Hacking caja part 2
Tuesday, 18 September 2012
I was asked for a “real” exploit on Caja by one of the devs after my previous post. I opened up my custom Caja hacker inspector and inspected the window, or rather the fake window. I began looking through each object/function and noticed the setTimeout code. I wondered if they had made the same mistake as me and only checked the argument for a string. They did :O. The interesting thing about JavaScript objects is that sometimes an object behaves as a string: when you pass an array to a function that accepts a string value, it is automatically converted. The exploit is dead simple: instead of passing a string to setTimeout I pass an array, pretty much like the one that pwnd JSReg by Soroush Dalili. We can now execute any JavaScript and bypass the sandbox, because the sandboxed setTimeout function specifically checks for a string type but forgets the array literal.
<script>
setTimeout(['alert(location)']);//alerts the current location bypassing the sandbox
</script>
This works on Caja Rev 5047 built on 2012-09-13 15:28:30. I have now pwnd every JavaScript sandbox. Achievement unlocked.
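To make the defensive point concrete, here is an added example (not code from the post or from the Caja project) that models the two kinds of check side by side. The browser's native setTimeout coerces any non-function handler with String() and evaluates the result; the model below only records what would be evaluated instead of running it, so it works offline in Node. The function names browserStyleSetTimeout, naiveGuard, strictGuard and probe are hypothetical. It also goes one step beyond the post's array case and shows that any object with a custom toString coerces the same way, which is why the robust fix is to allow-list functions rather than deny-list strings.

```javascript
// Model of browser-style setTimeout semantics: a function is scheduled as-is,
// anything else is coerced to a string and treated as source to evaluate.
// Nothing is executed here; the coerced source is returned for inspection.
function browserStyleSetTimeout(handler, delay) {
  if (typeof handler === 'function') {
    return { kind: 'function', handler, delay };
  }
  // String(['alert(location)']) === 'alert(location)', so an array literal
  // reaches the evaluator exactly as a plain string would.
  return { kind: 'code', source: String(handler), delay };
}

// The pattern the post describes: refuse strings, forward everything else.
function naiveGuard(handler, delay) {
  if (typeof handler === 'string') {
    throw new TypeError('string handlers are not allowed');
  }
  return browserStyleSetTimeout(handler, delay);
}

// Hardened form: allow-list the one safe type. Arrays, objects with a custom
// toString, numbers and so on are all refused before coercion can happen.
function strictGuard(handler, delay) {
  if (typeof handler !== 'function') {
    throw new TypeError('handler must be a function');
  }
  return browserStyleSetTimeout(handler, delay);
}

// Summarise what a guard does with one handler value.
function probe(guard, handler) {
  try {
    const r = guard(handler, 0);
    return r.kind === 'code' ? `evaluates: ${r.source}` : 'schedules function';
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}

// Constructed sample inputs: a legitimate callback, the string both guards
// catch, the array literal from the post, and an object whose toString
// yields code.
const cases = [
  ['function',      () => {}],
  ['string',        'alert(location)'],
  ['array literal', ['alert(location)']],
  ['object',        { toString: () => 'alert(1)' }],
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, input] of cases) {
    console.log(
      label.padEnd(14),
      '| naive:', probe(naiveGuard, input).padEnd(40),
      '| strict:', probe(strictGuard, input),
    );
  }
}
```

Run with `node` to see the table: naiveGuard lets the array and the object through as code, while strictGuard rejects everything except the function. The lesson for anyone writing a sandbox wrapper around a coercing native API is that a `typeof x === 'string'` deny-list only covers one of the many values the native implementation will happily stringify.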
No. 1 — September 18th, 2012 at 5:14 pm
Man, awesome 🙂
I assume this works with setInterval too.
No. 2 — September 18th, 2012 at 5:55 pm
We also asked that you submit it to us first; if you had, you could have earned some cash through the vulnerability rewards program. Now we’re scrambling; bad form!
No. 3 — September 18th, 2012 at 6:24 pm
@InsertScript
Yeah, it works with both, so I hope they patch both; I assume they would.
No. 4 — September 18th, 2012 at 6:26 pm
@Mike
It was a simple hole and an attacker could already be using it anyway. I’d imagine you’d be scrambling anyway. Money isn’t everything.
No. 5 — September 18th, 2012 at 9:42 pm
@Gareth That’s true. We’d really appreciate it if, in the future, you give us a heads up first, but congratulations on spotting the hole, and thanks for not abusing it!
No. 6 — September 18th, 2012 at 10:43 pm
@Mike
Yes no problem, in future I’ll report to you guys first. I got a little excited because I’ve been trying to exploit caja for a while and then discovered this.
No. 7 — October 5th, 2012 at 8:16 am
http://www.thespanner.co.uk/2012/09/18/hacking-caja-part-2/
No. 8 — October 5th, 2012 at 8:23 am
#inception