1437325 - (CVE-2018-5166) Web extension - Web Request host permission bypass using filterReponseData

Status: VERIFIED FIXED

(WebExtensions :: Request Handling, defect, P2)

Description

[FLR]

Attachment: WebRequestHostBypass.zip

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180206200532

Steps to reproduce:

By leveraging the request redirection and filterReponseData, one can bypass the host permission to access content returned by an arbitrary host.


Actual results:

The attachment is a POC extension that have the webRequest, webRequestBlocking and http://localhost permission that upon loading will :
1- Open a new tabs to http://localhost
2- Redirect the request toward https://bugzilla.mozilla.org/user_profile
3- Output the content of https://bugzilla.mozilla.org/user_profile in the console
4- Close the tab


Expected results:

filterResponseData should be allowed only if the extension has the host permission for the fetched resource.

Comment 1

[:Gijs (he/him)]

Moving over to webextensions.

Comment 2

[Shane Caraveo (:mixedpuppy)]

The issue here is that StreamFilter is not disconnected upon a redirect.  

The filter remains connected and receives data on the redirected channel.  In a poorly written extension, this could result in multiple filters receiving the data.  A short test I did, based on the attached extension, initiated a tab to http://allizom.org, which redirected -> https://allizom.org -> https://bugzilla.mozilla.org and I received 3 dumps of the page content for bugzilla.  Note that for that to happen I changed to all_urls.

I'm really not certain of the sec severity here, if I were after the page content of a site I'd just request all_urls to begin with since I wouldn't have to depend on a bug and IMO that permission would likely bypass user scrutiny.

Comment 3

[Shane Caraveo (:mixedpuppy)]

Kris, have any thoughts on a direction for a fix in StreamFilter?

Comment 4

[Shane Caraveo (:mixedpuppy)]

Given my thoughts on the severity (comment 2) I'm only putting this at p2.

Comment 5

[Daniel Veditz [:dveditz]]

For CSP we had to hook redirects and re-evaluate the policy permissions at each redirect. I think your filter will have to do the same and kill the stream when you bounce to an unallowed host.

Comment 6

[Shane Caraveo (:mixedpuppy)]

I'm inclined towards always disconnecting StreamFilter on a redirect.

Comment 7

[Kris Maglione [:kmag]]

This will be fixed by bug 1444539.

Comment 8

[Kris Maglione [:kmag]]

Marius, can you please confirm that bug 1444539 fixes this issue as described in comment 0? Please do not comment in that bug about its relationship to this one.

Thanks

Comment 9

[marius.santa]

Attachment: host permision.gif

I was unable to reproduce the bug on Firefox 60.0a1 (20180210220139).
I have attached the results I get when testing on the latest nightly Firefox 61.0a1 (20180313100127).
I just loaded the extension temporary and looked in the console for the output, tried this while logged in and out from https://bugzilla.mozilla.org.

Comment 10

[Kris Maglione [:kmag]]

Thanks.