Closed Bug 863933 (CVE-2013-1687) Opened 11 years ago Closed 11 years ago

Arbitrary code execution via XBL

Categories

(Core :: XPConnect, defect)

defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 - verified
firefox23 - verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: marius.mlynski, Assigned: bholley)

References

Details

(Keywords: regression, sec-critical, Whiteboard: [adv-main22+])

Attachments

(1 file)

It is possible to compile a user-defined function in the XBL scope of a "marquee" element -- using |_setEventListener| method. Once the defined event is triggered, the code running in the XBL scope can access all content protected by System Only Wrapper. It can also open arbitrary chrome-privileged pages.

Additionally, remote web content can access privileged methods from property descriptor objects on Chrome Object Wrappers fetched off of an XBL scope. They can be subsequently used to perform a cross-site scripting attack on a frame with a privileged page, which allows drive-by download of malware.
This opens C:\Windows\System32\calc.exe on Windows or alerts Components.classes on other systems. Works in Firefox 22-23, earlier versions may work partially or not at all.
Attachment #739893 - Attachment mime type: text/plain → text/html
Comment on attachment 739893 [details]
Exploit (launches calc.exe on windows)

Oh, btw, run from HTTP to avoid the mixed-content blocker ruining things.
Attachment #739893 - Attachment mime type: text/html → text/plain
Keywords: sec-critical
Assignee: nobody → bobbyholley+bmo
Matt agreed to confirm exploitability (or not) of branches. \o/
Flags: needinfo?(mwobensmith)
Is this something that may affect all branches, or might it be a regression from more recent patches?
Holy moly Mariusz, this is probably the best Mozilla exploit I've ever seen. The depth and cleverness here are off the charts. There are at least three distinct security exploits working in tandem here, and a number of other bits of suboptimal Gecko behavior being used as well. You have my deepest respect.

For those following along, here's the short version of what this testcase does:
1 - Hijacks the XBL scope using <marquee>
2 - Using the nsExpandedPrincipal associated with the XBL scope, exploits a bug in CAPS to load "about:" in an iframe, which ends up loading with system principal.
3 - Using the ability of XBL scopes to create Xray waivers to content, bypasses COWs to access the |about:| iframe's Object.prototype, grabs __lookupSetter__, uses __lookupSetter__ to get a chrome-side setter to Element.innerHTML, and invokes the setter with the payload, causing it to get loaded as chrome.

Bugs 1 and 2 are really bad bugs but straightforward to fix. The XBL Scope hijack is particularly problematic on Beta, because we still have the Sandbox exception for __exposedProps__ there, meaning that this allows arbitrary COW bypasses even without the cleverness of (2) and (3). Thankfully, those bugs should be easy to backport.

I'm going to file dependent bugs for all of the pieces here.
Depends on: 865947
Depends on: CVE-2013-1703
Depends on: 829872
I still need to file the lynchpin bug here - I'll get to it shortly.
Depends on: 866823
Exploit works on 22/23, all Windows.

For the purposes of this bug, I set the branch flags. However, I understand that components of this bug - the bugs that were filed as a result - may actually affect older branches.
Keywords: regression
As above, can we assume this affects Mac/Linux as well?
yeah.
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Spoke with Bobby over email, no need to track this meta bug specifically (we're tracking/uplifting related bugs).
I think this can be closed, as all of the blocking bugs have been marked fixed.  This should probably also be verified as fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Keywords: verifyme
Resolution: --- → FIXED
I will verify this.
QA Contact: mwobensmith
Confirmed exploit on FF23, 2013-04-19
Verified fixed on FF22, 2013-05-31
Verified fixed on FF23, 2013-05-31
Verified fixed on FF24, 2013-05-31
Status: RESOLVED → VERIFIED
Keywords: verifyme
Whiteboard: [adv-main22+]
Alias: CVE-2013-1687
Attachment #739893 - Attachment description: Exploit → Exploit (launches calc.exe on windows)
Attachment #739893 - Attachment is private: true
Attachment #739893 - Attachment mime type: text/plain → text/html
Group: core-security
Is there any way that I could get access to the attachment testcase?  I've been studying older exploits some this week, and I would love to see this work.
(In reply to codyc from comment #16)
> Is there any way that I could get access to the attachment testcase?  I've
> been studying older exploits some this week, and I would love to see this
> work.

I have emailed the testcase to cody.
(In reply to Bobby Holley (:bholley) from comment #17)

> I have emailed the testcase to cody.

Heh. I encrypted it with his new key and did the same...
Attachment #739893 - Attachment is private: false
Aww, now I don't feel all super special ;-)