[Webkit-unassigned] [Bug 16011] New: JavaScript privilege escalation when Web Inspector accesses page unsafely
bugzilla-daemon at webkit.org
Thu Nov 15 20:40:12 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=16011
Summary: JavaScript privilege escalation when Web Inspector accesses page unsafely
Product: WebKit
Version: 525+ (Nightly build)
Platform: PC
URL: http://www.stanford.edu/~collinj/research/inspector.html
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Web Inspector
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: webkit at collinjackson.com
CC: hk9565 at gmail.com
The Web Inspector is written in JavaScript. It is served from a privileged
file:// URL, while the page it inspects may be served from a http:// URL and is
thus constrained by the browser's same-origin policy.
When privileged JS interacts with unprivileged JS, the unprivileged JS may
escape its unprivileged sandbox and hijack the capabilities of the privileged
sandbox. Firefox has several classes, such as XPCSafeJSObjectWrapper, to allow
privileged JavaScript to access unprivileged JavaScript safely:
http://developer.mozilla.org/en/docs/XPConnect_wrappers#XPCSafeJSObjectWrapper
WebKit does not provide a similar API, so the Web Inspector resorts to
accessing the raw page directly. The unsafe access allows the page being
inspected to escalate its privileges, scripting other domains and reading the
user's file system.
Several examples of unsafe access can be found in
WebCore/page/inspector/PropertiesSidebarPane.js, where the code attempts to
dereference "object[propertyName]" (note that "object" is an unsafe object
controlled by the attacker). The attacker can define a malicious getter for the
propertyName property of "object" that uses
caller.caller.caller.caller.caller.arguments[0].target.ownerDocument.defaultView
to obtain a reference to the Inspector's privileged DOMWindow.