Closed
Bug 1459206
(CVE-2018-12365)
Opened 7 years ago
Closed 7 years ago
Arbitrary file listing (content disclosure?) by compromised content process
Categories
(Core :: DOM: Content Processes, defect)
Core
DOM: Content Processes
Tracking
()
People
(Reporter: Alex_Gaynor, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-disclosure, csectype-sandbox-escape, sec-moderate, Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage])
Attachments
(1 file)
1.21 KB,
patch
|
ehsan.akhgari
:
review+
RyanVM
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-esr52+
jcristau
:
approval-mozilla-esr60+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The GetFilesRequest IPC method on PContentParent appears to allow a compromised child to list arbitrary files: https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#5238
I haven't worked out whether this is just directory listings, or whether it can also get contents.
The threat model for the sandbox should not allow a child process to access the filesystem without affirmative user consent (e.g. the UI shown by <input type=file>, drag-and-drop, etc.).
I'm not super familiar with this code or how it's used, so I'd appreciate feeback.
Comment 1•7 years ago
|
||
I'd guess that Andrea is most familiar with this.
Flags: needinfo?(amarchesini)
Assignee | ||
Updated•7 years ago
|
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 2•7 years ago
|
||
We have a FileSystemSecurity component that knows the list of the paths sent to content processes via D&D and FilePicker. We should use this component here as well.
Ehsan, you reviewed FileSystemSecurity. Do you mind to take a look?
Assignee: nobody → amarchesini
Attachment #8973241 -
Flags: review?(ehsan)
Reporter | ||
Comment 3•7 years ago
|
||
Removing sec-audit since this is confirmed. Should either be a sec-high or sec-moderate, not positive which.
Keywords: sec-audit
Assignee | ||
Comment 4•7 years ago
|
||
It's very important to have this check because here we _could_ leak file contents via DOM Blob objects.
Updated•7 years ago
|
Keywords: csectype-disclosure,
sec-high
Updated•7 years ago
|
status-firefox59:
--- → wontfix
status-firefox60:
--- → affected
status-firefox-esr52:
--- → affected
status-firefox-esr60:
--- → affected
Comment 5•7 years ago
|
||
Too late for 60 at this point.
Group: core-security → dom-core-security
tracking-firefox61:
--- → +
tracking-firefox-esr52:
--- → 61+
tracking-firefox-esr60:
--- → 61+
Comment 6•7 years ago
|
||
Comment on attachment 8973241 [details] [diff] [review]
security.patch
Review of attachment 8973241 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/ipc/ContentParent.cpp
@@ +5240,5 @@
> const bool& aRecursiveFlag)
> {
> MOZ_ASSERT(!mGetFilesPendingRequests.GetWeak(aUUID));
>
> + if (!mozilla::Preferences::GetBool("dom.filesystem.pathcheck.disabled", false)) {
Is there a good reason why you aren't killing the child process here?
I think not doing so is wrong.
Please refactor this existing code into a new method on ContentParent, like DoFileSystemSecurityChecks(), and just call that method here.
Attachment #8973241 -
Flags: review?(ehsan) → review-
Assignee | ||
Comment 7•7 years ago
|
||
We are killing the content process: returning IPC_FAIL_NO_REASON(this) means killing the content process as far as I know.
Flags: needinfo?(ehsan)
Assignee | ||
Comment 8•7 years ago
|
||
Note that in FileSystemRequest actor, we kill the content process on the main-thread, but the IPC protocol runs on PBackground:
https://searchfox.org/mozilla-central/source/dom/filesystem/FileSystemRequestParent.cpp#111-113
Reporter | ||
Comment 9•7 years ago
|
||
Yes, returning IPC_FAIL_NO_REASON(this) will kill the content process (an is friendlier to the fuzzer than just caling KillHard directly :-))
Assignee | ||
Comment 10•7 years ago
|
||
Comment on attachment 8973241 [details] [diff] [review]
security.patch
Consider this patch again. Read the latest comments.
Attachment #8973241 -
Flags: review- → review?(ehsan)
Comment 11•7 years ago
|
||
Comment on attachment 8973241 [details] [diff] [review]
security.patch
Review of attachment 8973241 [details] [diff] [review]:
-----------------------------------------------------------------
OK, this makes sense given your comments. Thanks!
Attachment #8973241 -
Flags: review?(ehsan) → review+
Updated•7 years ago
|
Flags: needinfo?(ehsan)
Assignee | ||
Comment 12•7 years ago
|
||
Comment on attachment 8973241 [details] [diff] [review]
security.patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
None. But if the content process is hacked, it will be able to retrieve the list of files, from a particular directory, as DOM Blob objects.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
All. This method code is needed for webkitdirectory attribute. Bug 1265767.
If not all supported branches, which bug introduced the flaw?
Bug 1265767.
How likely is this patch to cause regressions; how much testing does it need?
None.
Attachment #8973241 -
Flags: sec-approval?
Comment 13•7 years ago
|
||
sec-approval+ for trunk.
We'll want Beta and ESR patches for both of those branches made and nominated too.
status-firefox62:
--- → affected
tracking-firefox62:
--- → +
Updated•7 years ago
|
Attachment #8973241 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 14•7 years ago
|
||
Comment on attachment 8973241 [details] [diff] [review]
security.patch
Approval Request Comment
[Feature/Bug causing the regression]: webkitdirectory attribute
[User impact if declined]: if the content process is hacked, it can retrieve the list of files of a directory using this IPC method.
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: n/a
[Needs manual test from QE? If yes, steps to reproduce]: n/a
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: Similar approach is used in Entries API
[String changes made/needed]: none
Attachment #8973241 -
Flags: approval-mozilla-esr60?
Attachment #8973241 -
Flags: approval-mozilla-esr52?
Attachment #8973241 -
Flags: approval-mozilla-beta?
Comment hidden (obsolete) |
Comment 16•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #15)
> This was pushed to inbound:
> https://hg.mozilla.org/integration/mozilla-inbound/rev/05ad0f66aa8f
Whoops, that one got backed out for mochitest issues. It then re-landed as:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a3ebab26f0d9
Comment 17•7 years ago
|
||
Comment on attachment 8973241 [details] [diff] [review]
security.patch
Fixes a sec-high, approved for 61.0b4. We'll revisit the ESR requests later in the cycle.
Attachment #8973241 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 18•7 years ago
|
||
uplift |
Group: dom-core-security → core-security-release
Comment 19•7 years ago
|
||
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment 20•7 years ago
|
||
Comment on attachment 8973241 [details] [diff] [review]
security.patch
sec-high fix for 52.9esr and 60.1esr
Attachment #8973241 -
Flags: approval-mozilla-esr60?
Attachment #8973241 -
Flags: approval-mozilla-esr60+
Attachment #8973241 -
Flags: approval-mozilla-esr52?
Attachment #8973241 -
Flags: approval-mozilla-esr52+
Reporter | ||
Updated•7 years ago
|
Blocks: libfuzzer-ipc
Comment 21•7 years ago
|
||
uplift |
Comment 22•7 years ago
|
||
uplift |
Comment 23•7 years ago
|
||
uplift |
Updated•7 years ago
|
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+]
Comment 24•7 years ago
|
||
sec-moderate seems more appropriate: a list of files is not as severe as reading the actual content or a sandbox escape that we call sec-high.
Keywords: sec-high → sec-moderate
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+] → [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage]
Updated•7 years ago
|
Alias: CVE-2018-12365
Updated•6 years ago
|
Group: core-security-release
Updated•3 years ago
|
Keywords: csectype-sandbox-escape
You need to log in
before you can comment on or make changes to this bug.
Description
•