Closed Bug 1468217 (CVE-2018-12368) Opened 4 years ago Closed 4 years ago

.SettingContent-ms file extension bypasses 'dangerous file' prompt leading to WebExt RCE

Categories

(WebExtensions :: Untriaged, defect)

61 Branch
defect
Not set
normal

Tracking

(firefox-esr5261+ verified, firefox-esr6061+ verified, firefox60 wontfix, firefox61+ verified, firefox62+ verified)

VERIFIED FIXED
mozilla62
Tracking Status
firefox-esr52 61+ verified
firefox-esr60 61+ verified
firefox60 --- wontfix
firefox61 + verified
firefox62 + verified

People

(Reporter: qab, Assigned: Paolo)

References

(Depends on 1 open bug)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage])

Attachments

(5 files)

Attached file download.openRCE.zip
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36

Steps to reproduce:

Download attached SettingContent-ms file, or install attached extension for RCE.


Actual results:

SettingContent-ms is a new windows 10 extension that can be used to execute arbitrary local files with parameters.


Expected results:

Treat it as executable.

I am CCing Matt Nelson who originally found this file, I simply connected the dots with the browser RCE potential. 

He wrote about this file in public https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

Web Extension RCE part is not mentioned.
Attached file test.SettingContent-ms
Bob, do you have any idea what we should do with this? It looks like it could be kind of Windows platform integration-y.
Flags: needinfo?(bobowencode)
FWIW, this was reported to MSRC and they responded that the severity of the issue is below the bar for servicing and that the case will be closed.

Cheers,
Matt N.
I should be more clear, the "this" in the above comment was the .SettingContent-ms file format. The MS disclosure timeline is at the bottom of this post: https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39


Cheers,
Matt N.
Would also like to highlight an important part of the article Matt wrote (in case you didn't read it, worth a read tho!)  - The mark of web is created for the file once downloaded with healthy content, but for some reason windows does not show any warning before executing. So this is a clean RCE requiring a single user click. (after installing malicious extension ofc)
The extension is calling browser.downloads.open, at which point the OS is up to protect you against arbitrary RCE. Microsoft is apparently considering this issue too low severity to fix. Now, we could either follow them and WONTFIX or we say that we consider this severe enough to add a blacklist of sorts to prevent opening this filetype via the downloads API.

In any case it seems to me like that decision should be made at the WebExtensions API level, so moving this to WebExtensions for now...
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: Untriaged
Product: Firefox → Toolkit
(In reply to Johann Hofmann [:johannh] from comment #6)
> The extension is calling browser.downloads.open, at which point the OS is up
> to protect you against arbitrary RCE. Microsoft is apparently considering
> this issue too low severity to fix. Now, we could either follow them and
> WONTFIX or we say that we consider this severe enough to add a blacklist of
> sorts to prevent opening this filetype via the downloads API.

I thought we had a similar blacklist to what Windows does in terms of which files are executable, e.g. the stuff in $PATHEXT or whatever the env var is? I would expect us to warn for calling downloads.open() on this filetype in the same way as when a user clicks a download that would pop up the 'this file is executable, are you sure you want to run it' warning.

:paolo might know more about this too, but he's not accepting needinfo requests...
+ni to keep this on Paolo's radar. :-)
Flags: needinfo?(paolo.mozmail)
I don't know too much about how we interact with this sort of thing I'm afraid.
Flags: needinfo?(bobowencode)
Attached patch The patchSplinter Review
Adding "SettingContent-ms" to the list of executable file extensions solves the issue of the missing warning, both when opening from the Downloads Panel and from extension code.

In fact, we had other cases where Windows didn't warn before executing some file types even when they had the zone information, hence we now display our own warning dialog for every executable extension except "exe", even if it may be redundant.

The patch is straightforward and the general issue is public, so I've just stated what it does in the commit message, without any details on the steps to reproduce.

I already tested this with a local build that I ran on Windows 10. I believe it should be quite safe to land the patch in all branches, even at RC stage, so it may be already available to users in the release next week.
Assignee: nobody → paolo.mozmail
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(paolo.mozmail)
Attachment #8985901 - Flags: review?(gijskruitbosch+bugs)
Comment on attachment 8985901 [details] [diff] [review]
The patch

Since this patch is quite straightforward, I'm already requesting the uplift flags so we can get this on the Release Management radar sooner. As mentioned in the previous comment, I think this is quite safe to land on all branches.

