Closed Bug 408034 Opened 17 years ago Closed 17 years ago

"click" MouseEvent can be used to set focus on file input and selectively capture keystrokes, which can be used to upload arbitrary files

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 405299

People

(Reporter: gfleischer+bugzilla, Unassigned)

Details

(Keywords: verified1.8.1.12, Whiteboard: [sg:dupe 405299])

Attachments

(1 file)

Test case and file stealing demo
9.73 KB, application/zip
Details 
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

By creating a "MouseEvent" and using dispatchEvent to send a "click" to a file input element or a label associated with the file, the focus can be set on the text portion of the file input.  This can be used to selectively capture keystrokes and construct a path that can be used to upload arbitrary files from a user's computer.

By sending the click as an event, the focus restrictions in bug #370092 can be bypassed.

An alternate approach is to use the observation in bug #404391 and send click to an additional input element nested inside of the label.  


Reproducible: Always




User agents tested:
  - Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
  - Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
 - Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20071211 BonEcho/2.0.0.12pre
 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/20071211 BonEcho/2.0.0.12pre
Attached test-case and file stealing demo.
The attachment contains a test case (simple-click.html) and file stealing demo
(plausible.html + upload.cgi).

The simple-click.html file demonstrates how any of the elements in the grey box
(label, file input and text input) can be sent a "click" mouse event.  Any
keystrokes entered in the textarea will be transfered to the file input text
field.  No attempt is made to filter key strokes.

The plausible.html file demonstrates how an actual attack could be constructed.
The layout presented is similar to many blog comment sections.  All of the
fields are hooked so any keystroke that is entered can be used.  Once the
desired file is matched, the form would be automatically submitted.

The two files in the demo are "/etc/hosts" on Linux and Mac OS X and
"c:\boot.ini" on Windows.  Using a special set of captchas, any well known file
could be targeted.  For instance, an attack under Windows could include the
'c', ':', and '\' characters.  Multiple failures could be generated to capture
the necessary keystrokes by refreshing the image via XMLHttpRequest.  Some
potential  well known targets on Linux or Mac OS X would be "/etc/passwd" or
"~/.gnupg/secring.gpg".

The demo is standalone by default, but the 'upload.cgi' Perl CGI script can be used to actually submit the file.

Gregory, thanks for the bug report, but this turns out to be already reported, bug 405299.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
making this "block" 1.8.1.12 so this bug stays in our queries for verification that it really is the same thing.
Flags: blocking1.8.1.12+
Whiteboard: [sg:dupe 405299]
Flags: wanted1.8.1.x+
I've checked this in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12. It no longer shows the matching (in green highlighting) for '/etc/hosts'. Based on the other demos from this same series of issues, I believe that means that the problem is fixed. Can you confirm that this is a correct assumption, Gregory (or Dan)?
Yes, that is a mostly correct assumption.

This bug had a different root cause (ability to programmatically send click events to set focus) which was fixed in bug 405299.

The mechanism by which this bug was exploited (selectively canceling keystrokes) was fixed in bug 413135.

In either case, this bug has been fixed.  I tested this with Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20080130 BonEcho/2.0.0.12pre.
Ok, thanks Gregory!
Marking  verified1.8.1.12 then.
Keywords: fixed1.8.1.12verified1.8.1.12
Group: security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: