, this appears to be true because the bug was regressed post-17.
Based on that, perhaps we should change the status flag for 17 to "unaffected"?
Summary: Bypass of SOW protections allows cloning of protected node → Components.lookupMethod allows calling of SOW functions
Comment 33•12 years ago
|
||
Bobby - does comment 32 match your expectations?
blocking-b2g: --- → tef+
Flags: needinfo?(bobbyholley+bmo)
Assignee | ||
Comment 34•12 years ago
|
||
> However, I can't reproduce the issue at all in 17esr builds, 17 through
> 17.0.5. Re-reading comments 1 and 2, this appears to be true because the bug
> was regressed post-17.
As comment 1 indicates, the regressing changeset was from bug 774245, which landed on esr17. But if we're having trouble reproducing the problem on old esr17, I don't think we should spend too much effort on it. As long as this changeset landed there we should be fine.
Flags: needinfo?(bobbyholley+bmo)
Comment 35•12 years ago
|
||
Updated•11 years ago
|
Group: core-security
Assignee | ||
Comment 37•10 years ago
|
||
lookupMethod was removed in bug 856437.
Flags: in-testsuite? → in-testsuite-
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•