Let us know if you'd like us to land this on mozilla-central first, or just have the sheriffs land everywhere at the same time.

Approval Request Comment
[Feature/Bug causing the regression]: Recently announced security issue
[User impact if declined]: Code execution on the local machine without warning if an extension creates a file with a "SettingContent-ms" extension
[Is this code covered by automated tests?]: Not automatically testable, it effectively patches a Windows issue with a missing warning even if the file is correctly marked as having a remote source
[Has the fix been verified in Nightly?]: Yes, but only on one local build
[Needs manual test from QE? If yes, steps to reproduce]: Yes, using the proof of concept attached to this bug
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: Very low risk
[Why is the change risky/not risky?]: This only affects the download and file opening code path, and we don't actually use this file extension for anything in the source tree anyways.
[String changes made/needed]: None
[If this is not a sec:{high,crit} bug, please state case for ESR consideration]: Improves security from code execution on the local machine with minimal risk.
Attachment #8985901 - Flags: approval-mozilla-esr60?
Attachment #8985901 - Flags: approval-mozilla-esr52?
Attachment #8985901 - Flags: approval-mozilla-beta?
Comment on attachment 8985901 [details] [diff] [review]
The patch

Review of attachment 8985901 [details] [diff] [review]:
-----------------------------------------------------------------

rs=me.

For a separate follow-up: Is there no Windows API we can use here that would avoid forever playing catch-up with whatever Windows decides are executable files?
Attachment #8985901 - Flags: review?(gijskruitbosch+bugs) → review+
This needs to get sec-approval first (or at least be assessed a sec rating of moderate or lower) before it can land. Also, we're about to build the RC of Fx61, so I'm a bit iffy about taking this at this point in the cycle.
(In reply to :Gijs (he/him) from comment #12)
> Comment on attachment 8985901 [details] [diff] [review]
> The patch
> 
> Review of attachment 8985901 [details] [diff] [review]:
> -----------------------------------------------------------------
> For a separate follow-up: Is there no Windows API we can use here that would
> avoid forever playing catch-up with whatever Windows decides are executable
> files?

Looks like AssocIsDangerous is what Explorer itself uses. Ironically it doesn't appear to pick up ".settingcontent-ms" when testing on my machine.
https://msdn.microsoft.com/en-us/library/windows/desktop/bb773465(v=vs.85).aspx
Dan/Al, can you rate this?

As filed, the webextensions side of things is limited to sec-moderate anyway, so then it wouldn't need sec-approval.

I don't think the "manual" download + open side of things is severe enough to be sec-high/sec-crit, but even if it is, given the time in the cycle we're at and the safety of the patch (1 entry addition to a list of file extensions), I think we should just land this on all branches in time for shipping 61.

(In reply to Ryan VanderMeulen [:RyanVM] from comment #13)
> This needs to get sec-approval first (or at least be assessed a sec rating
> of moderate or lower) before it can land. Also, we're about to build the RC
> of Fx61, so I'm a bit iffy about taking this at this point in the cycle.

So, to be really clear, I think this is about as safe a C++ patch as we're likely to see, and we should take it.
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
This looks like a sec-moderate to me, for the reasons stated in comment 15.
Flags: needinfo?(abillings)
Keywords: sec-moderate
Comment on attachment 8985901 [details] [diff] [review]
The patch

I'm building the Fx61 RC build today, so this needs to land on inbound ASAP to have any chance of being included.
Flags: needinfo?(dveditz)
Attachment #8985901 - Flags: approval-mozilla-beta? → approval-mozilla-release?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #17)
> Comment on attachment 8985901 [details] [diff] [review]
> The patch
> 
> I'm building the Fx61 RC build today, so this needs to land on inbound ASAP
> to have any chance of being included.

Your wish etc.

https://hg.mozilla.org/integration/mozilla-inbound/rev/ca7b77362ad3f1740eb866e3435cd3acddfe3ce9
Thanks Gijs for landing this sooner, I was traveling today.

