Bugzilla@Mozilla – Bug 554449
Fix in bug 504021 can be circumvented
Last modified: 2011-03-29 19:11:26 PDT
In nsXPCWrappedJSClass::CallMethod, JS_GetMethod is called before pushing a principal, and XPCConvert::JSData2Native is called after popping the principal. On 1.9.0, in nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject, OBJ_GET_PROPERTY is called before pushing a principal. 1.9.0 is exploitable by bug 504021. (On trunk/1.9.2/1.9.1, bug 504021 was fixed by bug 503926.) A testcase for bug 554448 (which is trunk-only) depends on this bug.
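An added C++ model of the ordering defect described above (illustration only, not Mozilla's code): a principal stack stands in for the security context XPConnect pushes before calling into content JS, and the model records which principal is current at each point where content-defined script could run. The principal string and the function names are constructed for the example.

```cpp
// Model of the principal push/pop window from comment 0. Property lookup
// (JS_GetMethod) and result conversion (JSData2Native) can both run
// content-defined script (a getter, a valueOf), so whatever principal is
// current at those moments is what that script runs as.
#include <string>
#include <vector>

struct PrincipalStack {
    std::vector<std::string> stack{"system"};     // chrome/system by default
    const std::string& current() const { return stack.back(); }
};

// RAII guard: pushes the caller's principal, pops it when the scope ends.
struct PushPrincipal {
    PrincipalStack& s;
    PushPrincipal(PrincipalStack& st, const std::string& p) : s(st) { s.stack.push_back(p); }
    ~PushPrincipal() { s.stack.pop_back(); }
};

// Which principal content-defined script saw at each of the three callout points.
struct Observed { std::string atLookup, atCall, atConvert; };

// Ordering the comment describes: lookup before the push, conversion after the pop.
Observed callMethodBuggy(const std::string& contentPrincipal) {
    PrincipalStack s;
    Observed o;
    o.atLookup = s.current();            // JS_GetMethod analogue: a getter runs as "system"
    {
        PushPrincipal guard(s, contentPrincipal);
        o.atCall = s.current();          // the method body itself runs as content
    }
    o.atConvert = s.current();           // JSData2Native analogue: valueOf runs as "system"
    return o;
}

// Corrected ordering: one scope covers lookup, call and conversion.
Observed callMethodFixed(const std::string& contentPrincipal) {
    PrincipalStack s;
    PushPrincipal guard(s, contentPrincipal);
    Observed o;
    o.atLookup = s.current();
    o.atCall = s.current();
    o.atConvert = s.current();
    return o;
}

// True only if every callout into content ran under the content principal.
bool allCalloutsScoped(const Observed& o, const std::string& p) {
    return o.atLookup == p && o.atCall == p && o.atConvert == p;
}
```

The check to apply when reviewing such code is that every call that can re-enter content script sits inside the pushed scope, not just the call itself.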
Created attachment 434347 [details] testcase (requires Firebug)
This uses bug 344495's trick. This works on the fx3.0.19 candidate.
Comment on attachment 434347 [details] testcase (requires Firebug)
What is the Firebug pattern you're abusing here? Something we're likely to see in other add-ons?
(In reply to comment #2)
> (From update of attachment 434347 [details])
> What is the Firebug pattern you're abusing here? Something we're likely to see
> in other add-ons?
Please see bug 504021 comment 0. Add-ons that access content xhr.on* could be exploitable on 1.9.0.
1.9.0.x branch is EOL.
Ah, I intended this bug to cover trunk and all branches. Patches for trunk and all branches in bug 504021 have flaws I described in the first paragraph of comment 0.
Blake, can we get an ETA here?
Created attachment 440367 [details] [review] Proposed fix
And note: that patch is m-c only... Older branches that call QI on content objects will need more patching.
http://hg.mozilla.org/mozilla-central/rev/87ceb85b85df
Blake: you said this was "more involved" on the branches so now would be a good time to start working on it for the next set of releases.
Comment on attachment 440367 [details] [review] Proposed fix
This actually applies as-is to these two branches. I must have been confusing this bug with another one.
(that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree, I wonder if a change in Firebug is masking the problem)
Comment on attachment 440367 [details] [review] Proposed fix
a=LegNeato for 1.9.2.13 and 1.9.1.16. Please submit by the end of today PST.
(In reply to comment #12)
> (that being said, I'm having trouble reproducing the exploit on my 1.9.2 tree,
> I wonder if a change in Firebug is masking the problem)
The testcase in this bug worked only on the 1.9.0 branch. Please see bug 560466. A testcase in bug 560466 depends on this bug.
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/81f0ff4d3cbb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/eab9c1dd1f17
Created attachment 496155 [details] [review] Backport for 1.9.0
So, interestingly, this backport does fix bug 560466, but not this one. Am I missing something?
Comment on attachment 496155 [details] [review] Backport for 1.9.0
Looks good to me, but mrbkap should have a look as well, and may know why this may not fix this bug but fixes bug 560466.
(In reply to comment #16)
> So, interestingly, this backport does fix bug 560466, but not this one. Am I
> missing something?
1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix bug 503926) to stop the testcase in this bug.
(In reply to comment #18)
> 1.9.0 needs to fix nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject (or fix
> bug 503926) to stop the testcase in this bug.
Applying the patch from bug 503926 fixes the issue, indeed. What is strange is that bug 503926 was supposed to be required to fix CVE-2010-0179 (bug 504021), which was fixed in 1.9.0.19, but bug 503926 isn't in 1.9.0.19.
Please see bug 504021 comment #19, #55, #56. The 1.9.0 patch modified nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject instead of fixing bug 503926.