Closed Bug 1372112 (CVE-2017-7795) Opened 9 years ago Closed 8 years ago

XUL Injection in Inspector Image Tooltip

Categories

(DevTools :: Inspector, defect)

Product:
DevTools
Component:
Inspector
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox-esr5255+ fixed, firefox54 wontfix, firefox55+ fixed, firefox56+ fixed)

Status:
VERIFIED FIXED
Milestone:
Firefox 56
Tracking Flags:
Tracking Status
firefox-esr52 55+ fixed
firefox54 --- wontfix
firefox55 + fixed
firefox56 + fixed

People

(Reporter: freddy, Assigned: jdescottes)

References

Details

(Keywords: csectype-priv-escalation, sec-critical, wsec-xss, Whiteboard: [adv-main55+][adv-esr52.3+])

Attachments

(3 files, 1 obsolete file)

bug1372112.patch
1.32 KB, patch
pbro
: review+
freddy
: feedback+
lizzard
: approval-mozilla-beta+
abillings
: sec-approval+
Details | Diff | Splinter Review
bug1372112.esr52.patch
1.38 KB, patch
jdescottes
: review+
lizzard
: approval-mozilla-esr52+
Details | Diff | Splinter Review
proof of concept (alerts)
100 bytes, text/html
Details
Attached file proof of concept (obsolete) —
ImageToolTipHelper.js uses innerHTML to create tooltips. While doing this, it does not properly encode image URLs, which can lead to chrome privileged XSS. STR: 1) Open attached file 2) right-click broken image and select "Inspect Element" to open DevTools 3) highlight the underlined image src attribute 4) the toolbox contains XUL markup supplied by the website (here: a harmless <button> element) I suggest we fix this by using encodeURI(imageURL) instead of imageURL.
The vulnerability is in http://searchfox.org/mozilla-central/rev/1a054419976437d0778a2b89be1b00207a744e94/devtools/client/shared/widgets/tooltip/ImageTooltipHelper.js#98 Let me quote: > let html = ` > <div style="flex: 1; > display: flex; > padding: ${IMAGE_PADDING}px; > align-items: center; > justify-content: center; > min-height: 1px;"> > <img class="${imageClass}" > style="height: ${imgHeight}px; max-height: 100%;" > src="${imageUrl}"/> > </div>`; ... > div.innerHTML = html; Causing the injection is the imageURL variable.
Keywords: sec-highsec-critical
Attached patch bug1372112.patchSplinter Review
Attachment #8876668 - Flags: review?(pbrosset)
Simply following the suggestion from freddyb and calling encodeURI on the image source.
The code updated here comes from Bug 1266448 (https://hg.mozilla.org/mozilla-central/rev/a41f8a55229c) which landed in Firefox 49.
Comment on attachment 8876668 [details] [diff] [review] bug1372112.patch Review of attachment 8876668 [details] [diff] [review]: ----------------------------------------------------------------- Yep, I already tested this. Consider this patch reviewed from a security perspective.
Attachment #8876668 - Flags: feedback+
Comment on attachment 8876668 [details] [diff] [review] bug1372112.patch [Security approval request comment] How easily could an exploit be constructed based on the patch? Crafting a page exploiting this is easy (see attached example). Requires the user to use devtools to be impacted by the issue. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No test added/comment added to try and land this asap. I supposed we can open a follow up sec bug to add tests? Which older supported branches are affected by this flaw? All versions of firefox up to 49 are affected, so: - central - beta - release - esr-52 If not all supported branches, which bug introduced the flaw? Bug 1266448 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Backports are not ready yet, but it is a simple one-liner on code that hasn't changed much since ff49. How likely is this patch to cause regressions; how much testing does it need? This is a minor change, regressions are very unlikely.
Attachment #8876668 - Flags: sec-approval?
Comment on attachment 8876668 [details] [diff] [review] bug1372112.patch Review of attachment 8876668 [details] [diff] [review]: ----------------------------------------------------------------- Thanks Julian! Looks good to me.
Attachment #8876668 - Flags: review?(pbrosset) → review+
Blocks: 1351608
sec-approval+ for checkin on June 26, two weeks into the new cycle. We'll want patches nominated to go into Beta and ESR52 once it lands on trunk as well.
status-firefox54: --- → wontfix
status-firefox55: --- → affected
status-firefox56: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox55: --- → +
tracking-firefox56: --- → +
tracking-firefox-esr52: --- → 55+
Whiteboard: [checkin on 6/26]
Attachment #8876668 - Flags: sec-approval? → sec-approval+
Comment on attachment 8876668 [details] [diff] [review] bug1372112.patch Approval Request Comment [Feature/Bug causing the regression]: Bug 1266448 (fixed in FF49) [User impact if declined]: security issue for devtools users [Is this code covered by automated tests?]: no [Has the fix been verified in Nightly?]: no [Needs manual test from QE? If yes, steps to reproduce]: not sure what is the usual process here, but if QE verification is done on security bugs, you can follow the STRs: - open the attachment 'proof of concept' in Firefox - open the inspector - in the markup view, hover with the mouse on the image-url - check that the tooltip does not contain a button (it should only display a broken image preview) [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: one-liner javascript change, devtools only [String changes made/needed]: none
Attachment #8876668 - Flags: approval-mozilla-beta?
The existing patch does not apply cleanly on esr52. It's still the same fix, lines just moved between 52 and 55. Freddy: Since this is a different attachment, should I flag it for sec-review?
Flags: needinfo?(fbraun)
Attachment #8877517 - Flags: review+
Attachment #8877517 - Flags: approval-mozilla-esr52?
No need, it's very close to being the same thing (and I just checked).
Flags: needinfo?(fbraun)
Group: core-security → firefox-core-security
Comment on attachment 8876668 [details] [diff] [review] bug1372112.patch This has sec approval for 6/26 so we can check it in on trunk. This might make it to today's beta build but if not, it will be in beta 6 on Thursday.
Attachment #8876668 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8877517 [details] [diff] [review] bug1372112.esr52.patch Sec-critical, taking this for esr52.3.0.
Attachment #8877517 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
https://hg.mozilla.org/mozilla-central/rev/c66c287c6180
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox56: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 56
Whiteboard: [adv-main55+]
Group: firefox-core-security → core-security-release
Whiteboard: [adv-main55+] → [adv-main55+][adv-esr52.3+]
Alias: CVE-2017-7795
Freddy, I was wondering: a) Has this bug had been fixed as filed? If yes, you could mark verified. If not, let's reopen it and try to get some attention on it. b) Did you just find a variation for Linux? Is it significant enough to merit its own bug? It appears that we are releasing an advisory for Fx 55. If there's more work here, let's make sure it's tracked.
Flags: needinfo?(fbraun)
The bug is fixed, sorry for the confusion.
Status: RESOLVED → VERIFIED
Flags: needinfo?(fbraun)
Lowering severity to sec-moderate; it's not critical unless it allows script injection and I keep getting "Unable to run script because scripts are blocked internally"
Keywords: csectype-priv-escalation, sec-critical, wsec-xsscsectype-sop, sec-moderate
I poked a bit again and I did not get further than <button>i</button> for various reasons - the payload is in a URL - the injection happens through an innerHTML assignment, so <script>..</script> won't work - reading it from the DOM, JavaScript sees the URL with spaces encoded as %20, which limits the HTML payload significantly - finding a way to execute scripts without <script> tags and with all spaces encoded as %20 limits us greatly - an obvious avenue for attack would be things like <svg/onload=alert(1)> - the current document is an XHTML (XUL) document, that parses way stricter than normal HTML - despite the well-known XHTML strictness that demands proper quoting and ending tags, it also disallows the trick to replace the space that separates the tag name and the attribute with a forward slash In summary: I'd be amazed to see if someone else gets any farther.
(In reply to Frederik Braun [:freddyb] from comment #22) > - reading it from the DOM, JavaScript sees the URL with spaces encoded as > %20, which limits the HTML payload significantly > - finding a way to execute scripts without <script> tags and with all spaces > encoded as %20 limits us greatly > - an obvious avenue for attack would be things like <svg/onload=alert(1)> I just also tested \r, \n, \t, and other things listed in https://en.wikipedia.org/wiki/Whitespace_character but no luck.
I couldn't let go and found a way to make this execute script with chrome privileges, which raises the severity back to critical. (The bug is still fixed in the relevant branches, but I wanted to make sure we don't rate it improperly)
Attachment #8876665 - Attachment is obsolete: true
Group: core-security-release
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: