Closed Bug 896255 Opened 12 years ago Closed 11 years ago

Execute an XPI covered by Title Even (spoofing/clickjacking)

Categories

(Core :: General, defect)

22 Branch
x86_64
Windows 7
defect
Not set
normal


RESOLVED DUPLICATE of bug 884488

People

(Reporter: jordi.chancel, Unassigned)

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [local attack])

Attachments

(4 files)

Attached file TESTCASE LOCAL 1
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130618035212

Steps to reproduce:
- Go to 2.html and don't move the mouse when it is on the link
- Press ENTER (if you don't understand, look at this YouTube video => http://www.youtube.com/watch?v=Q3O2Kn2xyPw&feature=youtu.be)

Actual results:
XPI is executed

Expected results:
Title event covers the XPI install box.
Attached file Windows exemple
:dveditz - is this bug related to the fix you mention in https://bugzilla.mozilla.org/show_bug.cgi?id=888842#c3
Flags: needinfo?(dveditz)
It's not a duplicate! See the PoC; it works with different elements.
Flags: needinfo?(dveditz)
(In reply to Jordi Chancel from comment #3)
> It's not a duplicate! See the PoC; it works with different elements.

I did not say it was a duplicate, I am asking if the fixes are related. I would appreciate it if you could please not clear flags explicitly set for other people. Please allow us to do our work in our time frame and be patient as we try to do our jobs.
Flags: needinfo?(dveditz)
Attachment #778941 - Attachment mime type: application/octet-stream → application/java-archive
(In reply to Jordi Chancel from comment #1)
> Created attachment 778942 [details]
> Windows exemple

What format is this? It doesn't seem to be a .zip like the first attachment.

(In reply to Curtis Koenig [:curtisk] from comment #2)
> :dveditz - is this bug related to the fix you mention in
> https://bugzilla.mozilla.org/show_bug.cgi?id=888842#c3

Depends on how we fix it. Ultimately both rely on the fact that an important security dialog is allowing content above it. If that dialog is not the top-most thing on the screen it should not be "active".
Flags: needinfo?(dveditz)
Whiteboard: [sg:critical]
Attached file Linux exemple
Flags: sec-bounty?
Whiteboard: [sg:critical]
This is what I see when I follow the STR in FF23/Linux64 with a clean profile:
1. load 2.html
2. hover the mouse over the link on the page and wait

Nothing happens when I press Enter in this state (the Allow button does not have focus). Still, I suspect that the "wait 5 seconds and then press Enter" is really meant for the Install button in the add-on installation dialog, which makes me wonder -- how did you get past the Allow button?
On Windows and Linux, after the add-on loading (5 seconds), the button "executed" is selected by default; when you press Enter this add-on is executed. It's not complicated.
And the title event covers the add-on box. Read the previous message, which says: On Windows and Linux, after the add-on loading (5 seconds), the button "executed" is selected by default; when you press Enter this add-on is executed. It's not complicated.
But the add-on installation dialog does not open unless you first click "Agree" (see my screenshot). Please test in a fresh profile and see for yourself. (I get the same results on Windows 7)
I'm using http:// of course, maybe that's the difference?
Test this testcase locally please. My testcase works only locally on file:///
Ah OK, if I load the test using file:// then the initial Allow confirmation step is skipped and I get directly to the installation dialog. But that means the PoC requires that the .xpi is already on my file system.
Yes, but it can be not visible in another folder in the zip.
But you still have to convince the user to save some file to disk, then open that file using file:// then follow the instructions on that page "hover the link, wait 5 seconds, then press Enter". It seems rather unlikely that anyone would follow through performing all these steps without getting suspicious.
Depends on: 884488
Whiteboard: sec-low
I have never seen a sec-low that allows perfect local code execution! It's moderate or high, but it's not high, it's moderate!!!
Whiteboard: sec-low → sec-modedrate
Whiteboard: sec-modedrate → sec-moderate
That's not true - extensions have system privileges, so installing one without user consent is exactly arbitrary code execution.
Jordi, making your own modifications to the security rating or whiteboard is counter productive to what you are trying to achieve. I agree that the end effect is severe, but because these testcases are difficult to get to work and very platform-specific, the severity is mitigated by the unreliability of the attack.
Whiteboard: sec-moderate
(In reply to Jordi Chancel from comment #16)
> Yes, but it can be not visible in another folder in the zip.

But if you ask the user to save a ZIP file, and then load that locally, doesn't that trigger some external unzip process to be able to load the HTML file inside? (in addition to the steps in comment 17). And if you're not using a ZIP file, you'll have to convince the user to save *two* files? Maybe you could write down the exact steps you think are the simplest to download the PoC and launch it locally with file:// in the browser, just in case we're missing something.
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #20)
> Jordi, making your own modifications to the security rating or whiteboard is
> counter productive to what you are trying to achieve.

In fact, we've specifically told Jordi not to do this on his bugs on more than one occasion. Jordi, if you keep doing this, we're going to have to remove some of your bugzilla privileges.
I'm sorry.
Flags: sec-bounty? → sec-bounty-
Whiteboard: [local attack]
Bug Bounty Triage: We're making bug 884488 the master bug for XPI clickjacking issues that you're reporting. They are all variants of the same basic problem.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release