It is possible to compile a user-defined function in the XBL scope of a "marquee" element -- using |_setEventListener| method. Once the defined event is triggered, the code running in the XBL scope can access all content protected by System Only Wrapper. It can also open arbitrary chrome-privileged pages. Additionally, remote web content can access privileged methods from property descriptor objects on Chrome Object Wrappers fetched off of an XBL scope. They can be subsequently used to perform a cross-site scripting attack on a frame with a privileged page, which allows drive-by download of malware.
Created attachment 739893 [details] Exploit (launches calc.exe on windows)

This opens C:\Windows\System32\calc.exe on Windows or alerts Components.classes on other systems. Works in Firefox 22-23, earlier versions may work partially or not at all.
Comment on attachment 739893 [details] Exploit (launches calc.exe on windows)

Oh, btw, run from HTTP to avoid the mixed-content blocker ruining things.
Matt agreed to confirm exploitability (or not) of branches. \o/
Is this something that may affect all branches, or might it be a regression from more recent patches?
Holy moly Mariusz, this is probably the best Mozilla exploit I've ever seen. The depth and cleverness here are off the charts. There are at least three distinct security exploits working in tandem here, and a number of other bits of suboptimal Gecko behavior being used as well. You have my deepest respect. For those following along, here's the short version of what this testcase does:

1 - Hijacks the XBL scope using <marquee>
2 - Using the nsExpandedPrincipal associated with the XBL scope, exploits a bug in CAPS to load "about:" in an iframe, which ends up loading with system principal.
3 - Using the ability of XBL scopes to create Xray waivers to content, bypasses COWs to access the |about:| iframe's Object.prototype, grabs __lookupSetter__, uses __lookupSetter__ to get a chrome-side setter to Element.innerHTML, and invokes the setter with the payload, causing it to get loaded as chrome.

Bugs 1 and 2 are really bad bugs but straightforward to fix. The XBL Scope hijack is particularly problematic on Beta, because we still have the Sandbox exception for __exposedProps__ there, meaning that this allows arbitrary COW bypasses even without the cleverness of (2) and (3). Thankfully, those bugs should be easy to backport. I'm going to file dependent bugs for all of the pieces here.
I still need to file the lynchpin bug here - I'll get to it shortly.
Exploit works on 22/23, all Windows. For the purposes of this bug, I set the branch flags. However, I understand that components of this bug - the bugs that were filed as a result - may actually affect older branches.
As above, can we assume this affects Mac/Linux as well?
Spoke with Bobby over email, no need to track this meta bug specifically (we're tracking/uplifting related bugs).
I think this can be closed, as all of the blocking bugs have been marked fixed. This should probably also be verified as fixed.
I will verify this.
Confirmed exploit on FF23, 2013-04-19
Verified fixed on FF22, 2013-05-31
Verified fixed on FF23, 2013-05-31
Verified fixed on FF24, 2013-05-31
Is there any way that I could get access to the attachment testcase? I've been studying older exploits some this week, and I would love to see this work.
(In reply to codyc from comment #16)
> Is there any way that I could get access to the attachment testcase? I've
> been studying older exploits some this week, and I would love to see this
> work.

I have emailed the testcase to cody.
(In reply to Bobby Holley (:bholley) from comment #17)
> I have emailed the testcase to cody.

Heh. I encrypted it with his new key and did the same...
Aww, now I don't feel all super special ;-)