angler-fishThe Vulnerability History Project

CVE-2015-1217

10 Upvotes
The V8LazyEventListener listens for javascript events for a given type of event. This vulnerability occurred in the prepareListenerObject function of this listener class, which is responsible for binding DOM event types to listener objects. Essentially, the V8 engine needs bindings/wrappers to interact with WebKit, which then in turn interacts more directly with DOM content in the Chromium app. The vulnerability category is "type confusion", where a variable or object is previously declared as one type but is accessed as another type. This causes problems in mainly C-like languages because they do not have memory safety that will check if something like a pointer is trying to point to allocated memory of another type. In this case, JavaScript code is constructed, compiled, and then ran, partially based on DOM element input (what the listener should listen for). The result is then cast to a function, although it is not necessarily a function, causing type confusion that could cause a crash in the program or another DoS of sorts for a malicious actor. This was fixed by removing testing assert statements and replacing them with conditional checks for whether a context object is a document, whether it allows inline event handlers, and whether the internal script that is ran has a result that is a function. This ensures objects are of the proper type and are not null, which could make the above exploits possible.
This is definitely a case of quick development of code between commits leading up to the vulnerability. This code was overlooked, perhaps due to miscommunication since it appears a different person was involved with each step of introducing and fixing this vulnerability. More rigorous code reviews for common security standards (especially pertaining to C and how these subsystems are typically implemented in Chromium) could add up in the long run to have a more fortified application build with fewer common, easy to check for errors. Make sure everyone reviewing understands what the code is trying to accomplish and if it does that (Validate and Verify). The fix of checking for certain conditions before preceding to create the listener object seems appropriate for this kind of vulnerability. In the future, do not rely too heavily on asserts for runtime in the production environment. These should be converted to actual checks and handling of errors and exceptions.
  • Bounty Awarded $3000.0 awarded. Learn more about Bounty Awarded.
  • Chromium subsystem: v8 Learn more about Chromium subsystem: v8.
  • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') Learn more about CWE-843: Access of Resource Using Incompatible Type ('Type Confusion').
  • Discovered Automatically The renderer crashed when using a certain test page, which had a certain mouse down event on the document. Asserts were not enabled on the Windows Vista snapshot, but the reporter, pim...@live.nl was able to debug that the preparedListenerObject function had a type confusion vulnerability that caused the crash. The email pim...@live.nl could not be traced to anyone on LinkedIn, Outlook, Skype, etc. but it would appear to be someone named Pim in Netherlands. Learn more about Discovered Automatically.
  • Discovered Externally The renderer crashed when using a certain test page, which had a certain mouse down event on the document. Asserts were not enabled on the Windows Vista snapshot, but the reporter, pim...@live.nl was able to debug that the preparedListenerObject function had a type confusion vulnerability that caused the crash. The email pim...@live.nl could not be traced to anyone on LinkedIn, Outlook, Skype, etc. but it would appear to be someone named Pim in Netherlands. Learn more about Discovered Externally.
  • Known Origin (VCC) Learn more about Known Origin (VCC).
  • Language: C++ Learn more about Language: C++.
  • Lesson: Distrust Input A listener source (parsed from a DOM element) could be manipulated to return a different type of object for the preparedListenerObject function, allowing for the rendering crash to occur. Input should usually be validated and sanitized in some way like whitelisting characters/types or checking edge cases as in this fix. Learn more about Lesson: Distrust Input.
  • Lesson: Fix Untested It is clear that unit testing occurs for this event listener module. Checking the logs, tests are often updated, mostly pertaining to checking mouse events. There are also multiple assertions directly in the code. Learn more about Lesson: Fix Untested.
  • Lesson: Too Many Cooks 29 different developers made commits to the files fixed for this vulnerability. Learn more about Lesson: Too Many Cooks.
  • Lesson: You Ain't Gonna Need It Judging from this string of commits for this file and others, a strong sense of "you ain't gonna need it" seems to be present with incremental but sometimes verbose additions of code that are either not accompanied with new test files or are not reviewed carefully for common edge cases that could lead to vulnerabilities (e.g., null checks). When in doubt, it may be a good idea to implement these simple checks. Learn more about Lesson: You Ain't Gonna Need It.
  • Lifetime: 5+ years 1935.8 days, or 5.3 years Learn more about Lifetime: 5+ years.
  • Project: Chromium Learn more about Project: Chromium. 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288

CVE: CVE-2015-1217
CWE:
- 843
- 17
bugs:
- 456192
repo: 
vccs:
- note: |
    This is the commit before the fix.  It is interesting to notice how much
    code was touched in and around where the fix occurred, yet the assertions
    were never taken out for mechanisms to officially "fail safely".
  commit: ed66d28be8a33cb0f5e084549f0d87c6b58c05d7
- note: |
    This is essentially where the preparedListenerObject method is formed
    close to its current form.  A decent amount of adding and removing of
    assertions and changing of function methodologies have been done before
    the fix.
  commit: 313588bc5684f8eacd61c27d8921e9cb347920ff
fixes:
- note: |
    Asserts were replaced with conditional statements in the code for
    checking whether a context object is a document, whether it allows
    inline event handlers, and whether the internal script that is ran
    has a result that is a function.
  commit: fc81fcf38edd250876cc384a6ed5567e1b2999e4
bounty:
  date: '2015-03-03 15:53:00.000000000 -05:00'
  amount: 3000.0
  references:
  - http://chromereleases.googleblog.com/2015/03/stable-channel-update.html
lessons:
  yagni:
    note: |
      Judging from this string of commits for this file and others,
      a strong sense of "you ain't gonna need it" seems to be present
      with incremental but sometimes verbose additions of code that
      are either not accompanied with new test files or are not reviewed
      carefully for common edge cases that could lead to vulnerabilities
      (e.g., null checks).  When in doubt, it may be a good idea to
      implement these simple checks.
    applies: true
  question: |
    Are there any common lessons we have learned from class that apply to this
    vulnerability? In other words, could this vulnerability serve as an example
    of one of those lessons?

    Leave "applies" blank or put false if you did not see that lesson (you do
    not need to put a reason). Put "true" if you feel the lesson applies and put
    a quick explanation of how it applies.

    Don't feel the need to claim that ALL of these apply, but it's pretty likely
    that one or two of them apply.

    If you think of another lesson we covered in class that applies here, feel
    free to give it a small name and add one in the same format as these.
  serial_killer:
    note: 
    applies: 
  complex_inputs:
    note: 
    applies: 
  distrust_input:
    note: |
      A listener source (parsed from a DOM element) could be manipulated
      to return a different type of object for the preparedListenerObject
      function, allowing for the rendering crash to occur.  Input should
      usually be validated and sanitized in some way like whitelisting
      characters/types or checking edge cases as in this fix.
    applies: true
  least_privilege:
    note: 
    applies: 
  native_wrappers:
    note: 
    applies: 
  defense_in_depth:
    note: 
    applies: 
  secure_by_default:
    note: 
    applies: 
  environment_variables:
    note: 
    applies: 
  security_by_obscurity:
    note: 
    applies: 
  frameworks_are_optional:
    note: 
    applies: 
reviews:
- 933003002
- 927343006
- 906193002
- 938483002
- 939503002
- 910683002
- 958543002
- 913713004
upvotes: 10
mistakes:
  answer: |
    This is definitely a case of quick development of code between commits leading
    up to the vulnerability.  This code was overlooked, perhaps due to miscommunication
    since it appears a different person was involved with each step of introducing and
    fixing this vulnerability.  More rigorous code reviews for common security standards
    (especially pertaining to C and how these subsystems are typically implemented in
    Chromium) could add up in the long run to have a more fortified application build
    with fewer common, easy to check for errors.  Make sure everyone reviewing understands
    what the code is trying to accomplish and if it does that (Validate and Verify).

    The fix of checking for certain conditions before preceding to create the listener
    object seems appropriate for this kind of vulnerability.  In the future, do not
    rely too heavily on asserts for runtime in the production environment.  These should
    be converted to actual checks and handling of errors and exceptions.
  question: |
    In your opinion, after all of this research, what mistakes were made that
    led to this vulnerability? Coding mistakes? Design mistakes?
    Maintainability? Requirements? Miscommunications?

    Look at the CWE entry for this vulnerability and examine the mitigations
    they have written there. Are they doing those? Does the fix look proper?

    Use those questions to inspire your answer. Don't feel obligated to answer
    every one. Write a thoughtful entry here that those ing the software
    engineering industry would find interesting.
announced: '2015-03-08 20:59:09.387000000 -04:00'
subsystem:
  name: v8
  answer: |
    The vulnerability was in the LazyEventListener module of v8, Chromium's
    JavaScript engine.
  question: |
    What subsystems was the mistake in?

    Look at the path of the source code files code that were fixed to get
    directory names. Look at comments in the code. Look at the bug reports how
    the bug report was tagged. Examples: "clipboard", "gpu", "ssl", "speech", "renderer"
discovered:
  date: '2015-02-06'
  answer: |
    The renderer crashed when using a certain test page, which had a certain mouse
    down event on the document.  Asserts were not enabled on the Windows Vista snapshot,
    but the reporter, pim...@live.nl was able to debug that the preparedListenerObject
    function had a type confusion vulnerability that caused the crash.

    The email pim...@live.nl could not be traced to anyone on LinkedIn, Outlook, Skype, etc.
    but it would appear to be someone named Pim in Netherlands.
  google: false
  contest: 
  question: |
    How was this vulnerability discovered?

    Go to the bug report and read the conversation to find out how this was
    originally found. Answer in longform below in "answer", fill in the date in
    YYYY-MM-DD, and then determine if the vulnerability was found by a Google
    employee (you can tell from their email address). If it's clear that the
    vulenrability was discovered by a contest, fill in the name there.

    The "automated" flag can be true, false, or nil.
    The "google" flag can be true, false, or nil.

    If there is no evidence as to how this vulnerability was found, then you may
    leave the entries blank except for "answer". Write down where you looked in "answer".
  automated: true
description: |
  The V8LazyEventListener listens for javascript events for a given type of event.
  This vulnerability occurred in the prepareListenerObject function of this listener
  class, which is responsible for binding DOM event types to listener objects.
  Essentially, the V8 engine needs bindings/wrappers to interact with WebKit, which
  then in turn interacts more directly with DOM content in the Chromium app.

  The vulnerability category is "type confusion", where a variable or object is
  previously declared as one type but is accessed as another type.  This causes
  problems in mainly C-like languages because they do not have memory safety that
  will check if something like a pointer is trying to point to allocated memory
  of another type.  In this case, JavaScript code is constructed, compiled, and
  then ran, partially based on DOM element input (what the listener should listen for).
  The result is then cast to a function, although it is not necessarily a function,
  causing type confusion that could cause a crash in the program or another DoS of
  sorts for a malicious actor.

  This was fixed by removing testing assert statements and replacing them with conditional
  checks for whether a context object is a document, whether it allows
  inline event handlers, and whether the internal script that is ran
  has a result that is a function.  This ensures objects are of the proper type and are
  not null, which could make the above exploits possible.
unit_tested:
  fix: true
  code: true
  answer: |
    It is clear that unit testing occurs for this event listener module.  Checking
    the logs, tests are often updated, mostly pertaining to checking mouse events.
    There are also multiple assertions directly in the code.
  question: |
    Were automated unit tests involved in this vulnerability?
    Was the original code unit tested, or not unit tested? Did the fix involve
    improving the automated tests?

    For the "code" answer below, look not only at the fix but the surrounding
    code near the fix and determine if and was there were unit tests involved
    for this module.

    For the "fix" answer below, check if the fix for the vulnerability involves
    adding or improving an automated test to ensure this doesn't happen again.
major_events:
  answer: |
    Not many major commits/events were created near this time.  But over the past year
    before this, the following was an interesting focus the team had.
  events:
  - date: '2014-03-07'
    name: |
      Revision 168726, a revert occurred for removing precompiled scripts.  Clearly
      much contention concerning regression statistics was the focus during the Spring
      and Summer of 2014.  If the team was focused on optimizing speed, less attention
      to creating quality listener code might have happened.
  - date: 
    name: 
  question: |
    Please record any major events you found in the history of this
    vulnerability. Was the code rewritten at some point? Was a nearby subsystem
    changed? Did the team change?

    The event doesn't need to be directly related to this vulnerability, rather,
    we want to capture what the development team was dealing with at the time.
curation_level: 0
CWE_instructions: |
  Please go to cwe.mitre.org and find the most specific, appropriate CWE entry
  that describes your vulnerability. (Tip: this may not be a good one to start
  with - spend time understanding this vulnerability before making your choice!)
bounty_instructions: |
  If you came across any indications that a bounty was paid out for this
  vulnerability, fill it out here. Or correct it if the information already here
  was wrong. Otherwise, leave it blank.
interesting_commits:
  answer: 
  commits:
  - note: |
      This is actually another bug involving a null state with the AbstractEventListener
      in v8, found about nine months beforehand.  Could have the developers
      included looking at similar components such as the LazyEventListener to
      find similar problems during the code review?
    commit: 1e2aefdb3d864e1bfd2e6e1c94c52aebe321c2d1
  question: |
    Are there any interesting commits between your VCC(s) and fix(es)?

    Write a brief (under 100 words) description of why you think this commit was
    interesting in light of the lessons learned from this vulnerability. Any
    emerging themes?

    If there are no interesting commits, demonstrate that you completed this section by explaining what happened between the VCCs and the fix.
curated_instructions: |
  If you are manually editing this file, then you are "curating" it. Set the
  entry below to "true" as soon as you start. This will enable additional
  integrity checks on this file to make sure you fill everything out properly.
  If you are a student, we cannot accept your work as finished unless curated is
  set to true.
upvotes_instructions: |
  For the first round, ignore this upvotes number.

  For the second round of reviewing, you will be giving a certain amount of
  upvotes to each vulnerability you see. Your peers will tell you how
  interesting they think this vulnerability is, and you'll add that to the
  upvotes score on your branch.
announced_instructions: |
  Was there a date that this vulnerability was announced to the world? You can
  find this in changelogs, blogs, bug reports, or perhaps the CVE date. A good
  source for this is Chrome's Stable Release Channel
  (https://chromereleases.googleblog.com/).
  Please enter your date in YYYY-MM-DD format.
fixes_vcc_instructions: |
  Please put the commit hash in "commit" below (see my example in
  CVE-2011-3092.yml). Fixes and VCCs follow the same format.
description_instructions: |
  You can get an initial description from the CVE entry on cve.mitre.org. These
  descriptions are a fine start, but they can be kind of jargony.

  Rewrite this description in your own words. Make it interesting and easy to
  read to anyone with some programming experience. We can always pull up the NVD
  description later to get more technical.

  Try to still be specific in your description, but remove Chromium-specific
  stuff. Remove references to versions, specific filenames, and other jargon
  that outsiders to Chromium would not understand. Technology like "regular
  expressions" is fine, and security phrases like "invalid write" are fine to
  keep too.

See a mistake? Is something missing from our story? We welcome contributions! All of our work is open-source and version-controlled on GitHub. You can curate using our Curation Wizard.

Use our Curation Wizard

Or go to GitHub

  • There are no articles here... yet

Timeline

Hover over an event to see its title.
Click on the event to learn more.
Filter by event type with the buttons below.

expand_less