Open
Bug 858721
Opened 12 years ago
Updated 3 years ago
UXSS using carefully timed history navigations
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
NEW
People
(Reporter: marius.mlynski, Assigned: smaug)
Details
(Keywords: sec-audit, Whiteboard: [dupe of bug 848253?])
Attachments
(2 files, 1 obsolete file)
It is possible to load an arbitrary website contained in an iframe such that its document's baseURI points to the attacker's location. This allows cross-site scripting when the targeted page loads a script via a relative path.
|
Reporter | |
Comment 1•12 years ago
|
||
This gets document.cookie for usa.bnpparibas.com. Usage:
1. Upload the exploit to a server that doesn't auto-redirects on file access. This is a fragile piece of code stressing edge conditions, and any unexpected element in the navigation chain will break it (as was the case for previous PoC's running directly from bmo).
2. Upload the /common/ directory to the root of the web server.
3. Run /exploit/index.html. It takes about 15 seconds to complete.
I've tested in Firefox 20 and the latest Nightly.
|
|
Reporter | |
Updated•12 years ago
|
Attachment #734010 -
Attachment mime type: application/octet-stream → application/zip
this seems like an extreme corner case so I am thinking sec-moderate at best, assigning to mgoodwin to verify and look over
Assignee: nobody → mgoodwin
Whiteboard: [verif?]
|
||
Comment 3•12 years ago
|
||
What in particular makes this a corner-case?
|
|
||
Comment 4•12 years ago
|
||
If he's achieving universal XSS, this seems clearly sg-high to me, no matter how fiddly the testcase may be. That's how we flagged all of the previous bugs that are similar to this one (there have been many).
|
|
Reporter | |
Comment 5•12 years ago
|
||
Granted, a random bank website isn't too impressive as a XSS target. Here's an exploit for Wikipedia. I've made a minor timing fix, so if you experience problems with the previous testcase, try this one out.
|
|
Reporter | |
Updated•12 years ago
|
Attachment #734067 -
Attachment mime type: application/octet-stream → application/zip
|
|
Reporter | |
Comment 6•12 years ago
|
||
I missed that the injected code fails to load when the file being swapped is cached and Wikipedia hasn't been loaded earlier in the browsing session. I'm attaching a (hopefully) final version that works around this issue.
Attachment #734067 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•12 years ago
|
Attachment #734404 -
Attachment mime type: application/octet-stream → application/zip
|
||
Comment 7•12 years ago
|
||
Is this related to the fact that we get the script entry point wrong in this case? If so, this is probably a more interesting attack using the same underlying bug as bug 810808.
We basically need to implement the script entry point stack properly here.
|
|
||
Comment 8•12 years ago
|
||
I'm not actually convinced that this uses the same bug as 810808.
Cursorily, it looks like the exploit gets around the history-object blocking by doing history.back() on the window he controls, and relying on the fact that that navigates the cross-origin iframe.
|
|
||
Comment 9•12 years ago
|
||
(In reply to Justin Lebar [:jlebar] from comment #8)
> I'm not actually convinced that this uses the same bug as 810808.
>
> Cursorily, it looks like the exploit gets around the history-object blocking
> by doing history.back() on the window he controls, and relying on the fact
> that that navigates the cross-origin iframe.
Wait, can History.back cause descendant docshells to navigate as well? I thought that whenever we navigated a docshell node all child nodes went away.
|
|
||
Comment 10•12 years ago
|
||
> Wait, can History.back cause descendant docshells to navigate as well?
Yeah, you can test with
> data:text/html,<button onclick="history.back()">Back</button><iframe src="http://wikipedia.org">
|
||
Comment 11•12 years ago
|
||
history.back() goes one step back in the history. There is one history per toplevel navigation context (aka tab). back() anywhere in the navigation context tree will, iirc, navigate whatever frame in that navigation context tree last navigated or something.
|
|
||
Comment 12•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #11)
> history.back() goes one step back in the history. There is one history per
> toplevel navigation context (aka tab). back() anywhere in the navigation
> context tree will, iirc, navigate whatever frame in that navigation context
> tree last navigated or something.
Which means that restricting the history object to same-origin pages does nothing to protect us from attacks, unless we also change how history.back works. :(
|
|
||
Comment 13•12 years ago
|
||
Yikes. Does our history.back behavior match the spec? I just spent some time reading the session history stuff in the spec, but my eyes glazed over before I got a full picture. I can dig more if nobody knows that part of the spec well, I guess.
|
|
Reporter | |
Comment 15•12 years ago
|
||
The exploits stopped working in Nightly 2013-05-16. At a glance, the caching behaviour was changed such that the PoC's no longer navigate to the target site after the final call to history.back(). I think this may be a side effect of the following code revision:
https://hg.mozilla.org/mozilla-central/rev/1695bdfbfa8e
|
Assignee | |
Comment 16•12 years ago
|
||
Oh, is this a dup of Bug 848253. I'll investigate.
|
|
||
Updated•12 years ago
|
Whiteboard: [verif?]
|
||
Comment 17•12 years ago
|
||
As this looks like a dupe of another fixed bug, and is being left open so Olli can take a look into it, I'm going to mark this sec-audit.
|
||
Updated•10 years ago
|
Group: core-security → dom-core-security
|
||
Updated•9 years ago
|
Group: dom-core-security
|
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•