Closed Bug 1393624 (CVE-2017-7825) Opened 3 years ago Closed 3 years ago

Domain spoofing thanks to U+0620 ARABIC LETTER rendered as 'space' on Mac OS

Categories: Firefox :: Address Bar, defect
Version: 57 Branch
Platform: Other / macOS
Type: defect; Priority: Not set; Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: Firefox 57
Tracking Status:
firefox-esr52 --- fixed
firefox55 --- wontfix
firefox56 --- fixed
firefox57 --- fixed

People

(Reporter: chromium.khalil, Assigned: jfkthame)

Details

(Keywords: csectype-spoof, sec-moderate, sec-vector, Whiteboard: [adv-main56+][adv-esr52.4+][post-critsmash-triage])

Attachments

(2 files)

After reporting issue 1390980, which is fixed in version 57.0a1 Nightly, we have found another character (https://www.compart.com/en/unicode/U+0620) that looks like a 'space' on Mac OS

http://important-domain.google.com.xn--fgbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bntk.pl/
Note: I tested this with macOS X El Capitan 10.11.6
Looks like this is another character where some of Apple's Chinese fonts (STSong / Songti) incorrectly have a blank glyph.

The same issue also applies to the extended Arabic-script characters 06EE, 06EF and 06FF. And to some (mostly unassigned) Tibetan-block characters: 0F6D 0F6E 0F6F 0F70 0F98 0FBD 0FCD 0FD9..0FFF. (Based on checking the Songti fonts on macOS 10.12.)

This really is an Apple bug, not a Firefox issue, but I guess we can add all these to the exclusion list in gfxMacPlatformFontList.
jfkthame: have we now gone through all the suspect fonts and blacklisted every character which is encoded as a space?

Gerv
(In reply to Gervase Markham [:gerv] from comment #3)
> jfkthame: have we now gone through all the suspect fonts and blacklisted
> every character which is encoded as a space?

Not really; that's rather an open-ended project. I found a bunch more in the STSong fonts (comment 2 above), but this may not be exhaustive.

There could easily be additional fonts that have such flaws, but just haven't come to anyone's attention yet. And fonts change with every new OS release... existing fonts are updated, and entirely new fonts may be shipped. In general, of course, we hope that errors are fixed in new releases rather than new ones introduced, but there are no guarantees.
(In reply to Jonathan Kew (:jfkthame) from comment #2)
> Looks like this is another character where some of Apple's Chinese fonts
> (STSong / Songti) incorrectly have a blank glyph.
> 
> The same issue also applies to the extended Arabic-script characters 06EE,
> 06EF and 06FF.

And 065F.
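The patch in this bug adds the code points above to Gecko's font exclusion list so the affected glyphs are no longer drawn from the buggy Apple fonts. As an added example, not part of the patch or of Mozilla's code, the following Python checker takes the code points listed in comments 2 and 5 (U+0620, U+065F, U+06EE, U+06EF, U+06FF and the Tibetan-block entries 0F6D 0F6E 0F6F 0F70 0F98 0FBD 0FCD 0FD9..0FFF) and flags any hostname label that contains one, decoding punycode A-labels on the way. The function names and the sample hostnames are constructed for this example; the label xn--fgb is the A-label of a single U+0620.

```python
import unicodedata

# Code points from this thread that some Apple fonts (STSong / Songti) render
# as blank glyphs: U+0620, U+065F, U+06EE, U+06EF, U+06FF, and the Tibetan-block
# entries 0F6D 0F6E 0F6F 0F70 0F98 0FBD 0FCD 0FD9..0FFF.
BLANK_GLYPH_CODEPOINTS = frozenset(
    [0x0620, 0x065F, 0x06EE, 0x06EF, 0x06FF,
     0x0F6D, 0x0F6E, 0x0F6F, 0x0F70, 0x0F98, 0x0FBD, 0x0FCD]
    + list(range(0x0FD9, 0x1000))        # 0FD9..0FFF inclusive
)


def decode_label(label):
    """Return the Unicode (U-label) form of one hostname label.

    A-labels carry the ACE prefix 'xn--' followed by the punycode body, which
    Python's built-in 'punycode' codec decodes; anything else is returned as is.
    Raises UnicodeError on a malformed punycode body.
    """
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def find_blank_glyph_chars(hostname):
    """List every blank-glyph code point in a hostname.

    Each hit is (label_index, char_index, 'U+XXXX', unicode_name). A label
    whose punycode cannot be decoded is reported as a hit with char_index None,
    so a malformed A-label is never silently accepted.
    """
    hits = []
    for idx, label in enumerate(hostname.rstrip(".").split(".")):
        try:
            decoded = decode_label(label)
        except UnicodeError:
            hits.append((idx, None, "invalid-punycode", label))
            continue
        for pos, ch in enumerate(decoded):
            cp = ord(ch)
            if cp in BLANK_GLYPH_CODEPOINTS:
                hits.append((idx, pos, f"U+{cp:04X}",
                             unicodedata.name(ch, "<unassigned>")))
    return hits


def is_suspicious(hostname):
    """True when any label of the hostname contains a blank-glyph code point."""
    return bool(find_blank_glyph_chars(hostname))


if __name__ == "__main__":
    # Constructed hostnames: 'xn--fgb' is the A-label of a single U+0620, so the
    # first name would show an apparent space between 'com' and 'example' in an
    # affected font; the second is an ordinary IDN label (München) and is clean.
    for host in ("important-domain.google.com.xn--fgb.example",
                 "xn--mnchen-3ya.example"):
        print(host, "->", find_blank_glyph_chars(host))
```

A code-point filter of this kind, run over logged hostnames or a URL allowlist, complements the font-level workaround: as comment 4 notes, the browser's exclusion list has to keep pace with every font change Apple ships, whereas a filter on the known code points catches the same characters regardless of how a given font renders them.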
This adds all the characters mentioned above (plus a few more I found when trawling through the Songti fonts) to our blacklist.
Attachment #8903080 - Flags: review?(jmuizelaar)
I think this is Medium severity based on bug 1390980.
Attachment #8903080 - Flags: review?(jmuizelaar) → review+
https://hg.mozilla.org/mozilla-central/rev/a87b382c2135
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 57
I assume we'll want to backport this to Beta/ESR52 as well.
Assignee: nobody → jfkthame
Flags: needinfo?(jfkthame)
Comment on attachment 8903080 [details] [diff] [review]
Blacklist more invalid characters found in Apple's fonts

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Not really a Gecko bug, this is a workaround for a buggy Apple font with spurious blank characters that might be used to obscure a spoofed URL.

User impact if declined:
Potential for URL spoofing due to invalid characters in a Chinese font on macOS

Fix Landed on Version: 57

Risk to taking this patch (and alternatives if risky): minimal

String or UUID changes made by this patch: none
Flags: needinfo?(jfkthame)
Attachment #8903080 - Flags: approval-mozilla-esr52?
Attachment #8903080 - Flags: approval-mozilla-beta?
Comment on attachment 8903080 [details] [diff] [review]
Blacklist more invalid characters found in Apple's fonts

Avoid potential for URL spoofing. Beta56+ & ESR52+.
Attachment #8903080 - Flags: approval-mozilla-esr52?
Attachment #8903080 - Flags: approval-mozilla-esr52+
Attachment #8903080 - Flags: approval-mozilla-beta?
Attachment #8903080 - Flags: approval-mozilla-beta+
Note this bug (and the similar Tibetan ones) also affects Safari, as one would expect since this is a Mac font bug.
We're going to pay a reduced bounty for this one because we've paid before, but we can't afford to be Apple's Bug Bounty program so this will have to be the last one for these bugs that 1) are due to bad Apple fonts, and 2) also affect Safari.
Flags: sec-bounty? → sec-bounty+
See also https://bugs.chromium.org/p/chromium/issues/detail?id=725660, reported to Chromium.
Group: firefox-core-security → core-security-release
Whiteboard: [adv-main56+][adv-esr52.4+]
Flags: qe-verify-
Whiteboard: [adv-main56+][adv-esr52.4+] → [adv-main56+][adv-esr52.4+][post-critsmash-triage]
Alias: CVE-2017-7825
Group: core-security-release