(In reply to Aaron Klotz [:aklotz] from comment #14)
> Looks like AssocIsDangerous is what Explorer itself uses. Ironically it
> doesn't appear to pick up ".settingcontent-ms" when testing on my machine.

This may be the reason why Windows Explorer does not warn about the file, as the documentation mentions that "ShellExecuteEx uses AssocIsDangerous to trigger zone checking".

Ideally we would have a way to serve additional entries in this list remotely using one of the already available mechanisms, or at least have the list defined in JavaScript so we could use a hotfix if necessary. We can also supplement the list using AssocIsDangerous, but it wouldn't handle cases like this bug.

While we're thinking about possible improvements, one thing I noticed is that the warning can be disabled globally and permanently using the checkbox. I think this ability should be removed, because it applies to every file type, not just the individual file being opened, and also applies to actions triggered by browser extensions. This is unclear from the current user interface, and there is no way to undo this action save from editing "about:config".
Flags: needinfo?(paolo.mozmail)
(In reply to :Paolo Amadini from comment #19)
> Thanks Gijs for landing this sooner, I was traveling today.
> 
> (In reply to Aaron Klotz [:aklotz] from comment #14)
> > Looks like AssocIsDangerous is what Explorer itself uses. Ironically it
> > doesn't appear to pick up ".settingcontent-ms" when testing on my machine.
> 
> This may be the reason why Windows Explorer does not warn about the file, as
> the documentation mentions that "ShellExecuteEx uses AssocIsDangerous to
> trigger zone checking".
> 
> Ideally we would have a way to serve additional entries in this list
> remotely using one of the already available mechanisms, or at least have the
> list defined in JavaScript so we could use a hotfix if necessary. We can
> also supplement the list using AssocIsDangerous, but it wouldn't handle
> cases like this bug.
> 
> While we're thinking about possible improvements, one thing I noticed is
> that the warning can be disabled globally and permanently using the
> checkbox. I think this ability should be removed, because it applies to
> every file type, not just the individual file being opened, and also applies
> to actions triggered by browser extensions. This is unclear from the current
> user interface, and there is no way to undo this action save from editing
> "about:config".

Can you file bugs for these follow-ups? I think we should at least split off the webextensions usage from the 'normal' usage of the pref (ie prompt for the webext case even if the user turns off the prompt generally).
Yes, I planned to do this next week after the release.

For the checkbox, I can consider replacing it with two separate "about:config" settings, but if there is no way to undo the choice from "about:preferences" then I don't think we should have the checkbox in the first place. The equivalent Windows warnings can also only be disabled globally from the registry. We can also ask the UX team for an opinion on this. We should also not reuse the existing "about:config" setting just in case users disabled the warning accidentally, possibly years in the past.
Comment on attachment 8985901 [details] [diff] [review]
The patch

Safe fix for a Windows sec issue. Approved for 61.0rc1, ESR 60.1, and ESR 52.9.
Attachment #8985901 - Flags: approval-mozilla-release?
Attachment #8985901 - Flags: approval-mozilla-release+
Attachment #8985901 - Flags: approval-mozilla-esr60?
Attachment #8985901 - Flags: approval-mozilla-esr60+
Attachment #8985901 - Flags: approval-mozilla-esr52?
Attachment #8985901 - Flags: approval-mozilla-esr52+
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+]
https://hg.mozilla.org/mozilla-central/rev/ca7b77362ad3
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+] → [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage]
Attached file screenshots.zip
I've tested the issue on:
Firefox 61.0 (20180618212916)
Firefox 60.0.3esr (20180618213404)
Firefox 52.8.2 (20180618215607) - Still reproducible

The extension scenarios works as shown in (open file notification.gif)the gif attached, and the warning is displayed but the second scenario with downloading the file does not trigger any warning as you can see in (download 1.gif).
Please provide alternative steps or a new file to test both scenarios and validate this issue.
Issue is still reproducible in both scenarios on Firefox 52.8.2 (20180618215607), no warning is displayed for the user when opening the file from the browser.
Flags: needinfo?(paolo.mozmail)
If you guys need a truly hosted PoC, I have one up here: https://nofile.io/f/ctDCYhkUnob/ControlPanel.settingcontent-ms

Just click "download". Not sure if the format is pulled differently linked vs attached here. 

