Bug 1393624 (CVE-2017-7825)

Domain spoofing thanks to U+0620 ARABIC LETTER rendered as 'space' on Mac OS

RESOLVED FIXED in Firefox -esr52

Status


defect
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: chromium.khalil, Assigned: jfkthame)

Tracking

({csectype-spoof, sec-moderate, sec-vector})

57 Branch
Firefox 57
Other
macOS
Points:
---
Bug Flags:
sec-bounty +
qe-verify -

Firefox Tracking Flags

(firefox-esr52 fixed, firefox55 wontfix, firefox56 fixed, firefox57 fixed)

Details

(Whiteboard: [adv-main56+][adv-esr52.4+][post-critsmash-triage])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
After reporting issue 1390980, which is fixed in version 57.0a1 Nightly, we have found another character (https://www.compart.com/en/unicode/U+0620) that looks like a 'space' on Mac OS

http://important-domain.google.com.xn--fgbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bntk.pl/
(Reporter)

Comment 1

2 years ago
Note: I tested this with macOS X El Capitan 10.11.6
(Assignee)

Comment 2

2 years ago
Looks like this is another character where some of Apple's Chinese fonts (STSong / Songti) incorrectly have a blank glyph.

The same issue also applies to the extended Arabic-script characters 06EE, 06EF and 06FF. And to some (mostly unassigned) Tibetan-block characters: 0F6D 0F6E 0F6F 0F70 0F98 0FBD 0FCD 0FD9..0FFF. (Based on checking the Songti fonts on macOS 10.12.)

This really is an Apple bug, not a Firefox issue, but I guess we can add all these to the exclusion list in gfxMacPlatformFontList.
Flags: sec-bounty?
jfkthame: have we now gone through all the suspect fonts and blacklisted every character which is encoded as a space?

Gerv
(Assignee)

Comment 4

2 years ago
(In reply to Gervase Markham [:gerv] from comment #3)
> jfkthame: have we now gone through all the suspect fonts and blacklisted
> every character which is encoded as a space?

Not really; that's rather an open-ended project. I found a bunch more in the STSong fonts (comment 2 above), but this may not be exhaustive.

There could easily be additional fonts that have such flaws, but just haven't come to anyone's attention yet. And fonts change with every new OS release... existing fonts are updated, and entirely new fonts may be shipped. In general, of course, we hope that errors are fixed in new releases rather than new ones introduced, but there are no guarantees.
(Assignee)

Comment 5

2 years ago
(In reply to Jonathan Kew (:jfkthame) from comment #2)
> Looks like this is another character where some of Apple's Chinese fonts
> (STSong / Songti) incorrectly have a blank glyph.
> 
> The same issue also applies to the extended Arabic-script characters 06EE,
> 06EF and 06FF.

And 065F.
(Assignee)

Comment 6

2 years ago
This adds all the characters mentioned above (plus a few more I found when trawling through the Songti fonts) to our blacklist.
Attachment #8903080 - Flags: review?(jmuizelaar)
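The fix described in comments 2, 5 and 6 is an exclusion list in Firefox's font code: any glyph the Songti fonts would draw blank is never taken from those fonts. The same list can be used on the defender's side to flag hostnames that would render with an invisible character. The following is an added example, not code from this bug or from Firefox, and the function names are hypothetical. It decodes IDN (xn--) labels with Python's raw punycode codec (the idna codec applies Unicode 3.2 nameprep and rejects U+0620 outright, which is exactly the label we want to inspect) and checks each decoded character against the code points named in comments 2 and 5; the "few more" mentioned in comment 6 are not listed on the page, so they are not included.

```python
# Added example (not code from the bug or from Firefox): flag hostnames whose
# IDN labels contain code points that, per comments 2 and 5 of the bug, have
# blank glyphs in Apple's STSong/Songti fonts on macOS.
import codecs

# Code points named in the bug (comments 2 and 5). Comment 6 mentions "a few
# more" found in the Songti fonts that the page does not list, so this set
# covers only the ones the bug text names.
BLANK_GLYPH_CODEPOINTS = frozenset(
    {0x0620, 0x065F, 0x06EE, 0x06EF, 0x06FF,                  # Arabic block
     0x0F6D, 0x0F6E, 0x0F6F, 0x0F70, 0x0F98, 0x0FBD, 0x0FCD}  # Tibetan block
    | set(range(0x0FD9, 0x0FFF + 1))                          # 0FD9..0FFF
)

ACE_PREFIX = "xn--"


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label.

    Uses the raw punycode codec on purpose: Python's 'idna' codec applies
    nameprep with Unicode 3.2 tables and rejects code points assigned later
    (U+0620 among them), which would discard exactly the labels to inspect.
    """
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return codecs.decode(label[len(ACE_PREFIX):].encode("ascii"), "punycode")
    except (UnicodeError, ValueError):
        # Malformed punycode: hand back the A-label so the caller still sees it.
        return label


def find_blank_glyph_chars(hostname: str):
    """List (label_index, codepoint) pairs for every blank-glyph code point
    found in the decoded labels of `hostname`."""
    hits = []
    for idx, label in enumerate(hostname.rstrip(".").split(".")):
        for ch in decode_label(label):
            if ord(ch) in BLANK_GLYPH_CODEPOINTS:
                hits.append((idx, ord(ch)))
    return hits


def is_suspicious(hostname: str) -> bool:
    """True when any label would render with a blank glyph in the affected fonts."""
    return bool(find_blank_glyph_chars(hostname))


if __name__ == "__main__":
    # Hostname taken from the URL in the bug's description; the 'xn--fgb...'
    # label decodes to a run of U+0620.
    sample = "important-domain.google.com.xn--fgbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bntk.pl"
    for idx, cp in find_blank_glyph_chars(sample):
        print(f"label {idx}: U+{cp:04X}")
    print("suspicious:", is_suspicious(sample))
```

Run against the hostname from the description, every hit lands in label 3 (the xn-- label) and is U+0620; a plain ASCII hostname such as example.com yields no hits. As comment 4 notes, any such list is only as complete as the last font audit, so treat a hit as a signal to inspect, not as the only check an IDN display policy should make.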
(Reporter)

Comment 7

2 years ago
I think this is Medium severity based on bug 1390980.
Attachment #8903080 - Flags: review?(jmuizelaar) → review+
https://hg.mozilla.org/mozilla-central/rev/a87b382c2135
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 57
I assume we'll want to backport this to Beta/ESR52 as well.
Assignee: nobody → jfkthame
Flags: needinfo?(jfkthame)
(Assignee)

Comment 11

2 years ago
Comment on attachment 8903080 [details] [diff] [review]
Blacklist more invalid characters found in Apple's fonts

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Not really a Gecko bug, this is a workaround for a buggy Apple font with spurious blank characters that might be used to obscure a spoofed URL.

User impact if declined:
Potential for URL spoofing due to invalid characters in a Chinese font on macOS

Fix Landed on Version: 57

Risk to taking this patch (and alternatives if risky): minimal

String or UUID changes made by this patch: none
Flags: needinfo?(jfkthame)
Attachment #8903080 - Flags: approval-mozilla-esr52?
Attachment #8903080 - Flags: approval-mozilla-beta?
Comment on attachment 8903080 [details] [diff] [review]
Blacklist more invalid characters found in Apple's fonts

Avoid potential for URL spoofing. Beta56+ & ESR52+.
Attachment #8903080 - Flags: approval-mozilla-esr52?
Attachment #8903080 - Flags: approval-mozilla-esr52+
Attachment #8903080 - Flags: approval-mozilla-beta?
Attachment #8903080 - Flags: approval-mozilla-beta+
Note this bug (and the similar Tibetan ones) also affect Safari, as one would expect since this is a Mac font bug.
We're going to pay a reduced bounty for this one because we've paid before, but we can't afford to be Apple's Bug Bounty program so this will have to be the last one for these bugs that 1) are due to bad Apple fonts, and 2) also affect Safari.
Flags: sec-bounty? → sec-bounty+
(Reporter)

Comment 16

2 years ago
See also https://bugs.chromium.org/p/chromium/issues/detail?id=725660 reported to Chromium.
Group: firefox-core-security → core-security-release
Whiteboard: [adv-main56+][adv-esr52.4+]
Flags: qe-verify-
Whiteboard: [adv-main56+][adv-esr52.4+] → [adv-main56+][adv-esr52.4+][post-critsmash-triage]
Alias: CVE-2017-7825
Group: core-security-release