Closed
Bug 1437325
(CVE-2018-5166)
Opened 7 years ago
Closed 7 years ago
Web extension - Web Request host permission bypass using filterResponseData
Categories
(WebExtensions :: Request Handling, defect, P2)
Tracking
(firefox-esr52 wontfix, firefox58 wontfix, firefox59 wontfix, firefox60 fixed)
VERIFIED
FIXED
mozilla60
People
(Reporter: francois.lajeunesse.robert, Assigned: kmag)
Details
(Keywords: sec-moderate, Whiteboard: [adv-main60+])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180206200532
Steps to reproduce:
By leveraging the request redirection and filterResponseData, one can bypass the host permission to access content returned by an arbitrary host.
Actual results:
The attachment is a POC extension that has the webRequest, webRequestBlocking and http://localhost permissions and that upon loading will:
1- Open a new tab to http://localhost
2- Redirect the request toward https://bugzilla.mozilla.org/user_profile
3- Output the content of https://bugzilla.mozilla.org/user_profile in the console
4- Close the tab
Expected results:
filterResponseData should be allowed only if the extension has the host permission for the fetched resource.
Comment 1•7 years ago
Moving over to webextensions.
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: Request Handling
Flags: needinfo?(ddurst)
Product: Firefox → Toolkit
Updated•7 years ago
Assignee: nobody → mixedpuppy
Updated•7 years ago
Status: UNCONFIRMED → NEW
status-firefox58: --- → affected
status-firefox59: --- → affected
status-firefox60: --- → affected
Ever confirmed: true
Comment 2•7 years ago
The issue here is that StreamFilter is not disconnected upon a redirect.
The filter remains connected and receives data on the redirected channel. In a poorly written extension, this could result in multiple filters receiving the data. A short test I did, based on the attached extension, initiated a tab to http://allizom.org, which redirected -> https://allizom.org -> https://bugzilla.mozilla.org and I received 3 dumps of the page content for bugzilla. Note that for that to happen I changed to all_urls.
I'm really not certain of the sec severity here, if I were after the page content of a site I'd just request all_urls to begin with since I wouldn't have to depend on a bug and IMO that permission would likely bypass user scrutiny.
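The following is an added example, not the PoC attachment on this bug nor Firefox's StreamFilter code. It models the interaction described in comment 0 (a filter attached on a permitted http://localhost request keeps receiving data after the request is redirected to https://bugzilla.mozilla.org) and the observation in comment 2 (with all_urls and a two-redirect chain, the final page body is delivered three times). The redirect chain, the host permissions and the three policies ("vulnerable": filters stay attached across redirects; "disconnect": drop every filter on redirect, as proposed in comment 6; "recheck": re-evaluate the host permission at each hop, as comment 5 suggests) are constructed for the illustration, and the match-pattern check only handles `<all_urls>` and `scheme://host/*` patterns.

```javascript
// Added example: a model of webRequest redirects vs. filterResponseData.
// Not Firefox code; the chain/permission inputs below are constructed.

// Simplified WebExtension host-permission check (assumption: only
// "<all_urls>" and "<scheme>://<host>/*" shapes are supported here).
function hostPermitted(permissions, url) {
  const u = new URL(url);
  return permissions.some((p) => {
    if (p === "<all_urls>") return true;
    const m = /^(\*|[a-z]+):\/\/([^/]+)\/\*$/.exec(p);
    if (!m) return false;
    const [, scheme, host] = m;
    const schemeOk =
      scheme === "*"
        ? u.protocol === "http:" || u.protocol === "https:"
        : u.protocol === scheme + ":";
    const hostOk =
      host === "*" ||
      host === u.hostname ||
      (host.startsWith("*.") && u.hostname.endsWith(host.slice(1)));
    return schemeOk && hostOk;
  });
}

// Simulate one navigation that follows `chain` (first element is the URL
// the tab was opened to, each later element a redirect target). At every
// hop, onBeforeRequest is dispatched to the extension only if it has host
// permission for that hop's URL; the extension then attaches a filter with
// filterResponseData, as the PoC does. After the last hop, the final body
// is handed to every filter still connected. `policy` selects what happens
// to already-attached filters when the channel is redirected.
function simulateNavigation(permissions, chain, policy) {
  const filters = []; // filters currently connected to the channel
  chain.forEach((url, hop) => {
    if (hop > 0) {
      if (policy === "disconnect") {
        // Fix direction from comment 6: any redirect kills the filter.
        filters.length = 0;
      } else if (policy === "recheck") {
        // Comment 5 style: keep filters only if the new host is permitted.
        if (!hostPermitted(permissions, url)) filters.length = 0;
      }
      // "vulnerable": filters are left attached regardless of the new host.
    }
    if (hostPermitted(permissions, url)) filters.push({ attachedAt: url });
  });
  const finalUrl = chain[chain.length - 1];
  return {
    finalUrl,
    deliveries: filters.length, // times the extension receives the final body
    attachedAt: filters.map((f) => f.attachedAt),
    leaked: filters.length > 0 && !hostPermitted(permissions, finalUrl),
  };
}

// Constructed scenario from comment 0: localhost permission only.
const POC_PERMS = ["http://localhost/*"];
const POC_CHAIN = ["http://localhost/", "https://bugzilla.mozilla.org/user_profile"];

// Constructed scenario from comment 2: <all_urls> and two redirects.
const ALL_PERMS = ["<all_urls>"];
const ALL_CHAIN = ["http://allizom.org/", "https://allizom.org/", "https://bugzilla.mozilla.org/"];

function runScenarios() {
  const out = {};
  for (const policy of ["vulnerable", "disconnect", "recheck"]) {
    out[policy] = {
      poc: simulateNavigation(POC_PERMS, POC_CHAIN, policy),
      allUrls: simulateNavigation(ALL_PERMS, ALL_CHAIN, policy),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenarios(), null, 2));
}
```

Under the vulnerable policy the localhost-only extension receives the bugzilla.mozilla.org body once (the bypass in comment 0) and the all_urls extension receives the final body three times (comment 2); disconnecting on redirect removes the leak and also collapses the triple delivery to a single filter attached at the final hop, whereas per-hop rechecking removes the leak but still leaves three filters connected when every host is permitted.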
Comment 3•7 years ago
Kris, have any thoughts on a direction for a fix in StreamFilter?
Flags: needinfo?(kmaglione+bmo)
Updated•7 years ago
Flags: needinfo?(ddurst)
Comment 4•7 years ago
Given my thoughts on the severity (comment 2) I'm only putting this at p2.
Priority: -- → P2
Comment 5•7 years ago
For CSP we had to hook redirects and re-evaluate the policy permissions at each redirect. I think your filter will have to do the same and kill the stream when you bounce to an unallowed host.
Keywords: sec-moderate
Comment 6•7 years ago
I'm inclined towards always disconnecting StreamFilter on a redirect.
Comment 8 (Assignee)•7 years ago
Marius, can you please confirm that bug 1444539 fixes this issue as described in comment 0? Please do not comment in that bug about its relationship to this one.
Thanks
Flags: needinfo?(marius.santa)
Comment 9•7 years ago
I was unable to reproduce the bug on Firefox 60.0a1 (20180210220139).
I have attached the results I get when testing on the latest nightly Firefox 61.0a1 (20180313100127).
I just loaded the extension temporarily and looked in the console for the output, tried this while logged in and out from https://bugzilla.mozilla.org.
Flags: needinfo?(marius.santa)
Updated•7 years ago
Assignee: mixedpuppy → kmaglione+bmo
Comment 10 (Assignee)•7 years ago
Thanks.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated (Assignee)•7 years ago
Status: RESOLVED → VERIFIED
Updated•7 years ago
status-firefox-esr52: --- → wontfix
Target Milestone: --- → mozilla60
Updated•7 years ago
Group: toolkit-core-security → core-security-release
Updated•7 years ago
Whiteboard: [adv-main60+]
Updated•7 years ago
Alias: CVE-2018-5166
Updated•7 years ago
Product: Toolkit → WebExtensions
Updated•6 years ago
Group: core-security-release