Closed Bug 1014596 Opened 11 years ago Closed 7 years ago

Origin field in app-manifest with path traversal attempt causes perma-DOS of homescreen

Categories

(Firefox OS Graveyard :: General, defect)

x86_64
Windows 8
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

Details

(Keywords: csectype-dos, reporter-external, sec-low, Whiteboard: [reporter-external] marketplace screens for this, side-loaded apps only)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36

Steps to reproduce:

1. Create a privileged Firefox OS app
2. Set the origin field in manifest.webapp to "app://..%2f..%2fmy-app.com"
3. Install the app from the app-manager to the device

Actual results:

The Homescreen app restarts repeatedly and then the following log is shown in adb-logcat.

I/Gecko ( 110): NeckoParent::AllocPRemoteOpenFile: FATAL error: requested file URI '/data/local/webapps/../../my-app.com/application.zip' contains '/../' KILLING CHILD PROCESS

Expected results:

Reject installation of an application which has a path separator in the origin header. Or, sanitize all path separators in the origin header when Gecko installs the app.
Group: b2g-core-security
Component: Untriaged → General
Flags: sec-bounty?
Product: Firefox → Firefox OS
Whiteboard: [reporter-external]
Version: 30 Branch → unspecified
Thanks for reporting this. I reproduced the issue on a flame on a 2.0.0-prerelease. The homescreen keeps on restarting even after restarting the phone. The marketplace validator performs a regex check on the origin field, and in this case rightly rejects the app: https://marketplace.firefox.com/developers/upload/a04d91fc315b474192e614302e04ae14 So hopefully this limits the scope to privileged or certified apps installed manually via the app-manager.

Complete error logs in logcat are:

I/Gecko ( 287): NeckoParent::AllocPRemoteOpenFile: FATAL error: requested file URI '/data/local/webapps/../../my-app.com/application.zip' contains '/../' KILLING CHILD PROCESS
I/Gecko ( 287):
I/Gecko ( 287): ###!!! [Parent][DispatchAsyncMessage] Error: Value error: message was deserialized, but contained an illegal value
I/Gecko ( 287):
I/Gecko ( 287): [Parent 287] WARNING: waitpid failed pid:3102 errno:10: file ../../../gecko/ipc/chromium/src/base/process_util_posix.cc, line 261
E/GeckoConsole( 287): [JavaScript Error: "IndexedDB UnknownErr: IDBTransaction.cpp:864"]
I/Gecko ( 287):
I/Gecko ( 287): ###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
I/Gecko ( 287):
I/Gecko ( 287): AudioChannelService::UpdateChannelType(aChannel=0) :::==> (newType=1 != oldType=1) ?= 0;
E/GeckoConsole( 287): [JavaScript Error: "AbortError"]
E/GeckoConsole( 287): [JavaScript Error: "IndexedDB UnknownErr: IDBTransaction.cpp:864"]
Deleting the entry for the malicious app in /data/local/webapps/webapps.json solves the issue, so maybe we could perform some checks when building webapps.json from the manifest data. This is done when installing external apps: https://github.com/mozilla-b2g/gaia/blob/42b468d6b18d8cd6ea73e23a269b40e22584f4fb/build/copy-build-stage-data.js#L61
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Origin field in app-manifest is prone to path traversal attack → Origin field in app-manifest with path traversal attempt causes perma-DOS of homescreen
Whiteboard: [reporter-external] → [reporter-external] marketplace screens for this, side-loaded apps only
Flags: sec-bounty? → sec-bounty-
Group: b2g-core-security
Group: core-security → b2g-core-security
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Group: b2g-core-security