Hacking caja part 2

Tuesday, 18 September 2012

I was asked for a “real” exploit on Caja by one of the devs after my previous post. I opened up my custom caja hacker inspector and inspected the window or fake window. I began looking through each object/function and noticed the setTimeout code. I wondered if they made the same mistake as me and checked the argument for a string. They did :O. The interesting thing about JavaScript objects is that sometimes an object is really a string like when you use an array on a function that can accept a string value because it’s automatically converted. The exploit is dead simple and instead of passing a string to setTimeout I pass an array pretty much like the one that pwnd JSReg by Soroush Dalili. We can now execute any JavaScript and bypass the sandbox because the sandboxed setTimeout function specifically checks for a string type but forgets the array literal.


<script>
setTimeout(['alert(location)']);//alerts the current location bypassing the sandbox
</script>

This works on Caja Rev 5047 built on 2012-09-13 15:28:30. I have now pwnd every JavaScript sandbox. Achievement unlocked.

The entry 'Hacking caja part 2' was posted on September 18th, 2012 at 11:59 am and is filed under javascript, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

8 Responses to “Hacking caja part 2”

  1. insertScript writes:
    No. 1 — September 18th, 2012 at 5:14 pm

    Man, awesome 🙂
    I assume this works with setInterval too.

  2. Mike Stay writes:
    No. 2 — September 18th, 2012 at 5:55 pm

    We also asked that you submit it to us first; if you had, you could have earned some cash through the vulnerability rewards program. Now we’re scrambling; bad form!

  3. Gareth Heyes writes:
    No. 3 — September 18th, 2012 at 6:24 pm

    @InsertScript

    Yeah works with both but so I hope they patch both I assume they would.

  4. Gareth Heyes writes:
    No. 4 — September 18th, 2012 at 6:26 pm

    @Mike

    It was a simple hole and attacker could already be using it anyway. I’d imagine you’d be scrambling anyway. Money isn’t everything.

  5. Mike Stay writes:
    No. 5 — September 18th, 2012 at 9:42 pm

    @Gareth That’s true. We’d really appreciate it if, in the future, you give us a heads up first, but congratulations on spotting the hole, and thanks for not abusing it!

  6. Gareth Heyes writes:
    No. 6 — September 18th, 2012 at 10:43 pm

    @Mike

    Yes no problem, in future I’ll report to you guys first. I got a little excited because I’ve been trying to exploit caja for a while and then discovered this.

  7. Levis 501 writes:
    No. 7 — October 5th, 2012 at 8:16 am

    http://www.thespanner.co.uk/2012/09/18/hacking-caja-part-2/

  8. Gareth Heyes writes:
    No. 8 — October 5th, 2012 at 8:23 am

    #inception

«
»