Closed Bug 931768 Opened 11 years ago Closed 11 years ago

Arbitrary code execution using openDialog

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox26 --- unaffected
firefox27 + verified
firefox28 + verified
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: marius.mlynski, Assigned: peterv)

References

Details

(Keywords: regression, sec-critical)

Attachments

(2 files, 3 obsolete files)

Exploit
752 bytes, text/html
Details
v1 with testcase
3.09 KB, patch
peterv
: review+
abillings
: approval-mozilla-aurora+
abillings
: sec-approval+
Details | Diff | Splinter Review
Attached file Exploit 
This is a regression from bug 918345. The new implementation of nsGlobalWindow::OpenDialog doesn't check if it's called from chrome, which allows web content to open privileged windows.

The attached example launches C:\Windows\System32\calc.exe (Windows) or alerts Components.classes (other systems) in Nightly 27.0a1 (2013-10-28).
Keywords: regression
Attached patch Patch (v1) (obsolete) — Splinter Review 
Assignee: nobody → ehsan
Status: NEW → ASSIGNED

        Attachment #823355 -
        Flags: review?(peterv)

    
    

    
  
Comment on attachment 823355 [details] [diff] [review]
Patch (v1)

[Security approval request comment]
How easily could an exploit be constructed based on the patch?  The patch makes it clear that this is a chrome permission check, and hence exposes the bug, but coming up with the exploit in the test case here probably takes a bit more effort.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?  See above.

Which older supported branches are affected by this flaw? Firefox 27, where bug 918345 landed.

If not all supported branches, which bug introduced the flaw?  Bug 918345.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? N/A.

How likely is this patch to cause regressions; how much testing does it need?  It should bring us back to the old behavior, so the risk for regressions should be minimal.

        Attachment #823355 -
        Flags: sec-approval?

    
    

    
  
Comment on attachment 823355 [details] [diff] [review]
Patch (v1)

Did you try the patch? I don't see how this could fix it, this is a non-scriptable method.

        Attachment #823355 -
        Flags: sec-approval?

        Attachment #823355 -
        Flags: sec-approval-

        Attachment #823355 -
        Flags: review?(peterv)

        Attachment #823355 -
        Flags: review-

    
    

    
  
We probably just need to mark openDialog ChromeOnly in the Window.webidl.
Assignee: ehsan → peterv

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 (obsolete)
        — Splinter Review
      

    


  
Working on an automated testcase, pretty sad that we didn't have one already.

    
    

    
  
Marking this as [ChromeOnly] will hide the method from regular content, which changes our existing behavior.  Is that OK?

    
    

    
  
Calling it has always thrown so you'll just get a different kind of exception (ReferenceError vs a security exception). The only difference in behaviour is if it's used for browser detection ("openDialog in window"), but I think we should try it anyway.

    
    

    
  
And actually, until we switch completely to WebIDL for the Window object there won't be a difference at all, since we'll just fall back to XPConnect if the WebIDL property isn't installed.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 (obsolete)
        — Splinter Review
      

    


  

        Attachment #823355 -
        Attachment is obsolete: true

        Attachment #823447 -
        Attachment is obsolete: true

        Attachment #823504 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 823504 [details] [diff] [review]
v1

r=me

        Attachment #823504 -
        Flags: review?(bzbarsky) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 with testcaseSplinter Review
      

    


  
[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Fairly easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yeah, we're specifically marking an accidentally exposed API as ChromeOnly.

Which older supported branches are affected by this flaw?

Firefox 27.

If not all supported branches, which bug introduced the flaw?

Bug 918345.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

The patch will be identical.

How likely is this patch to cause regressions; how much testing does it need?

Very low risk, we're basically reverting to the previous behaviour.

        Attachment #823577 -
        Flags: sec-approval?

        Attachment #823577 -
        Flags: review+

    
  

        Attachment #823504 -
        Attachment is obsolete: true

    
    

    
  
If we haven't branched to make 27 Aurora and Central into 28 (effectively) yet, you can check this in without sec-approval. I thought the branching happened later today.

Otherwise, I'll give it sec-approval but we'll have to put it on Aurora if we go post-branching.

    
    

    
  
Comment on attachment 823577 [details] [diff] [review]
v1 with testcase

Looks like we just missed the branching. I'm giving sec-approval+ and approving for Aurora to get this in.

        Attachment #823577 -
        Flags: sec-approval?

        Attachment #823577 -
        Flags: sec-approval+

        Attachment #823577 -
        Flags: approval-mozilla-aurora+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/bcda05da19cd
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28

    
    

    
  
setting status-firefox28 to fixed per comment #16

          status-firefox28:
          affectedfixed
Keywords: verifyme

    
    

    
  
Confirmed issue on FF27, 2013-10-28.
Verified fixed, FF27 2013-11-20.
Verified fixed, FF28 2013-11-26.
Status: RESOLVED → VERIFIED

          status-firefox27:
          fixedverified

          status-firefox28:
          affectedverified
Keywords: verifyme
Flags: sec-bounty? → sec-bounty+
Group: core-security
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: