#18782 closed defect (worksforme)

Opened 3 years ago, closed 3 years ago

media tab in Page Info can bypass NoScript on Linux if gstreamer is used

Reported by: cypherpunks
Owned by: tbb-team
Priority: Very High
Component: Applications/Tor Browser
Severity: Critical
Keywords: ff45-esr-will-have

Description

to reproduce:

  • visit machetona.neocities.org
  • [collateral/bonus: rack up a 16 year old girl's page counts]
  • Tools->Page Info->Media (tab)
  • scroll down the media list to the URL that looks like an IP address
  • press play and listen to the sweet jams and OH CRAP THAT ISN'T SUPPOSED TO HAPPEN
  • trouble

Change History (24)

comment:1 Changed 3 years ago by cypherpunks

(this happens with NoScript cranked all the way up)

comment:2 Changed 3 years ago by cypherpunks

Also, RequestPolicy AddOn was active and allowing nothing, and this bypassed that as well. Yes I know the Tor project has no responsibility for RequestPolicy, but maybe the info helps somehow anyway.

comment:3 Changed 3 years ago by gk

Status: new → needs_information

I don't have such an URL. Are you talking about an item in the Media Preview? If so, this thing is empty for me apart from the favicon it seems. I am using the security slider set to high.

comment:4 Changed 3 years ago by cypherpunks

By "I don't have such an URL.", do you mean the IP-based one in Media Preview? Do you get any URLs at all in Media Preview? Anyway, yes, I am talking about an item in the Media Preview.

I suppose it is possible that some addon I use has circumvented default Tor Browser restrictions, but most of my plugins restrict content, none enable it. A few enhance it, but not in ways I can see interfering.

I know the addon hole isn't something you want to fall into, but this still might not stem from addons. And in any case, I'd need help narrowing it down if it is an addon. Are there specific settings in NoScript or Firefox which govern Media Preview?

comment:5 Changed 3 years ago by cypherpunks

"apart from the favicon" Ok, that is the only element in Media Preview which appears for you, I see.

comment:6 Changed 3 years ago by cypherpunks

Priority: High → Very High
Severity: Major → Critical

I just downloaded and ran a fresh copy of 5.5.4, en-us, hash ebc24ad69a27531dac62c25f939d4028c5494c1759137a3a841e9e32619a3c71, which I ran in both private and regular modes, and with security slider set to High.

The only things I changed:

  • though it isn't recommended, I ran it as root because reasons; basically it is easier on my test system to do that and it was just to run it once for the purpose of this test
  • imported some bookmarks

No addons at all were imported, installed, or adjusted. Visiting the website listed in the steps did indeed produce the bug. The IP-looking URL was there along with a host of other addresses, all instantly previewable, including the media player for that IP-based URL.

If you are running an unmodified version of the browser, these should be your results as well. I have no idea why they aren't.

comment:7 Changed 3 years ago by cypherpunks

The specific URL in question is 107.155.111.170:8250/;?icy=http , in case you just didn't notice it.

comment:8 Changed 3 years ago by gk

I still get the same results as in comment:3. Here is what I did:

1) I downloaded the 5.5.4 64bit en-US bundle + signature from dist.torproject.org
2) I checked the signature (it was okay)
3) I started Tor Browser and set the Security Slider to "high"
4) I visited machetona.neocities.org
5) I opened Tools->Page Info->Media (tab)

comment:9 Changed 3 years ago by cypherpunks

Different cypherpunk here. Could the difference in results be caused by gstreamer being (un)available?

comment:10 Changed 3 years ago by cypherpunks

OP here. Right. Because stupidly I forgot to mention that mine is on Linux (although the root comment should have given it away).

comment:11 Changed 3 years ago by cypherpunks

Yep. Uninstalled gstreamer and it wasn't there. Reinstalled and it was back again.

Gstreamer is a dependency for several apps I regard as important. I really don't want to have to do without it :/

comment:12 Changed 3 years ago by cypherpunks

Okay, just discovered via #13543 that gstreamer can be disabled in Firefox via about:config (and indeed doing so does disable the example content in Media Preview), so it doesn't need to be uninstalled from the OS.

But disabling it in the browser leaves the user without an in-browser playback method for various formats.
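
As an added example (not Tor Browser or Firefox code, and not something posted in this ticket), the following Python checks a profile for the about:config setting that comment:12 describes. It parses the `user_pref(...)` syntax of prefs.js/user.js, applies user.js on top of prefs.js the way Firefox does at startup, and reports whether media.gstreamer.enabled is still effectively true. The sample profile text is constructed for the demo, the assumed default of true is taken from comment:15, and the note about javascript.enabled restates comment:21; the function and constant names are the example's own.

```python
"""Audit a Firefox/Tor Browser profile for the gstreamer pref discussed in this ticket.

Added example, not Tor Browser or Firefox code. It only parses the prefs.js /
user.js pref syntax; the pref names and the assumed default
(media.gstreamer.enabled = true in Tor Browser 5.5.x, per comment:15) come from
the ticket, and the sample profile text below is constructed for the demo.
"""
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# One pref line: user_pref("name", value);  or  pref("name", value);
# value is a double-quoted string (with backslash escapes), an integer, or true/false.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;'
)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse pref lines into a dict; a later line for the same name wins, as in Firefox."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # comment or license header, never a pref
        m = _PREF_RE.match(line)
        if not m:
            continue  # blank line or something that is not a pref statement
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"'):
            prefs[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \" and \\
        else:
            prefs[name] = int(raw)
    return prefs


def effective_prefs(prefs_js: str, user_js: str = "") -> Dict[str, PrefValue]:
    """prefs.js is the saved profile state; user.js is re-applied on top at every startup."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def audit_gstreamer(prefs: Dict[str, PrefValue]) -> Dict[str, object]:
    """Report whether the gstreamer playback path (Page Info > Media preview) is still open."""
    # Default assumed true, as comment:15 says Tor Browser 5.5.x ships it that way.
    gst_enabled = prefs.get("media.gstreamer.enabled", True) is not False
    notes: List[str] = []
    if gst_enabled:
        notes.append("media.gstreamer.enabled is not false: gstreamer-backed playback, "
                     "including the Page Info media preview, is available (comment:12)")
    if prefs.get("javascript.enabled") is False:
        notes.append("javascript.enabled=false only affects content; the chrome media "
                     "preview is unaffected by it (comment:21)")
    return {"gstreamer_playback_enabled": gst_enabled, "notes": notes}


# Constructed sample: what a Tor Browser 5.5.x Linux profile might save (not a real dump).
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
/* Do not edit this file.
 * It is regenerated by the browser. */
user_pref("browser.cache.disk.enable", false);
user_pref("javascript.enabled", false);
user_pref("media.gstreamer.enabled", true);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
"""

# The one-line user.js that closes the path, as comment:12 describes.
HARDENED_USER_JS = 'user_pref("media.gstreamer.enabled", false);\n'

if __name__ == "__main__":
    for label, user_js in (("as shipped", ""), ("with user.js", HARDENED_USER_JS)):
        result = audit_gstreamer(effective_prefs(SAMPLE_PREFS_JS, user_js))
        print(label, result)
```

Run it against a real profile by reading prefs.js and user.js from the profile directory into `effective_prefs`; the point of the user.js overlay is that a pref set there survives a browser-side reset of prefs.js, which is why comment:12's about:config change is more durable when written to user.js.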

comment:13 in reply to: 11 Changed 3 years ago by cypherpunks

Replying to cypherpunks:

Gstreamer is a dependency for several apps I regard as important. I really don't want to have to do without it :/

I only asked about gstreamer so gk can reproduce it (and then hopefully is able to fix the issue).

comment:14 Changed 3 years ago by gk

So, what is the actual bug here? Or asked differently: What is the expected behavior in this case?

comment:15 Changed 3 years ago by cypherpunks

I don't know what the protocol here is for when one bug through the process of discovery is revealed to be a different bug. I can't modify the title.

I feel like getting testy here (because isn't this really, really obvious? why are you asking how to proceed?) but I'll refrain. The expected behaviour is for TBB, since it ships with media.gstreamer.enabled set to true, to not allow gstreamer leaks to affect TBB's security negatively.

In TBB, when the slider, which is what the team presents to the userbase as the primary security control panel, is set to high, no JS objects at all should be able to run in the browser. Media Preview absolutely is in the browser. It is a user-facing feature. It is not a setting, i.e. "don't poke around in TBB's innards unless you know what you're doing" does not apply here.

It looks to me as though your end needs to look upstream, either to Firefox (why is Media Preview a separate display process?) or to NoScript (why can't NoScript affect Media Preview?) or to gstreamer (has it been leaking data ever since it was included as an option?). Using an external element for media display should have been a bigger red flag than it seems to have been treated as. The fact that Firefox uses that external element in two different ways in the same product complicates the matter.

Of these, NoScript and Firefox are connected to the Tor Project and subsequently should be within the responsibility of the developers to at least interact with. Gstreamer is obviously separate.

So fundamentally, the expected behaviour is not to leak data? To obey the security slider? To start shipping TBB with media.gstreamer.enabled set to false, or incorporating that setting into the slider?

Do you even know if gstreamer has been leaking this whole time and should be removed as an option until upstream passes an audit?

  • If you can determine gstreamer isn't leaky (meaning outside the Tor network) then media.gstreamer.enabled should become part of what the security slider controls
  • if you cannot determine anything about gstreamer's network activity conclusively (?) then it should be removed from interaction from TBB completely
  • as a side note, Firefox probably shouldn't be loading objects of any kind in Media Preview by different means than it uses for general pages
Last edited 3 years ago by cypherpunks

comment:16 Changed 3 years ago by cypherpunks

As a further side note - I forgot to mention that the advertised URL is able to run in Media Preview with javascript turned off completely. So gstreamer is completely bypassing Firefox/TBB's settings, even aside from NoScript.

Last edited 3 years ago by cypherpunks

comment:17 Changed 3 years ago by cypherpunks

Alternatively, Media Preview itself might be outside the control of about:config, which would be just as bad in a different way.

media.play-stand-alone might also be a setting you guys should look into if gstreamer is what TBB uses for it.

Last edited 3 years ago by cypherpunks

comment:18 in reply to: 15; Changed 3 years ago by gk

Status: needs_information → assigned
Summary: media tab in Page Info can bypass NoScript → media tab in Page Info can bypass NoScript on Linux if gstreamer is used

Replying to cypherpunks:

So fundamentally, the expected behaviour is not to leak data? To obey the security slider? To start shipping TBB with media.gstreamer.enabled set to false, or incorporating that setting into the slider?

Do you even know if gstreamer has been leaking this whole time and should be removed as an option until upstream passes an audit?

  • If you can determine gstreamer isn't leaky (meaning outside the Tor network) then media.gstreamer.enabled should become part of what the security slider controls
  • if you cannot determine anything about gstreamer's network activity conclusively (?) then it should be removed from interaction from TBB completely

See #13020 for the network activity. The sole reason I was asking about the expected behavior was that there are a bunch of possible ways to deal with this issue and I certainly don't want to pick one users are unhappy about as this would result in follow-up bugs leading to extra work.

And FWIW Tor Browser based on ESR45 won't have this problem anymore as Mozilla is not using gstreamer anymore. We'll start shipping that in roughly 10 days with the next alpha.

comment:19 in reply to: 18 Changed 3 years ago by cypherpunks

Seems like a few misconceptions have made our fellow cpunk a little anxious. Maybe the following will help (gk can correct me if I say something stupid):

  1. Disabling embedded objects on chrome contexts was never among NoScript's goals. It only ever tries when in content context. (So this bug is hardly a "bypass".)
  2. The rationale for using NoScript to disable embedded multimedia objects is not preventing IP leaks (that would be a catastrophic failure; such identity leaks should never happen, ever, no matter the security slider setting, full stop). No, the idea is reducing the attack surface: multimedia codecs are known to be large pieces of flaky, vulnerable software. So the less you use them, the better your odds look.
  3. The media previewer doesn't run any content javascript. (If it runs javascript, it's chrome.)

Replying to gk:

And FWIW Tor Browser based on ESR45 won't have this problem anymore as Mozilla is not using gstreamer anymore.

But what about whatever replaces it (I'm assuming there is such replacement)?

comment:20 Changed 3 years ago by cypherpunks

I did see #13020, and thank you for addressing.

However, ESR45 won't change the fact that Page Info/Media Preview allows things that seemingly should be disabled via internal settings; that part of Firefox may not be affected by the same controls as other parts of the browser.

As for chrome vs. content and NoScript's focus, ok. But did you miss the part about Media Preview running a music player even though javascript was turned off completely in about:config? I'm pretty sure the content wasn't php.

Anyway, new bug filed at #18829.

comment:21 in reply to: 20 Changed 3 years ago by cypherpunks

Replying to cypherpunks:

As for chrome vs. content and NoScript's focus, ok. But did you miss the part about Media Preview running a music player

I did not. You don't seem to understand how that works.
The element is an HTML5 audio, that's Firefox player. You can read the source for said player if you look in Firefox's source tree.

even though javascript was turned off completely in about:config?

News flash: a huge part of Firefox is written in javascript. The about:config preference only disables it in content contexts, disabling everywhere would make the browser stop working.

I'm pretty sure the content wasn't php.

No idea what you're trying to say here.

comment:22 Changed 3 years ago by cypherpunks

I didn't realize it was HTML5, thanks for checking it out. I did wonder, but didn't know how to check.

I am indeed flashed by that javascript news +embarrassed (anonymously).

Rereading re:php, I don't know what I was saying there either :/

comment:23 Changed 3 years ago by gk

Keywords: ff45-esr-will-have added

comment:24 Changed 3 years ago by gk

Resolution: worksforme
Status: assigned → closed

Our nightlies already ship fixes for that and our alphas are about to do so, too. Let's close this ticket then.
