Closed Bug 1459206 (CVE-2018-12365) Opened 7 years ago Closed 7 years ago

Arbitrary file listing (content disclosure?) by compromised content process

Categories

(Core :: DOM: Content Processes, defect)

Product:
Core
Component:
DOM: Content Processes
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 61+ fixed
firefox-esr60 61+ fixed
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 + fixed
firefox62 + fixed

People

(Reporter: Alex_Gaynor, Assigned: baku)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-disclosure, csectype-sandbox-escape, sec-moderate, Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage])

Attachments

(1 file)

security.patch
1.21 KB, patch
ehsan.akhgari
: review+
RyanVM
: approval-mozilla-beta+
jcristau
: approval-mozilla-esr52+
jcristau
: approval-mozilla-esr60+
abillings
: sec-approval+
Details | Diff | Splinter Review
The GetFilesRequest IPC method on PContentParent appears to allow a compromised child to list arbitrary files: https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#5238 I haven't worked out whether this is just directory listings, or whether it can also get contents. The threat model for the sandbox should not allow a child process to access the filesystem without affirmative user consent (e.g. the UI shown by <input type=file>, drag-and-drop, etc.). I'm not super familiar with this code or how it's used, so I'd appreciate feeback.
I'd guess that Andrea is most familiar with this.
Flags: needinfo?(amarchesini)
Flags: needinfo?(amarchesini)
Attached patch security.patchSplinter Review
We have a FileSystemSecurity component that knows the list of the paths sent to content processes via D&D and FilePicker. We should use this component here as well. Ehsan, you reviewed FileSystemSecurity. Do you mind to take a look?
Assignee: nobody → amarchesini
Attachment #8973241 - Flags: review?(ehsan)
Removing sec-audit since this is confirmed. Should either be a sec-high or sec-moderate, not positive which.
Keywords: sec-audit
It's very important to have this check because here we _could_ leak file contents via DOM Blob objects.
Too late for 60 at this point.
Group: core-security → dom-core-security
status-firefox60: affectedwontfix
tracking-firefox61: --- → +
tracking-firefox-esr52: --- → 61+
tracking-firefox-esr60: --- → 61+
Comment on attachment 8973241 [details] [diff] [review] security.patch Review of attachment 8973241 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/ipc/ContentParent.cpp @@ +5240,5 @@ > const bool& aRecursiveFlag) > { > MOZ_ASSERT(!mGetFilesPendingRequests.GetWeak(aUUID)); > > + if (!mozilla::Preferences::GetBool("dom.filesystem.pathcheck.disabled", false)) { Is there a good reason why you aren't killing the child process here? I think not doing so is wrong. Please refactor this existing code into a new method on ContentParent, like DoFileSystemSecurityChecks(), and just call that method here.
Attachment #8973241 - Flags: review?(ehsan) → review-
We are killing the content process: returning IPC_FAIL_NO_REASON(this) means killing the content process as far as I know.
Flags: needinfo?(ehsan)
Note that in FileSystemRequest actor, we kill the content process on the main-thread, but the IPC protocol runs on PBackground: https://searchfox.org/mozilla-central/source/dom/filesystem/FileSystemRequestParent.cpp#111-113
Yes, returning IPC_FAIL_NO_REASON(this) will kill the content process (an is friendlier to the fuzzer than just caling KillHard directly :-))
Comment on attachment 8973241 [details] [diff] [review] security.patch Consider this patch again. Read the latest comments.
Attachment #8973241 - Flags: review- → review?(ehsan)
Comment on attachment 8973241 [details] [diff] [review] security.patch Review of attachment 8973241 [details] [diff] [review]: ----------------------------------------------------------------- OK, this makes sense given your comments. Thanks!
Attachment #8973241 - Flags: review?(ehsan) → review+
Flags: needinfo?(ehsan)
Comment on attachment 8973241 [details] [diff] [review] security.patch [Security approval request comment] How easily could an exploit be constructed based on the patch? None. But if the content process is hacked, it will be able to retrieve the list of files, from a particular directory, as DOM Blob objects. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? All. This method code is needed for webkitdirectory attribute. Bug 1265767. If not all supported branches, which bug introduced the flaw? Bug 1265767. How likely is this patch to cause regressions; how much testing does it need? None.
Attachment #8973241 - Flags: sec-approval?
sec-approval+ for trunk. We'll want Beta and ESR patches for both of those branches made and nominated too.
status-firefox62: --- → affected
tracking-firefox62: --- → +
Attachment #8973241 - Flags: sec-approval? → sec-approval+
Comment on attachment 8973241 [details] [diff] [review] security.patch Approval Request Comment [Feature/Bug causing the regression]: webkitdirectory attribute [User impact if declined]: if the content process is hacked, it can retrieve the list of files of a directory using this IPC method. [Is this code covered by automated tests?]: n/a [Has the fix been verified in Nightly?]: n/a [Needs manual test from QE? If yes, steps to reproduce]: n/a [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: Similar approach is used in Entries API [String changes made/needed]: none
Attachment #8973241 - Flags: approval-mozilla-esr60?
Attachment #8973241 - Flags: approval-mozilla-esr52?
Attachment #8973241 - Flags: approval-mozilla-beta?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #15) > This was pushed to inbound: > https://hg.mozilla.org/integration/mozilla-inbound/rev/05ad0f66aa8f Whoops, that one got backed out for mochitest issues. It then re-landed as: https://hg.mozilla.org/integration/mozilla-inbound/rev/a3ebab26f0d9
Comment on attachment 8973241 [details] [diff] [review] security.patch Fixes a sec-high, approved for 61.0b4. We'll revisit the ESR requests later in the cycle.
Attachment #8973241 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/a3ebab26f0d9
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox62: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment on attachment 8973241 [details] [diff] [review] security.patch sec-high fix for 52.9esr and 60.1esr
Attachment #8973241 - Flags: approval-mozilla-esr60?
Attachment #8973241 - Flags: approval-mozilla-esr60+
Attachment #8973241 - Flags: approval-mozilla-esr52?
Attachment #8973241 - Flags: approval-mozilla-esr52+
Blocks: libfuzzer-ipc
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+]
sec-moderate seems more appropriate: a list of files is not as severe as reading the actual content or a sandbox escape that we call sec-high.
Keywords: sec-highsec-moderate
Flags: qe-verify-
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+] → [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage]
Alias: CVE-2018-12365
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: