Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 18 Oct 2023 13:25:21 -0500
From: Grant Taylor <gtaylor@...tconsulting.net>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you
 anytime

I have some misgivings about this.

On 10/16/23 7:17 PM, turistu wrote:
> In firefox running on X11, any script from any page can freely write 
> to the primary selection,

I'm largely inclined to say "so what is the problem here?" but I'm 
trying to keep an open mind and understand ~> maybe learn something.

The *primary* /selection/ /buffer/ is updated by simply selecting text 
on the screen.

About the only thing that I can see being a problem is if something 
updates the chosen selection buffer without my knowledge while I'm in 
the middle of doing something using the selection buffer.

*Selection* /buffer/ being a buffer referencing something that is selected.

Remember, the selection buffers; primary and / or secondary, are 
completely independent of the clipboard.

> and that can be easily exploited to run arbitrary code on the user's 
> machine.

I'm not convinced of that.

1st, simply updating the selection buffer doesn't mean that what's in it 
will be used for anything,
2nd, the updated selection buffer must be used in a way that tries to 
execute a command or maliciously alters contents, e.g. swapping 
something of value for something else malicious, say an address to send 
something.

> No user interaction is necessary -- any page able to run javascript 
> can do it ....

The ability to update the selection buffer doesn't extend into the 
ability to cause what's in the selection buffer to be executed.

> This applies to all the versions of mozilla/firefox and their 
> derivatives (seamonkey, etc) ....

It probably applies to a lot more than that.  I suspect that anything 
that can run 3rd party code can do the same thing.

> Sooner or later, when trying to paste something in the terminal with 
> shift-Insert or middle click, you will end up running the command 
> `writeXPrimary()` has injected just between your copy and paste.

I can do the same thing with most shells that you're claiming is a 
Mozilla / Firefox bug:

    while sleep 1; do echo "yes LOL" | xsel -ip; done

Change your sleep duration, what goes into the primary selection buffer, 
tool used to modify the selection buffer, which selection buffer / 
clipboard you monkey with, etc.

I think that this is more a problem with X11 security than it is a 
problem specific to Mozilla / Firefox.

This X11 security issue is well known and has been well known for 
decades.  Anybody / anything that can read / write to your DISPLAY can 
do this.

Maybe the fact that malicious JavaScript can do this is a surprise.  But 
I don't see this as a new issue.

As I said earlier, I'm unconvinced that this is a Mozilla / Firefox 
specific bug, but I'm trying to keep an open mind and understand ~> 
maybe learn something.

As for patching Firefox, that's sort of like closing one vector out of 
the undetermined / infinite number that exist on the system.

Yes, what you're talking about is a problem.  It's also a known problem. 
  What's more is I believe the root of the problem is outside of where 
you have targeted your scrutiny.



-- 
Grant. . . .
unix || die

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.