Closed Bug 1425267 (CVE-2018-5113) Opened 6 years ago Closed 6 years ago

browser.identity.launchWebAuthFlow can open privileged pages

Categories

(WebExtensions :: General, defect)

58 Branch
defect
Not set
normal

Tracking

(firefox-esr52 unaffected, firefox59 fixed)

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- fixed

People

(Reporter: qab, Assigned: mixedpuppy)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main58+][post-critsmash-triage])

Attachments

(2 files)

Attached file google-userinfo.zip
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce:

1. Unpack attached PoC addon
2. Go to about:debugging and temporarily load the unpacked addon
3. 'about:addons' is opened in new window


Actual results:

browser.identity.launchWebAuthFlow does not check whether the passed URL is http/s only. We can open privileged about: pages as well as file: urls.


Expected results:

It should only open http/s (maybe other) URI schemes.
Shane, given bug 1305421, I guess you know about this?
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: General
Flags: needinfo?(mixedpuppy)
Product: Firefox → Toolkit
Redirecting to rpl.
Flags: needinfo?(mixedpuppy) → needinfo?(lgreco)
Redirecting back to Shane which is already looking into this.
Flags: needinfo?(lgreco) → needinfo?(mixedpuppy)
Assignee: nobody → mixedpuppy
Flags: needinfo?(mixedpuppy)
Attachment #8938122 - Flags: review?(lgreco)
Attachment #8938122 - Flags: review?(lgreco) → review+
FYI I'm not certain this is any real security concern here.  Extensions should get no more access to eg. about:addons opened this way than they would if a user opened a tab to it.  Nonetheless, it is fixed.
(In reply to Shane Caraveo (:mixedpuppy) from comment #5)
> FYI I'm not certain this is any real security concern here.  Extensions
> should get no more access to eg. about:addons opened this way than they
> would if a user opened a tab to it.  Nonetheless, it is fixed.

This bug alone is not that dangerous, like the only security issue I can think of is opening 'about:addons' as soon as a user drags a link pointing to an addon and then once its dropped it will attempt to install.

Another example is that I found an xss in one of the about: pages which alone is not exploitable due to having the victim type the url manually to open the effected about: page. But coupled with this bug the whole process is automated resulting in a sec-highISH security exploit. 

So technically this bug is a sec-moderate issue ( https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#﷒0﷓ )
The above URL should have a hash pointing to "CVE-2017-7816: WebExtensions can load about: URLs in extension UI" Not sure why it did that.
Comment on attachment 8938122 [details] [diff] [review]
fix url param schema for launchWebAuthFlow

Requesting now so this is not lost over the break.

Approval Request Comment
[Feature/Bug causing the regression]: identity api
[User impact if declined]: possible to open local urls
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: yes, see opening comment for str
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: no new code paths, just limiting api arguments via schema
[String changes made/needed]: none
Attachment #8938122 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/0c4f3b8d311e
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment on attachment 8938122 [details] [diff] [review]
fix url param schema for launchWebAuthFlow

Fix a security issue which is possible to open local urls. Beta58+.
Attachment #8938122 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [adv-main58+]
Alias: CVE-2018-5113
Flags: sec-bounty?
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
Group: toolkit-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Product: Toolkit → WebExtensions
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: