Hacking caja part 2

I was asked for a “real” exploit on Caja by one of the devs after my previous post. I opened up my custom caja hacker inspector and inspected the window or fake window. I began looking through each object/function and noticed the setTimeout code. I wondered if they made the same mistake as me and checked the argument for a string. They did :O. The interesting thing about JavaScript objects is that sometimes an object is really a string like when you use an array on a function that can accept a string value because it’s automatically converted. The exploit is dead simple and instead of passing a string to setTimeout I pass an array pretty much like the one that pwnd JSReg by Soroush Dalili. We can now execute any JavaScript and bypass the sandbox because the sandboxed setTimeout function specifically checks for a string type but forgets the array literal.


<script>
setTimeout(['alert(location)']);//alerts the current location bypassing the sandbox
</script>

This works on Caja Rev 5047 built on 2012-09-13 15:28:30. I have now pwnd every JavaScript sandbox. Achievement unlocked.

8 Responses to “Hacking caja part 2”

  1. insertScript writes:

    Man, awesome :)
    I assume this works with setInterval too.

  2. Mike Stay writes:

    We also asked that you submit it to us first; if you had, you could have earned some cash through the vulnerability rewards program. Now we’re scrambling; bad form!

  3. Gareth Heyes writes:

    @InsertScript

    Yeah works with both but so I hope they patch both I assume they would.

  4. Gareth Heyes writes:

    @Mike

    It was a simple hole and attacker could already be using it anyway. I’d imagine you’d be scrambling anyway. Money isn’t everything.

  5. Mike Stay writes:

    @Gareth That’s true. We’d really appreciate it if, in the future, you give us a heads up first, but congratulations on spotting the hole, and thanks for not abusing it!

  6. Gareth Heyes writes:

    @Mike

    Yes no problem, in future I’ll report to you guys first. I got a little excited because I’ve been trying to exploit caja for a while and then discovered this.

  7. Levis 501 writes:

    http://www.thespanner.co.uk/2012/09/18/hacking-caja-part-2/

  8. Gareth Heyes writes:

    #inception