Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 20 Oct 2023 09:04:07 +0200
From: Donald Buczek <buczek@...gen.mpg.de>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you
 anytime

On 10/18/23 8:25 PM, Grant Taylor wrote:
> I have some misgivings about this.
> 
> On 10/16/23 7:17 PM, turistu wrote:
>> In firefox running on X11, any script from any page can freely write to the primary selection,
> 
> I'm largely inclined to say "so what is the problem here?" but I'm trying to keep an open mind and understand ~> maybe learn something.
> 
> The *primary* /selection/ /buffer/ is updated by simply selecting text on the screen.
> 
> About the only thing that I can see being a problem is if something updates the chosen selection buffer without my knowledge while I'm in the middle of doing something using the selection buffer.
> 
> *Selection* /buffer/ being a buffer referencing something that is selected.
> 
> Remember, the selection buffers; primary and / or secondary, are completely independent of the clipboard.
> 
>> and that can be easily exploited to run arbitrary code on the user's machine.
> 
> I'm not convinced of that.
> 
> 1st, simply updating the selection buffer doesn't mean that what's in it will be used for anything,
> 2nd, the updated selection buffer must be used in a way that tries to execute a command or maliciously alters contents, e.g. swapping something of value for something else malicious, say an address to send something.
> 
>> No user interaction is necessary -- any page able to run javascript can do it ....
> 
> The ability to update the selection buffer doesn't extend into the ability to cause what's in the selection buffer to be executed.
> 
>> This applies to all the versions of mozilla/firefox and their derivatives (seamonkey, etc) ....
> 
> It probably applies to a lot more than that.  I suspect that anything that can run 3rd party code can do the same thing.
> 
>> Sooner or later, when trying to paste something in the terminal with shift-Insert or middle click, you will end up running the command `writeXPrimary()` has injected just between your copy and paste.
> 
> I can do the same thing with most shells that you're claiming is a Mozilla / Firefox bug:
> 
>    while sleep 1; do echo "yes LOL" | xsel -ip; done

Yes, and "rm" can delete all my files, but a piece of Javascript on random website, I visit with Firefox, is not supposed to be able to do that.

A Javascript program from a website is not in the same security domain as the user and the commands and application he invokes explicitly.

> Change your sleep duration, what goes into the primary selection buffer, tool used to modify the selection buffer, which selection buffer / clipboard you monkey with, etc.
> 
> I think that this is more a problem with X11 security than it is a problem specific to Mozilla / Firefox.
> 
> This X11 security issue is well known and has been well known for decades.  Anybody / anything that can read / write to your DISPLAY can do this.

libX11 API is not exposed to Javascript, is it? Javascript is not able to communicate with your DISPLAY socket, is it?

> Maybe the fact that malicious JavaScript can do this is a surprise.  But I don't see this as a new issue.
> As I said earlier, I'm unconvinced that this is a Mozilla / Firefox specific bug, but I'm trying to keep an open mind and understand ~> maybe learn something.

To me it looks like a big issue.

It is a serious bug when Javascript, which is untrusted, is able to do sneak commands into your shell session. 

If I'd work my usual way and had the example site open in my browser, I would have many LOL-* Files in my home. I select and paste into terminal windows all day and my terminal doesn't protect me and wait for a confirming keystroke. And a bad script could do worse things in a more subtle way, of course.

> As for patching Firefox, that's sort of like closing one vector out of the undetermined / infinite number that exist on the system.

I'd be grateful for the patch that requires secure context for writing to the primary selection and would add it to the Firefox build of our (in-house) distribution.

Best

  Donald


> Yes, what you're talking about is a problem.  It's also a known problem.  What's more is I believe the root of the problem is outside of where you have targeted your scrutiny.


-- 
Donald Buczek
buczek@...gen.mpg.de
Tel: +49 30 8413 1433

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.