Closed Bug 1050690 (CVE-2014-1566) Opened 10 years ago Closed 10 years ago

Download arbitrary files to SD card via additional slashes in file: URI

Categories

(Firefox for Android Graveyard :: General, defect)

Product:
Firefox for Android Graveyard
Component:
General
Version:
31 Branch
Platform:
All
Android
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox31 wontfix, firefox32 verified, firefox33 verified, firefox34 verified, firefox-esr31 fixed, b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.2 unaffected, fennec31+)

Status:
VERIFIED FIXED
Milestone:
Firefox 34
Tracking Flags:
Tracking Status
firefox31 --- wontfix
firefox32 --- verified
firefox33 --- verified
firefox34 --- verified
firefox-esr31 --- fixed
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.2 --- unaffected
fennec 31+ ---

People

(Reporter: ydsldy, Assigned: rnewman)

References

Details

(Keywords: reporter-external, reproducible, sec-high, Whiteboard: [adv-main32+][adv-esr31.1+])

Attachments

(1 file)

Proposed patch. v1
896 bytes, patch
wesj
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Sylvestre
: approval-mozilla-esr31+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Steps to reproduce:

If we input the URL in the address bar such as:
file:///data/data/org.mozilla.firefox/files/mozilla/xxxxxxxx.default/cookies.sqlite
the download will not be invoked because the update in Firefox 28.0.1
But we can simply add ‘/’ before folders in the URL:
file:////data/data/org.mozilla.firefox/files/mozilla/gnxblohb.default/cookies.sqlite


Actual results:

The cookies will be automatically downloaded in the SDcard so that all apps in the devices get access to the cookies which save users privacy information.


Expected results:

No matter what users input in the address bar, the cookies should not be downloaded into SDcard.
Group: core-security
Status: UNCONFIRMED → NEW
status-firefox31: --- → affected
status-firefox32: --- → affected
status-firefox33: --- → affected
status-firefox34: --- → affected
Ever confirmed: true
Keywords: reproducible
OS: Windows 7 → Android
Hardware: x86_64 → ARM
Flags: sec-bounty?
bug 945429 should have fixed this. Is it not robust enough?
Flags: needinfo?(wjohnston)
Flags: needinfo?(rnewman)
(In reply to Mark Finkle (:mfinkle) from comment #1)
> bug 945429 should have fixed this.

It did: from Comment 0: "the download will not be invoked because the update in Firefox 28.0.1".

> Is it not robust enough?

I thought we normalized the URL, but apparently not enough!
Assignee: nobody → rnewman
Status: NEW → ASSIGNED
Flags: needinfo?(rnewman)
Looks like nsIFile.compare just uses a strcmp function, which fails here because of the extra '/'. Is this a platform bug?
http://mxr.mozilla.org/mozilla-central/source/xpcom/io/nsLocalFileUnix.cpp#1744
Flags: needinfo?(wjohnston)
Hardware: ARM → All
Summary: Firefox for Android Automatic Download File to SDcard by File:// → Download arbitrary files to SD card via additional slashes in file: URI
Depends on: CVE-2014-1515
The nsIIOService trick we use to resolve the URL doesn't clean up in this case.

let url = makeURI("file:////Users/rnewman/");
url.schemeIs("file");        // true
let ioSvc = Cc["@mozilla.org/network/io-service;1"].getService(Components.interfaces.nsIIOService);
let resolved = ioSvc.newChannelFromURI(url).URI;
url.equals(resolved);        // true
resolved.path;               // "//Users/rnewman/"

