Mailinglist Archive: opensuse-security (228 mails)

Firefox invocation allows unintended root access
  • From: Phil Betts <phil_betts@xxxxxxxxxxxx>
  • Date: Tue, 29 Mar 2005 22:40:14 +0100
  • Message-id: <1112132414.5217.71.camel@xxxxxxxxxxxxxxxxxxxxxxx>
This is possibly not a SuSE specific problem, but since the two systems
involved are both running 9.2 Pro, and it's their integrity that's at
stake, and since I've no idea what the underlying mechanism is, I
thought I'd start here ;)

The situation:

PC1 - SuSE 9.2 Pro AMD32
PC2 - SuSE 9.2 Pro AMD64

Run Firefox as root@PC2 for browsing local files (the files are only
readable by root).
Still on PC2, run ssh -X to get a shell as normal-user@PC1.
Start Evolution on PC1, opening on PC2's display.
Click on an http link in an email.
A Firefox window opens with the link displayed.

By chance, I noticed that the Adblock extension was missing and I
happened to click on the About menu. I was surprised to see that it
claimed to be the x86_64 version.

Further investigation revealed that Evolution had connected to the
root-invoked Firefox on PC2, rather than starting a fresh instance by
normal-user@PC1 displaying on PC2.

Had I not noticed this, it would have been easy for me to enable
java/javascript and install plugins etc., in the belief that the
browser was running as normal-user@PC1.

Note that Evolution is an innocent party here; just starting Firefox
directly from the ssh session produces the same effect. The reason for
mentioning it is that a link in an email can be a seductive way to trap
the unwitting user.

Also note that the situation does not appear to occur if the remote
connection is not involved. I.e. when root@PC2 runs Firefox, then
user@PC2 starts Firefox, this results in 2 instances of Firefox.

IMHO, Firefox should only connect with an already running instance if
that instance was started by the same user on the same host. It is
questionable whether normal-user@PC1 should even be aware of the
existence of the root@PC2 instance.
