Closed
Bug 1326154
Opened 7 years ago
Closed 7 years ago
The uiUrl option of navigator.publishServer allows to launch arbitrary URL
Categories
(Core Graveyard :: DOM: Flyweb, defect)
Core Graveyard
DOM: Flyweb
Tracking
(firefox-esr45 unaffected, firefox52 disabled, firefox53 disabled, firefox54 disabled, firefox55 fixed)
RESOLVED
FIXED
mozilla55
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox52 | --- | disabled |
firefox53 | --- | disabled |
firefox54 | --- | disabled |
firefox55 | --- | fixed |
People
(Reporter: sdna.muneaki.nishimura, Assigned: ron.waisberg)
Details
(Keywords: sec-moderate, Whiteboard: currently disabled behind a pref)
Attachments
(2 files, 3 obsolete files)
233.15 KB,
image/png
|
Details | |
1.25 KB,
patch
|
justindarc
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12 Steps to reproduce: 1) Enable FlyWeb (dom.flyweb.enabled=true) 2) Open http://mallory.csrf.jp/flyweb.html 3) Push one of the button to activate a FlyWeb service 4) Launch nearby FlyWeb service called 'foo' from FlyWeb menu on Nightly Actual results: 'uiUrl' option of navigator.publishServer allows to set an arbitrary URL including chrome:, file:, and about:. That URL is shown when a victim or other persons in the same local network as the victim try to connect the rogue FlyWeb service. The 3rd button of the above PoC exploits an address bar spoofing vector in about:reader by accessing following URL. about:reader?url=http://cnn.example.com%26story=breaking_news@flyweb.github.io/ The current implementation of about:reader is not unsafe but it's prone to similar kind of attacks. Expected results: URL with http: or https: schema should be allowed to be set.
Reporter | ||
Comment 1•7 years ago
|
||
Further investigation revealed that FlyWeb enabled Firefox opens an arbitrary URL sent through a MDNS discovery packet including malicious PATH key in the TXT record. The attachment picture shows a MDNS packet including javascript URL in the PATH key.
Updated•7 years ago
|
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Flyweb
Flags: needinfo?(kvijayan)
Product: Firefox → Core
Updated•7 years ago
|
Flags: sec-bounty?
Comment 2•7 years ago
|
||
Maybe Justin could look into this while Kannan is away? I don't know what layer of code this might be going wrong in.
Flags: needinfo?(jdarcangelo)
Reporter | ||
Comment 3•7 years ago
|
||
As I mentioned in an e-mail last year FlyWeb is still in feasibility study and it's not landed on Aurora or Beta. Also it's disabled by default even on Nightly. So I think there would be no risks if the bug is made unhidden. How do ynu think about it and can you open the bug?
Flags: needinfo?(abillings)
Updated•7 years ago
|
Group: dom-core-security
status-firefox52:
--- → disabled
status-firefox53:
--- → disabled
status-firefox54:
--- → disabled
status-firefox-esr45:
--- → unaffected
Keywords: sec-moderate
Whiteboard: currently disabled behind a pref
Comment 4•7 years ago
|
||
Assigning to myself to fix.
Assignee: nobody → jdarcangelo
Status: NEW → ASSIGNED
Flags: needinfo?(jdarcangelo)
Updated•7 years ago
|
Flags: needinfo?(kvijayan)
Assignee | ||
Comment 5•7 years ago
|
||
When NS_NewURI() is passed a `uriString` that is an absolute URI, the `baseURI` parameter is ignored and not prepended (http://i.imgur.com/W4N4mOe.png).
Attachment #8841159 -
Flags: review?(jdarcangelo)
Assignee | ||
Comment 6•7 years ago
|
||
Updated to avoid extraneous forward slash when mPath was something like "/controls.html" (would result in a spec of "http://<UUID>//controls.html") as well as adding a necessary forward slash when mPath was missing it e.g. "controls.html".
Attachment #8841243 -
Flags: review?(jdarcangelo)
Updated•7 years ago
|
Attachment #8841159 -
Flags: review?(jdarcangelo) → review-
Updated•7 years ago
|
Attachment #8841243 -
Flags: review?(jdarcangelo) → review+
Updated•7 years ago
|
Assignee: jdarcangelo → ron.waisberg
Updated•7 years ago
|
Keywords: checkin-needed
Comment 7•7 years ago
|
||
Please attach that includes appropriate commit information when requesting checkin (name, email, commit message). http://mozilla-version-control-tools.readthedocs.io/en/latest/mozreview/commits.html#write-detailed-commit-messages https://developer.mozilla.org/en-US/docs/Mercurial_FAQ#How_can_I_generate_a_patch_for_somebody_else_to_check-in_for_me.3F
Keywords: checkin-needed
Comment 8•7 years ago
|
||
Ron: See Comment 7 above and provide the necessary information to land this patch. Thanks!