And indeed that causes containment to be incorrect:

let subdir       = makeURI("file:////Users/rnewman/foo/").QueryInterface(Ci.nsIFileURL).file;
let dirSlashed   = makeURI("file:////Users/").QueryInterface(Ci.nsIFileURL).file;
let dirUnslashed = makeURI("file:///Users/").QueryInterface(Ci.nsIFileURL).file;

dirSlashed.contains(subdir, true);      // true
dirUnslashed.contains(subdir, true);    // false

even though a path with an arbitrary number of leading slashes is still readable.
I haven't tested this in-product yet, but I have tested the normalization itself:

let parent = makeURI("file:///Users/").QueryInterface(Ci.nsIFileURL).file;
let child = makeURI("file://////Users/rnewman/").QueryInterface(Ci.nsIFileURL).file;

parent.contains(child, true);       // false
child.normalize();
parent.contains(child, true);       // true
Attachment #8470119 - Flags: review?(wjohnston)
Comment on attachment 8470119 [details] [diff] [review]
Proposed patch. v1

Review of attachment 8470119 [details] [diff] [review]:
-----------------------------------------------------------------

::: mobile/android/components/HelperAppDialog.js
@@ +70,5 @@
>        // If it's in our app directory or profile directory, we never ever
>        // want to do anything with it, including saving to disk or passing the
>        // file to another application.
>        let file = url.QueryInterface(Ci.nsIFileURL).file;
> +      file.normalize();

You might add a comment here so this isn't removed by someone in the future.
Attachment #8470119 - Flags: review?(wjohnston) → review+
tracking-fennec: --- → ?
Comment on attachment 8470119 [details] [diff] [review]
Proposed patch. v1

Approval Request Comment
[Feature/regressing bug #]:
  Omission from Bug 945429.

[User impact if declined]:
  See Bug 945429.

[Describe test coverage new/current, TBPL]:
  Verified by hand.

[Risks and why]: 
  Should be zero risk. Would take for release if that happens.

[String/UUID change made/needed]:
  None.
Attachment #8470119 - Flags: approval-mozilla-beta?
Attachment #8470119 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/8e80d6b6f9af
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox34: affectedfixed
status-firefox-esr31: --- → affected
Resolution: --- → FIXED
Target Milestone: --- → Firefox 34
Richard, why particular reason you are not requesting an uplift to ESR31? FYI, ESR is going to be used for the ARMv6/Android 2.2 fennec release.
Flags: needinfo?(rnewman)
Attachment #8470119 - Flags: approval-mozilla-beta?
Attachment #8470119 - Flags: approval-mozilla-beta+
Attachment #8470119 - Flags: approval-mozilla-aurora?
Attachment #8470119 - Flags: approval-mozilla-aurora+
Comment on attachment 8470119 [details] [diff] [review]
Proposed patch. v1

(In reply to Sylvestre Ledru [:sylvestre] from comment #10)
> Richard, why particular reason you are not requesting an uplift to ESR31?
> FYI, ESR is going to be used for the ARMv6/Android 2.2 fennec release.

No reason why not.
Attachment #8470119 - Flags: approval-mozilla-esr31?
Flags: needinfo?(rnewman)
Attachment #8470119 - Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
# start -a android.intent.action.VIEW -n org.mozilla.fennec/.App -d file:////data/data/org.mozilla.fennec/files/mozilla/of48tywi.default/cookies.sqlite

'Couldn't find an app to open this link'
Status: RESOLVED → VERIFIED
status-firefox33: fixedverified
status-firefox34: fixedverified
We should also test that normalize deals with extra slashes elsewhere in the path, as well as path traversal attempts (/./ and /../ etc)
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high
We're awarding the bounty because this is equivalent to the other problem, and on older versions of Android there are still avenues for malicious apps to learn the salted profile name.
(In reply to Daniel Veditz [:dveditz] from comment #14)
> We should also test that normalize deals with extra slashes elsewhere in the
> path, as well as path traversal attempts (/./ and /../ etc)

As far as my testing here in local profile file downloading, these cases seem covered with the normalize() call.
tracking-fennec: ? → 31+
Whiteboard: [adv-main32+][adv-esr31.1+]
Alias: CVE-2014-1566
Group: core-security → core-security-release
Group: core-security-release
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: