
Re: [caplet] Re: ADsafe and bind

  • Kris Zyp
    Message 1 of 13, Sep 8, 2008
      > mozilla() does not work if you haven't called it on a vulnerable
      > method (of which there are at least a dozen in Firefox). In the
      > current version of adsafe.js, only concat, reverse, and sort are
      > correctly fixed with mozilla(). Also, like I said it's very common to
      > augment Array with unsafe methods. It's also unreasonable to expect a
      > host environment to understand the dangers of augmenting
      > Array.prototype. Many libraries augment Array.prototype, and in most
      > cases the host won't even be aware.

      Understood. I think the situation may be a little different for me than for ADsafe in general, since I am focused on a Dojo-specific impl of ADsafe. Since we are the host library, I think we have more leeway in saying that it is not safe to use Dojo Secure with other libraries (that might augment Array.prototype), or to augment Array yourself. On the other hand, ADsafe presumably aims to work with all libraries (even prototype-augmenting ones), although I would think even ADsafe would have to set up some limits, since there are so many ways to make a host environment unsafe that ADsafe simply can't defend against.

      Of course I still need to make sure mozilla() is called on all vulnerable methods...

      Once again, thank you for the insights,
      Kris
    • Douglas Crockford
      Message 2 of 13, Sep 8, 2008
        --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@...> wrote:
        > Of course the attack assumes that the host uses Prototype and also
        > has an iframe on the page, but I imagine such cases aren't hard to
        > find. There's also several other ways you can get window without
        > even depending on Prototype:
        > ([].slice || 0)(0)
        > ([].sort || 0)()
        > ([].forEach || 0)(function(a,b,win){ })
        >
        > So now you're in a tough situation. Do you blacklist all of those
        > vectors? I see you're currently using mozilla() to handle concat,
        > reverse, and sort but that approach won't work consistently on all
        > sites.

        I looked at the Mozilla array methods, and wrapped the three that I
        observed leaking the global object. Under what circumstances do slice,
        forEach, et al, leak?
      • Kris Zyp
        Message 3 of 13, Sep 8, 2008
          > I looked at the Mozilla array methods, and wrapped the three that I
          > observed leaking the global object. Under what circumstances do slice,
          > forEach, et al, leak?
          If there is an iframe somewhere on the page, they can leak access to it (I was able to reproduce that).
          Kris
          ----- Original Message -----
          Sent: Monday, September 08, 2008 11:04 AM
          Subject: [caplet] Re: ADsafe and bind

          --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@...> wrote:
          > Of course the attack assumes that the host uses Prototype and also
          > has an iframe on the page, but I imagine such cases aren't hard to
          > find. There's also several other ways you can get window without
          > even depending on Prototype:
          > ([].slice || 0)(0)
          > ([].sort || 0)()
          > ([].forEach || 0)(function(a,b,win){ })
          >
          > So now you're in a tough situation. Do you blacklist all of those
          > vectors? I see you're currently using mozilla() to handle concat,
          > reverse, and sort but that approach won't work consistently on all
          > sites.

          I looked at the Mozilla array methods, and wrapped the three that I
          observed leaking the global object. Under what circumstances do slice,
          forEach, et al, leak?

        • Douglas Crockford
          Message 4 of 13, Sep 8, 2008
            --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@...> wrote:

            Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
            now conditioned on the existence of slots for concat, filter, map,
            reverse, slice, and sort.

            I haven't found the leak in forEach. How does that one work?
          • marcel.laverdet
            Message 5 of 13, Sep 8, 2008
              --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:
              >
              > --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@> wrote:
              >
              > Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
              > now conditioned on the existence of slots for concat, filter, map,
              > reverse, slice, and sort.
              >
              > I haven't found the leak in forEach. How does that one work?
              >

              As follows:
              <iframe src="#"></iframe>
              <script>
              var leak;
              ([].forEach || 0)(function(a,b,win) {
              leak = win;
              });
              leak.alert(leak);
              </script>

              Simple demo:
              http://llamaguy.com/adsafe/

              It even works in Safari :D
            • brendaneich
              Message 6 of 13, Sep 8, 2008
                --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:
                >
                > --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@> wrote:
                >
                > Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
                > now conditioned on the existence of slots for concat, filter, map,
                > reverse, slice, and sort.
                >
                > I haven't found the leak in forEach. How does that one work?

                These vulnerabilities were first pointed out by Jeff Walden and Eli
                Friedman, then interns at Mozilla, in August 2007. Jeff wrote back
                then in reply to Marcel:

                "... you need only call it on something that has a length property (or
                a getter that doesn't throw), and so long as your provided function
                *is* one, it'll get called for each item less than the pre-computed
                length. Here's an example:

                =====

                <a onclick="boom();">click here</a>
                <script>

                function boom()
                {
                var win = null;
                var forEach = [].forEach;
                forEach(function(val, prop, thisp) {
                win = thisp;
                }, []);
                win.alert("Hello world!");
                }

                </script>

                =====

                Aha, but that doesn't work, and for a simple enough reason: the test
                console page (presumably you used this) doesn't have any subframes,
                iframes, etc. Consequently, |window.length == 0| and there's nothing
                to iterate over, so the callback is never called. However, it's a
                reasonably safe bet that most Facebook pages *will* contain iframes
                for ads, and with an iframe in the document it'll succeed. To
                demonstrate this, simply run the following URL on the test console
                after loading the given example:

                javascript:var d = document;
                d.body.appendChild(d.createElement("iframe"));[].v

                Before I load that, the exploit fails. After I load it, it succeeds.

                Jeff

                0.
                http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Array:forEach
                "

                Separately, Eli wrote:

                "Some other methods that are also vulnerable: Array.prototype.reverse,
                Array.prototype.sort, Array.prototype.forEach (returns this in Safari 2
                only), and Object.prototype.valueOf.

                Also, combined with Array.prototype.push or Array.prototype.unshift or
                the existence of a subframe, a similar vulnerability exists with
                Array.prototype.forEach, Array.prototype.every, Array.prototype.map,
                Array.prototype.some, Array.prototype.reduce (Fx 3 only),
                Array.prototype.reduceRight (Fx 3 only), and Array.prototype.filter.

                -Eli
                "

                So scrutinize all of the array extras, not just forEach, map, and filter.

                HTH, and credit where due.

                /be
              • Douglas Crockford
                Message 7 of 13, Sep 8, 2008
                  --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@...> wrote:
                  >
                  > --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@> wrote:
                  > >
                  > > --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@> wrote:
                  > >
                  > > Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
                  > > now conditioned on the existence of slots for concat, filter, map,
                  > > reverse, slice, and sort.
                  > >
                  > > I haven't found the leak in forEach. How does that one work?
                  > >
                  >
                  > As follows:
                  > <iframe src="#"></iframe>
                  > <script>
                  > var leak;
                  > ([].forEach || 0)(function(a,b,win) {
                  > leak = win;
                  > });
                  > leak.alert(leak);
                  > </script>
                  >
                  > Simple demo:
                  > http://llamaguy.com/adsafe/
                  >
                  > It even works in Safari :D

                  Thanks. ADsafe is now wrapping concat every filter forEach map reduce
                  reduceRight reverse slice some sort.
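The mitigation described in the thread, wrapping each array method so that it refuses to run unless its receiver is a genuine array, as an added example in modern JavaScript. This is not ADsafe's own mozilla() code; it only takes the list of method names from Crockford's final message, and the names guardArrayMethods, callSafely and checkGuard are assumed for this illustration. ES5 strict-mode functions no longer substitute the global object for an undefined `this`, and the ES5 array extras throw a TypeError when called on null or undefined, so the leak itself does not reproduce in current engines; the guard still narrows the receiver to real arrays, which is the property a host library wants when it cannot control every other script on the page.

```javascript
'use strict';

// Added example, not ADsafe's mozilla() code: the methods listed as
// wrapped in the final message of the thread.
const GUARDED_METHODS = [
  'concat', 'every', 'filter', 'forEach', 'map', 'reduce', 'reduceRight',
  'reverse', 'slice', 'some', 'sort'
];

// Replace each named method on `proto` with a wrapper that only delegates
// to the original when the receiver is a genuine Array. A call with no
// receiver (the bare `forEach(fn)` pattern from the thread) or with an
// array-like object therefore throws instead of iterating over whatever
// `this` happens to be. Returns the originals so a host can restore them.
function guardArrayMethods(proto, names) {
  const originals = {};
  for (const name of names) {
    const original = proto[name];
    if (typeof original !== 'function') continue; // engine lacks this method
    originals[name] = original;
    Object.defineProperty(proto, name, {
      value: function guarded() {
        if (!Array.isArray(this)) {
          throw new TypeError('Array.prototype.' + name + ' called on a non-array receiver');
        }
        return original.apply(this, arguments);
      },
      writable: true,
      configurable: true,
      enumerable: false // keep for-in over arrays unchanged
    });
  }
  return originals;
}

// Run `fn` and report 'ok' or the name of the error it threw.
function callSafely(fn) {
  try {
    fn();
    return 'ok';
  } catch (e) {
    return e.name;
  }
}

// Self-check: real arrays still work, while a missing receiver and a
// plain array-like object are both rejected by the guard.
function checkGuard() {
  return {
    sorted: [3, 1, 2].sort(function (a, b) { return a - b; }),
    doubled: [1, 2, 3].map(function (x) { return x * 2; }),
    noReceiver: callSafely(function () {
      const forEach = Array.prototype.forEach;
      forEach(function () {}); // no receiver at all
    }),
    arrayLike: callSafely(function () {
      Array.prototype.forEach.call({ length: 1, 0: 'x' }, function () {});
    })
  };
}

// Install the guard on the real Array.prototype, as a host library would.
const ORIGINALS = guardArrayMethods(Array.prototype, GUARDED_METHODS);

console.log(checkGuard());
```

The wrapper checks `Array.isArray(this)` rather than `this !== window`, so it also rejects array-likes such as `arguments` or DOM collections; a host that legitimately relies on calling the extras against array-likes would need to whitelist those call sites instead.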