Closed
Bug 1014596
Opened 11 years ago
Closed 7 years ago
Origin field in app-manifest with path traversal attempt causes perma-DOS of homescreen
Categories
(Firefox OS Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: sdna.muneaki.nishimura, Unassigned)
Details
(Keywords: csectype-dos, reporter-external, sec-low, Whiteboard: [reporter-external] marketplace screens for this, side-loaded apps only)
Attachments
(1 file)
12.44 KB, application/x-zip-compressed
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
Steps to reproduce:
1. Create a privileged app of Firefox OS
2. Set "app://..%2f..%2fmy-app.com" in the origin field of manifest.webapp
3. Install the app from app-manager to the device
Actual results:
The Homescreen app restarts repeatedly, and the following log is shown in adb logcat.
I/Gecko ( 110): NeckoParent::AllocPRemoteOpenFile: FATAL error: requested file URI '/data/local/webapps/../../my-app.com/application.zip' contains '/../' KILLING CHILD PROCESS
Expected results:
Reject installing an application which has a path separator in the origin header.
Or, sanitize all path separators in the origin header when Gecko installs the app.
Updated•11 years ago
Group: b2g-core-security
Component: Untriaged → General
Flags: sec-bounty?
Product: Firefox → Firefox OS
Whiteboard: [reporter-external]
Version: 30 Branch → unspecified
Comment 1•11 years ago
Thanks for reporting this.
I reproduced the issue on a flame on a 2.0.0-prerelease. The homescreen keeps on restarting even after restarting the phone.
The marketplace validator performs a regex check on the origin field, and in this case rightfully rejects the app: https://marketplace.firefox.com/developers/upload/a04d91fc315b474192e614302e04ae14
So hopefully this limits the scope to privileged or certified apps installed manually via the app-manager.
Comment 2•11 years ago
Complete error logs in logcat are:
I/Gecko ( 287): NeckoParent::AllocPRemoteOpenFile: FATAL error: requested file URI '/data/local/webapps/../../my-app.com/application.zip' contains '/../' KILLING CHILD PROCESS
I/Gecko ( 287):
I/Gecko ( 287): ###!!! [Parent][DispatchAsyncMessage] Error: Value error: message was deserialized, but contained an illegal value
I/Gecko ( 287):
I/Gecko ( 287): [Parent 287] WARNING: waitpid failed pid:3102 errno:10: file ../../../gecko/ipc/chromium/src/base/process_util_posix.cc, line 261
E/GeckoConsole( 287): [JavaScript Error: "IndexedDB UnknownErr: IDBTransaction.cpp:864"]
I/Gecko ( 287):
I/Gecko ( 287): ###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
I/Gecko ( 287):
I/Gecko ( 287): AudioChannelService::UpdateChannelType(aChannel=0) :::==> (newType=1 != oldType=1) ?= 0;
E/GeckoConsole( 287): [JavaScript Error: "AbortError"]
E/GeckoConsole( 287): [JavaScript Error: "IndexedDB UnknownErr: IDBTransaction.cpp:864"]
Comment 3•11 years ago
Deleting the entry for the malicious app in /data/local/webapps/webapps.json solves the issue, so maybe we could perform some checks when building webapps.json from the manifest data. This is done when installing external apps: https://github.com/mozilla-b2g/gaia/blob/42b468d6b18d8cd6ea73e23a269b40e22584f4fb/build/copy-build-stage-data.js#L61
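Added example, not Gecko or Gaia code, of the check the reporter asks for in "Expected results" and that Comment 3 suggests doing when the manifest data is turned into a webapps.json entry: a strict validator for the origin field, shown beside the unsafe path derivation it prevents. The base directory /data/local/webapps is taken from the logcat output in this bug; the function names, the hostname regex and the sample origins are assumptions constructed for the example.

```javascript
// Added example (not Gecko/Gaia code): validate the "origin" field of a
// manifest.webapp before it is used to build an on-device path, and show how
// an unvalidated origin becomes a traversal out of the webapps directory.

// Assumed base directory; it matches the path in the logcat output above.
const WEBAPPS_DIR = "/data/local/webapps";

// Unsafe derivation, constructed to reproduce the failure mode: strip the
// scheme, percent-decode, and concatenate under WEBAPPS_DIR with no checks.
function unsafeAppZipPath(origin) {
  const host = decodeURIComponent(origin.replace(/^app:\/\//, ""));
  return `${WEBAPPS_DIR}/${host}/application.zip`;
}

// The condition that fired in the log: the parent refuses any file path
// containing "/../" and kills the child. By then the install is already on
// disk, which is why the homescreen keeps dying on every restart.
function neckoWouldKill(filePath) {
  return filePath.includes("/../");
}

// Strict allow-list for the host part of an app:// origin: lowercase DNS-style
// labels separated by single dots. "/", "\", "%", "..", "" and anything else
// are rejected before decoding, so encoded and double-encoded separators
// never reach the filesystem. (Assumed policy: origins are stored lowercase.)
const LABEL = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
const HOST_RE = new RegExp(`^${LABEL}(?:\\.${LABEL})*$`);

function validateAppOrigin(origin) {
  if (typeof origin !== "string") return { ok: false, reason: "origin is not a string" };
  if (!origin.startsWith("app://")) return { ok: false, reason: "scheme must be app://" };
  const host = origin.slice("app://".length);
  if (!HOST_RE.test(host)) return { ok: false, reason: `host "${host}" is not a plain hostname` };
  return { ok: true, host };
}

// Safe derivation: validate first, then re-check the result as defense in
// depth so a future change to the regex cannot silently reopen the hole.
function safeAppZipPath(origin) {
  const v = validateAppOrigin(origin);
  if (!v.ok) throw new Error(`rejecting install: ${v.reason}`);
  const zip = `${WEBAPPS_DIR}/${v.host}/application.zip`;
  if (neckoWouldKill(zip) || !zip.startsWith(WEBAPPS_DIR + "/")) {
    throw new Error("rejecting install: derived path escapes webapps dir");
  }
  return zip;
}

// Constructed inputs: the origin from the report, a plain-"../" variant, a
// double-encoded variant, and a normal one. Returns one result line each.
function demo() {
  const origins = [
    "app://..%2f..%2fmy-app.com",
    "app://../../my-app.com",
    "app://..%252f..%252fmy-app.com",
    "app://my-app.com",
  ];
  return origins.map((origin) => {
    let safe;
    try { safe = safeAppZipPath(origin); } catch (e) { safe = e.message; }
    return `${origin} -> unsafe: ${unsafeAppZipPath(origin)} | safe: ${safe}`;
  });
}

console.log(demo().join("\n"));
```

The validator rejects the input before any decoding, because a rule that decodes and then looks for "../" has to be re-run after every decoding layer (the double-encoded "%252f" case shows why); an allow-list of what a hostname may contain needs no such iteration.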
Updated•11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•11 years ago
Keywords: csectype-dos, sec-low
Summary: Origin field in app-manifest is prone to path traversal attack → Origin field in app-manifest with path traversal attempt causes perma-DOS of homescreen
Updated•11 years ago
Whiteboard: [reporter-external] → [reporter-external] marketplace screens for this, side-loaded apps only
Updated•11 years ago
Flags: sec-bounty? → sec-bounty-
Updated•11 years ago
Group: b2g-core-security
Updated•9 years ago
Group: core-security → b2g-core-security
Comment 4•7 years ago
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Updated•7 years ago
Group: b2g-core-security
Updated•9 months ago
Keywords: reporter-external