Bug 863933 (CVE-2013-1687)

Arbitrary code execution via XBL

VERIFIED FIXED

Status


Core
XPConnect
--
critical
VERIFIED FIXED
4 years ago
3 years ago

People

(Reporter: Mariusz Mlynski, Assigned: bholley)

Tracking

({regression, sec-critical})

Trunk
regression, sec-critical
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox20 unaffected, firefox21 unaffected, firefox22- verified, firefox23- verified, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [adv-main22+])

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
It is possible to compile a user-defined function in the XBL scope of a "marquee" element -- using |_setEventListener| method. Once the defined event is triggered, the code running in the XBL scope can access all content protected by System Only Wrapper. It can also open arbitrary chrome-privileged pages.

Additionally, remote web content can access privileged methods from property descriptor objects on Chrome Object Wrappers fetched off of an XBL scope. They can be subsequently used to perform a cross-site scripting attack on a frame with a privileged page, which allows drive-by download of malware.
(Reporter)

Comment 1

4 years ago
Created attachment 739893 [details]
Exploit (launches calc.exe on windows)

This opens C:\Windows\System32\calc.exe on Windows or alerts Components.classes on other systems. Works in Firefox 22-23, earlier versions may work partially or not at all.
(Reporter)

Updated

4 years ago
Attachment #739893 - Attachment mime type: text/plain → text/html
(Reporter)

Comment 2

4 years ago
Comment on attachment 739893 [details]
Exploit (launches calc.exe on windows)

Oh, btw, run from HTTP to avoid the mixed-content blocker ruining things.
Attachment #739893 - Attachment mime type: text/html → text/plain
Keywords: sec-critical
Assignee: nobody → bobbyholley+bmo
Matt agreed to confirm exploitability (or not) of branches. \o/
Flags: needinfo?(mwobensmith)
Is this something that may affect all branches, or might it be a regression from more recent patches?
Holy moly Mariusz, this is probably the best Mozilla exploit I've ever seen. The depth and cleverness here are off the charts. There are at least three distinct security exploits working in tandem here, and a number of other bits of suboptimal Gecko behavior being used as well. You have my deepest respect.

For those following along, here's the short version of what this testcase does:
1 - Hijacks the XBL scope using <marquee>
2 - Using the nsExpandedPrincipal associated with the XBL scope, exploits a bug in CAPS to load "about:" in an iframe, which ends up loading with system principal.
3 - Using the ability of XBL scopes to create Xray waivers to content, bypasses COWs to access the |about:| iframe's Object.prototype, grabs __lookupSetter__, uses __lookupSetter__ to get a chrome-side setter to Element.innerHTML, and invokes the setter with the payload, causing it to get loaded as chrome.

Bugs 1 and 2 are really bad bugs but straightforward to fix. The XBL Scope hijack is particularly problematic on Beta, because we still have the Sandbox exception for __exposedProps__ there, meaning that this allows arbitrary COW bypasses even without the cleverness of (2) and (3). Thankfully, those bugs should be easy to backport.

I'm going to file dependent bugs for all of the pieces here.
Depends on: 865947
Depends on: 865948
Depends on: 829872
I still need to file the lynchpin bug here - I'll get to it shortly.
Depends on: 866823
Exploit works on 22/23, all Windows.

For the purposes of this bug, I set the branch flags. However, I understand that components of this bug - the bugs that were filed as a result - may actually affect older branches.
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox23: --- → affected
status-firefox-esr17: --- → unaffected
Flags: needinfo?(mwobensmith)
tracking-firefox22: --- → ?
tracking-firefox23: --- → ?
Keywords: regression
As above, can we assume this affects Mac/Linux as well?
yeah.

Updated

4 years ago
tracking-firefox22: ? → +
tracking-firefox23: ? → +
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Spoke with Bobby over email, no need to track this meta bug specifically (we're tracking/uplifting related bugs).
tracking-firefox22: + → -
tracking-firefox23: + → -
I think this can be closed, as all of the blocking bugs have been marked fixed. This should probably also be verified as fixed.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Keywords: verifyme
Resolution: --- → FIXED
I will verify this.
QA Contact: mwobensmith
Confirmed exploit on FF23, 2013-04-19
Verified fixed on FF22, 2013-05-31
Verified fixed on FF23, 2013-05-31
Verified fixed on FF24, 2013-05-31
Status: RESOLVED → VERIFIED
status-firefox22: affected → verified
status-firefox23: affected → verified
Keywords: verifyme
Whiteboard: [adv-main22+]
Alias: CVE-2013-1687
Attachment #739893 - Attachment description: Exploit → Exploit (launches calc.exe on windows)
Attachment #739893 - Attachment is private: true
Attachment #739893 - Attachment mime type: text/plain → text/html
status-b2g18: --- → unaffected
Group: core-security

Comment 16

3 years ago
Is there any way that I could get access to the attachment testcase?  I've been studying older exploits some this week, and I would love to see this work.
(In reply to codyc from comment #16)
> Is there any way that I could get access to the attachment testcase?  I've
> been studying older exploits some this week, and I would love to see this
> work.

I have emailed the testcase to cody.
(In reply to Bobby Holley (:bholley) from comment #17)

> I have emailed the testcase to cody.

Heh. I encrypted it with his new key and did the same...

Updated

3 years ago
Attachment #739893 - Attachment is private: false

Comment 19

3 years ago
Aww, now I don't feel all super special ;-)