Mozilla Foundation Security Advisory 2006-31

EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

Announced
June 1, 2006
Reporter
moz_bug_r_a4
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.5.0.4
  • SeaMonkey 1.0.2
  • Thunderbird 1.5.0.4

Description

Mozilla researcher moz_bug_r_a4 demonstrated that javascript run via EvalInSandbox can escape the sandbox and gain elevated privilege by calling valueOf() on objects created outside the sandbox and inserted into it. Malicious scripts could use these privileges to compromise your computer or data.

In Mozilla clients the primary use for EvalInSandbox is to run the Proxy Autoconfig script should one be specified by your network administrator. This is a rare option for home users, it is primarily used by institutional networks which have a need for remote configuration.

The popular Greasemonkey extension uses EvalInSandbox to run userscripts which manipulate the web pages you visit on your behalf. Using this vulnerability a malicious userscript could gain enough privilege to install malware, but even when Greasemonkey is working as designed a malicious userscript can make life miserable. Only install userscripts from sources you can trust.

Workaround

On the Connection Settings preferences select either "Direct connection to the Internet" (the default) or "Manual proxy configuration."

If you use Greasemonkey user only install userscripts from trusted sources and inspect them for occurrances of valueOf(). Or simply disable Greasemonkey until you can upgrade to a newer version.

References