Date: Thu, 13 Sep 2012 19:59:46 +0200 From: Tavis Ormandy <taviso@...xchg8b.com> To: oss-security@...ts.openwall.com Subject: Re: note on gnome shell extensions Vincent Danen <vdanen@...hat.com> wrote: > * [2012-09-13 18:03:33 +0200] Marcus Meissner wrote: > > > On Thu, Sep 13, 2012 at 05:39:57PM +0200, Tavis Ormandy wrote: > > > On Mon, Sep 10, 2012 at 02:48:38PM -0600, Vincent Danen wrote: > > > > * [2012-09-08 18:14:10 -0600] Kurt Seifried wrote: SUSE has some > > > > interesting info in their bug: > >> > > > > > https://bugzilla.novell.com/show_bug.cgi?id=779473#c4 > >> > > > > > By the sounds of it, this should be harmless. Vincent Untz says > > > > that the browser plugin doesn't actually install the extensions, > > > > it's passed to another process via a dbus call to gnome-shell, which > > > > sends the uuid of the extension to the extensions.gnome.org web site > > > > in order to download the extension. > >> > > > > > See: > >> > > > > > http://git.gnome.org/browse/gnome-shell/tree/js/ui/shellDBus.js#n305 > > > > http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionDownloader.js#n27 > >> > > > > > which is: > >> > > > > > let message = Soup.form_request_new_from_hash('GET', > > > > REPOSITORY_URL_INFO, params); > >> > > > > > And REPOSITORY_URL_INFO is hardcoded earlier: > >> > > > > > const REPOSITORY_URL_BASE = 'https://extensions.gnome.org'; const > > > > REPOSITORY_URL_DOWNLOAD = REPOSITORY_URL_BASE + > > > > '/download-extension/%s.shell-extension.zip'; const > > > > REPOSITORY_URL_INFO = REPOSITORY_URL_BASE + '/extension-info/'; > > > > const REPOSITORY_URL_UPDATE = REPOSITORY_URL_BASE + > > > > '/update-info/'; > >> > > > > > I don't think this is something that can be exploited, based on the > > > > above. > >> > > > Not sure I follow the logic, can't I just upload something malicious > > > to extensions.gnome.org and then force you to download it? I mean, I > > > can try it if you're not convinced it's possible. > > > > There are supposed to be reviewers before it gets activated, but exactly > > this concern Sebastian also voiced. > > > > > They surely do not have a magical technique for determining if my code > > > is or can become malicious. > > > > Exactly. > > Yeah, this is definitely a possibility, but could happen regardless of > this with some social engineering (hey, download my cool foo extension!) > and have something malicious up there. This is pretty much the same > thing, just making it easier. Well, no. This is like saying it's pointless to patch vulnerabilities, because I can just make you download malware. You can't just make me download malware, because I know how to make trust decisions. You could make me download a malicious gnome extension, because you can do so without interaction or my consent. > It's not much different than having a malicious app in the > iTunes/Android/Whatever app store. The flaw there isn't so much in the > app store, but the app. Wouldn't the same thought apply here? > I've uploaded my malicious android app, how do I make you install it? I can create http://foo.com/malware.rpm, that's clearly not a vulnerability and working as designed. But if I can force you to download and install it without you having the opportunity to make a trust decision, that clearly is a vulnerability. Do you agree that I can upload something malicious to extensions.gnome.org? Do you agree that I can make you install it without consent, interaction, or the opportunity to make a trust decision? If so, then I don't understand the objection :-) Tavis. -- ------------------------------------- taviso@...xchg8b.com | pgp encrypted mail preferred -------------------------------------------------------
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