Flags: needinfo?(ron.waisberg)
Assignee | ||
Comment 9•7 years ago
|
||
Comment on attachment 8841243 [details] [diff] [review] bug1326154-fixed.patch Name: Ron Waisberg Email: ron.waisberg@gmail.com Commit Message: Fixed improper building of URL by concatenating mHostname with mPath. Previously, the user provided parameter mPath was passed into NS_NewURI() which would ignore and not concatenate the baseURI if mPath was an absolute URI.
Flags: needinfo?(ron.waisberg)
Attachment #8841243 -
Flags: checkin?
Comment 10•7 years ago
|
||
seems this need a rebase now since i hit conflicts: patching file dom/flyweb/FlyWebService.cpp Hunk #1 FAILED at 784 1 out of 1 hunks FAILED -- saving rejects to file dom/flyweb/FlyWebService.cpp.rej patch failed, unable to continue (try -v) patch failed, rejects left in working directory errors during apply, please fix and qrefresh bug1326154-fixed.patch could you take a look, thanks!
Flags: needinfo?(ron.waisberg)
Updated•7 years ago
|
Attachment #8841159 -
Attachment is obsolete: true
Updated•7 years ago
|
Attachment #8841243 -
Flags: checkin?
Comment 11•7 years ago
|
||
Carsten, I am able to apply bug1326154-fixed.patch to inbound without any issues. Also, the affected file (dom/flyweb/FlyWebService.cpp) has not changed for several months so it shouldn't be a rebasing issue. Can you please re-check this? Thanks! (In reply to Carsten Book [:Tomcat] from comment #10) > seems this need a rebase now since i hit conflicts: > > patching file dom/flyweb/FlyWebService.cpp > Hunk #1 FAILED at 784 > 1 out of 1 hunks FAILED -- saving rejects to file > dom/flyweb/FlyWebService.cpp.rej > patch failed, unable to continue (try -v) > patch failed, rejects left in working directory > errors during apply, please fix and qrefresh bug1326154-fixed.patch > > could you take a look, thanks!
Flags: needinfo?(cbook)
Comment 12•7 years ago
|
||
hm still hitting the problem ? Ryan could you take a look if you are able to checkin ? Thanks!
Flags: needinfo?(cbook) → needinfo?(ryanvm)
Comment 13•7 years ago
|
||
Doesn't apply for me either. Are you working from a git repo? I'm wondering if the patch format is confusing Mercurial for some reason.
Flags: needinfo?(ryanvm)
Comment 14•7 years ago
|
||
Kannan, can you take a look at why Ron's patch isn't applying? I was able to apply to m-c using mq, but the sheriffs have not been able to. I'm not sure what the issue is.
Flags: needinfo?(kvijayan)
Comment 15•7 years ago
|
||
Justin: can you prod this bug along, please?
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(jdarcangelo)
Flags: needinfo?(abillings)
Comment 16•7 years ago
|
||
Updated patch that applies.
Attachment #8841243 -
Attachment is obsolete: true
Flags: needinfo?(kvijayan)
Comment 17•7 years ago
|
||
Comment on attachment 8870455 [details] [diff] [review] fix-flyweb-bug-1326154.patch Forwarding prior r+ from justin, since this is the same patch.
Attachment #8870455 -
Flags: review+
Updated•7 years ago
|
Flags: needinfo?(ron.waisberg)
Flags: needinfo?(jdarcangelo)
Updated•7 years ago
|
Attachment #8870455 -
Flags: checkin?
Comment 18•7 years ago
|
||
Comment on attachment 8870455 [details] [diff] [review] fix-flyweb-bug-1326154.patch In the future, you can just set the checkin-needed bug keyword, which plays more nicely with the automated bug marking tools.
Attachment #8870455 -
Flags: checkin?
Comment 19•7 years ago
|
||
Also, please attach a patch that includes proper commit information when requesting checkin.
Comment 20•7 years ago
|
||
Attached corrected patch with author and commit message. Carrying over R+.
Attachment #8870455 -
Attachment is obsolete: true
Attachment #8870520 -
Flags: review+
Updated•7 years ago
|
Keywords: checkin-needed
Comment 21•7 years ago
|
||
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/cbae2c2731e4 Fix to prevent FlyWebService from pointing to a URL with a different origin. r=djvj
Keywords: checkin-needed
Comment 22•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/cbae2c2731e4
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•6 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•