[Webkit-unassigned] [Bug 16011] New: JavaScript privilege escalation when Web Inspector accesses page unsafely

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 15 20:40:12 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=16011

           Summary: JavaScript privilege escalation when Web Inspector
                    accesses page unsafely
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: PC
               URL: http://www.stanford.edu/~collinj/research/inspector.html
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Web Inspector
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: webkit at collinjackson.com
                CC: hk9565 at gmail.com


The Web Inspector is written in JavaScript. It is served from a privileged
file:// URL, while the page it inspects may be served from a http:// URL and is
thus constrained by the browser's same-origin policy.

When privileged JS interacts with unprivileged JS, the unprivileged JS may
escape its unprivileged sandbox and hijack the capabilities of the privileged
sandbox. Firefox has several classes, such as XPCSafeJSObjectWrapper, to allow
privileged JavaScript to access unprivileged JavaScript safely:

http://developer.mozilla.org/en/docs/XPConnect_wrappers#XPCSafeJSObjectWrapper

WebKit does not provide a similar API, so the Web Inspector resorts to
accessing the raw page directly. The unsafe access allows the page being
inspected to escalate its privileges, scripting other domains and reading the
user's file system.

Several examples of unsafe access can be found in
WebCore/page/inspector/PropertiesSidebarPane.js, where the code attempts to
dereference "object[propertyName]" (note that "object" is an unsafe object
controlled by the attacker). The attacker can define a malicious getter for the
propertyName property of "object" that uses
caller.caller.caller.caller.caller.arguments[0].target.ownerDocument.defaultView
to obtain a reference to the Inspector's privileged DOMWindow.
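As an added example (not code from the bug report or from WebKit), the following contrasts the unsafe `object[propertyName]` read with a read that inspects property descriptors instead of invoking accessors the inspected page defined. It relies on ES5+ reflection that 2007-era WebKit did not have, and the untrusted object and its logging getter are constructed here for illustration.

```javascript
// Added example, not code from the bug report or from WebKit. It contrasts the
// "object[propertyName]" read from PropertiesSidebarPane.js with a read that
// refuses to execute accessors owned by the inspected page. Uses ES5+
// reflection (getOwnPropertyDescriptor / getPrototypeOf) that 2007 WebKit lacked.

// Audit trail: records every time page-controlled code runs inside the
// (simulated) privileged inspector context.
const getterLog = [];

// Constructed stand-in for an object handed to the inspector by the page.
function makeUntrustedObject() {
  const obj = { plainValue: 42 };
  Object.defineProperty(obj, "trapped", {
    enumerable: true,
    get() {
      // This is the point where the report's caller-chain escalation would
      // begin; the constructed getter only records that it was executed.
      getterLog.push("page-defined getter ran in inspector context");
      return "innocent-looking value";
    },
  });
  return obj;
}

// Vulnerable pattern: plain property access invokes any getter the page set.
function unsafeRead(object, propertyName) {
  return object[propertyName];
}

// Sentinel returned instead of invoking an accessor.
const ACCESSOR = Symbol("accessor-not-invoked");

// Hardened pattern: walk the prototype chain reading descriptors only.
// Data properties yield their stored value; accessors yield ACCESSOR so the
// UI can show "(getter)" rather than running page code. Caveat: an ES2015
// Proxy can still intercept these reflection calls, so the durable fix is
// to run inspector code in an isolated world, not to sanitize reads.
function safeRead(object, propertyName) {
  for (let o = object; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, propertyName);
    if (desc === undefined) continue;
    return "value" in desc ? desc.value : ACCESSOR;
  }
  return undefined;
}

// Count how many times page code ran during one read with a given strategy.
function getterRuns(readFn, object, propertyName) {
  const before = getterLog.length;
  readFn(object, propertyName);
  return getterLog.length - before;
}
```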
