
Issue 850559

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: ----
Type: Bug-Security




Security: Chrome Javascript Object.defineProperty

Reported by alanf...@gmail.com, Jun 7 2018

Issue description

Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 66.0.3359.181 (Official Build) (64-bit)
Operating System: macOS High Sierra, Version 10.13.4 (17E202)

REPRODUCTION CASE

The JavaScript Object.defineProperty function can be overridden by malicious code to bypass the writable property descriptor. Non-mutable properties of all objects can be changed as a result.

// Hack: overrides Object.defineProperty with a wrapper that forces
// configurable: true on every descriptor before delegating to the original.
// The wrapper must be installed before the target property is defined.
var copy = Object.defineProperty;
Object.defineProperty = function(x, y, z) {
  z.configurable = true;
  return copy(x, y, z);
};

var o = {}; // Test case

// "age" property defined as non-writable (and, as requested, non-configurable)
Object.defineProperty(o, "age", {
  value: "10",
  writable: false,
  configurable: false
});

// Second defineProperty should fail with the genuine built-in
Object.defineProperty(o, "age", {
  writable: true
});

// "non-writable" property can be changed
o.age = 20;

Please see the source code of the hack here:
https://codepen.io/aln/pen/WyGWpj

The demonstration is here:
https://codepen.io/aln/debug/WyGWpj
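The following is an added example, not code from the Chromium issue or from the reporter. It places the override from the report beside the pattern a first-party bootstrap script can use to defend against it: capture the genuine built-in before any third-party script runs, lock the reference with the very descriptors under discussion, and verify it later by identity. The `ns` namespace objects are constructed stand-ins for the global `Object` so the demonstration never tampers with the real built-in; it runs under Node.js.

```javascript
// Added example (not from the Chromium issue or the reporter): the reported
// override next to a capture-and-lock bootstrap pattern. The "ns" objects are
// constructed stand-ins for the global Object constructor.

// 1. Why the override is possible at all: Object.defineProperty is an ordinary
//    writable, configurable data property of the Object constructor.
function describeBuiltin() {
  const d = Object.getOwnPropertyDescriptor(Object, 'defineProperty');
  return { writable: d.writable, configurable: d.configurable };
}

// 2. The report's hack, run against a stand-in namespace: the wrapper forces
//    configurable: true on every descriptor, so the later redefinition succeeds.
//    It only works because it is installed BEFORE the property is defined.
function runReportedHack(ns) {
  const original = ns.defineProperty;
  ns.defineProperty = function (target, key, desc) {
    desc.configurable = true;
    return original(target, key, desc);
  };
  const o = {};
  ns.defineProperty(o, 'age', { value: '10', writable: false, configurable: false });
  ns.defineProperty(o, 'age', { writable: true }); // throws with the genuine built-in
  o.age = 20;
  return o.age; // 20: the "non-writable" property was changed
}

// 3. Mitigation for code that owns the page: capture the genuine function at
//    bootstrap, then make the reference itself non-writable and non-configurable.
//    Returns the captured original for later identity checks.
function lockBuiltin(ns) {
  const original = ns.defineProperty;
  Object.defineProperty(ns, 'defineProperty', {
    value: original,
    writable: false,
    configurable: false,
    enumerable: false,
  });
  return original;
}

// 4. A later script attempting the same override: in strict mode the assignment
//    to the locked property throws a TypeError and the built-in stays intact.
function attemptOverrideAfterLock(ns) {
  'use strict';
  try {
    ns.defineProperty = function () { throw new Error('hijacked'); };
    return 'overwritten';
  } catch (e) {
    return e instanceof TypeError ? 'blocked' : 'unexpected';
  }
}

// 5. Runtime integrity check: compare by identity with the bootstrap copy rather
//    than by name or toString output, both of which a wrapper can imitate.
function builtinIntact(ns, trusted) {
  return ns.defineProperty === trusted;
}

// Demonstration on fresh stand-ins.
const hacked = { defineProperty: Object.defineProperty };
const locked = { defineProperty: Object.defineProperty };
const trusted = lockBuiltin(locked);
console.log('built-in descriptor:', describeBuiltin());
console.log('after reported hack, o.age =', runReportedHack(hacked));
console.log('override after lock:', attemptOverrideAfterLock(locked));
console.log('locked copy intact:', builtinIntact(locked, trusted));
console.log('hacked copy intact:', builtinIntact(hacked, Object.defineProperty));
```

The lock only helps if it runs first: any script loaded earlier in the page has the same authority, which is why the mitigation belongs in the first-party bootstrap rather than in a library loaded later.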
 

Comment 1 by alanf...@gmail.com, Jun 7 2018

This vulnerability can be easily fixed by changing the "configurable" descriptor of the defineProperty function of Object to false.

Components: Blink>JavaScript
Labels: -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Status: WontFix (was: Unconfirmed)
This is working as intended. It's a weird feature of JavaScript that you can redefine its standard functions. See e.g. https://stackoverflow.com/questions/10427708/override-function-e-g-alert-and-call-the-original-function.

It can certainly lead to security problems if a developer was assuming the standard functions are immutable and if they also include code from another author that redefines them in a malicious way. But the root cause of the vulnerability in such a case is: including code from a malicious author. Such an attacker could achieve whatever attack they want even if built-ins were immutable.

Comment 3 by alanf...@gmail.com, Jun 7 2018

Is there any use-case in which you would want to redefine JavaScript's standard functions?

Also, if this is an intended feature, what would be the purpose of having the descriptors "configurable" and "writable"? It was my understanding that those descriptors existed in part to prevent malicious users from altering important code.

If they can simply be overridden by this feature, isn't it dangerous to provide developers with the illusion of keeping their code immutable?
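As an added illustration, not part of the thread, of what `writable` and `configurable` do guarantee for a property on the target object when the genuine `Object.defineProperty` is in use, and of why the hack in the report has to flip `configurable` to succeed. Strict mode is enabled per function so the TypeError behaviour is visible; it runs under Node.js.

```javascript
// Added example (not from the thread): descriptor semantics with the genuine
// built-in. The sample object and values are constructed for the demonstration.

// A property defined exactly as in the report, with an untampered built-in.
function defineFrozenAge() {
  const o = {};
  Object.defineProperty(o, 'age', { value: 10, writable: false, configurable: false });
  return o;
}

// Assignment to a non-writable property: TypeError in strict mode
// (silently ignored in sloppy mode, which is why strict mode matters here).
function tryAssign(o) {
  'use strict';
  try {
    o.age = 20;
    return 'assigned';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Deleting a non-configurable property: TypeError in strict mode.
function tryDelete(o) {
  'use strict';
  try {
    delete o.age;
    return 'deleted';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Redefining a non-configurable, non-writable property as writable:
// Object.defineProperty throws a TypeError in either mode.
function tryRedefine(o) {
  try {
    Object.defineProperty(o, 'age', { writable: true });
    return 'redefined';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// The contrast the reported hack relies on: a non-writable property that is
// still configurable may legitimately be redefined as writable.
function configurableButNotWritable() {
  const o = {};
  Object.defineProperty(o, 'age', { value: 10, writable: false, configurable: true });
  Object.defineProperty(o, 'age', { writable: true });
  o.age = 20;
  return o.age; // 20
}

// Demonstration.
const sample = defineFrozenAge();
console.log('assign:', tryAssign(sample));
console.log('delete:', tryDelete(sample));
console.log('redefine:', tryRedefine(sample));
console.log('value still:', sample.age);
console.log('configurable but not writable, after redefine:', configurableButNotWritable());
```

The descriptors protect the property on the object against code that goes through the engine's own operations; they say nothing about the function reference `Object.defineProperty` itself, which is a separate writable, configurable property of `Object` and must be locked separately if that is a concern.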