Cheers,
Matt N.
Thanks Matt for the link!

(In reply to marius.santa from comment #25)
> The extension scenarios works as shown in (open file notification.gif)the
> gif attached, and the warning is displayed but the second scenario with
> downloading the file does not trigger any warning as you can see in
> (download 1.gif).

In your case, the file was downloaded with a ".xml" extension, which depends on the content type of the attachment, which is "application/xml". Whether the extension is added or not may depend on the local configuration, but when it's added, there is no security issue because the file will not be executed by Windows.

The link Matt provided may solve this issue. If this doesn't you may have to set up a local HTTP server, which is what I did for testing.

> Issue is still reproducible in both scenarios on Firefox 52.8.2
> (20180618215607), no warning is displayed for the user when opening the file
> from the browser.

This can be an issue with the build being tested not having the patch, the preference to disable the warning being accidentally enabled in the profile, or the WebExtensions API not going through the same code path as the newer versions.

If you can test the Downloads Panel flow there, this will tell us if we are in the latter scenario.
Flags: needinfo?(paolo.mozmail)
Flags: needinfo?(marius.santa)
Summary: SettingContent-ms extension bypasses 'dangerous file' prompt leading to WebExt RCE → .SettingContent-ms file extension bypasses 'dangerous file' prompt leading to WebExt RCE
Product: Toolkit → WebExtensions
Attached file screenshots 2.zip
Retested and verified on Windows 10 64Bit:
Firefox 60.1.0esr| (20180619173714)
Firefox 61.0 (20180618212916)
Screenshot for working scenarios is attached.

Issue is still reproducible on:
Firefox 52.9.0 (20180619102821).
Screenshot reproducing the bug is attached.
The same profile was used to test on 52est and the other builds, so this is not a profile related issue.
Flags: needinfo?(marius.santa)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We typically don't reopen bugs for branch-specific verification issues. Setting the status back to affected and NI the assignee is a better way :). Also, was this verified on Nightly?
Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
Flags: needinfo?(paolo.mozmail)
Resolution: --- → FIXED
(In reply to marius.santa from comment #25)
> Firefox 52.8.2 (20180618215607) - Still reproducible
> Firefox 52.9.0 (20180619102821).

I don't know how to go from the build date to the exact changeset from which it was built, so we can verify that the revision from comment 23 is actually included. Ryan, can you help here? This is the first thing that I would check, since the verification fails on both the Downloads Panel flow and the extension flow, which is strange.
Flags: needinfo?(paolo.mozmail) → needinfo?(ryanvm)
The 52.9.0 build would definitely have this patch. It landed before the version was bumped.
Flags: needinfo?(ryanvm)
Ah, so what we miss in Firefox 52 is bug 1369771, which only landed in 55. I'm not sure this is upliftable at this point in the cycle though, especially given the rating of sec-moderate. Opinions?
Flags: needinfo?(ryanvm)
Flags: needinfo?(dveditz)
(In reply to :Gijs (he/him) from comment #12)
> Is there no Windows API we can use here that would avoid forever playing
> catch-up with whatever Windows decides are executable files?

Apparently not since the blog post was about getting Microsoft's star application to open these files, because it's not on the list they use either.

(In reply to :Paolo Amadini from comment #32)
> Ah, so what we miss in Firefox 52 is bug 1369771, which only landed in 55.
> I'm not sure this is upliftable at this point in the cycle though,
> especially given the rating of sec-moderate. Opinions?

bug 1369771 looks like it would land pretty cleanly so I could support taking it. ESR-52 doesn't have WebExtensions, but without bug 1369771 the problem is arguably worse.
Depends on: 1369771
Flags: needinfo?(dveditz)
We may have ESR 52.9 candidate builds already though.
Alias: CVE-2018-12368
Regarding AssocIsDangerous, it’s a good API to use. I’m reaching out to MS to see if they will consider adding this file format, but if they do, it will probably only be in new Windows 10 builds.

Thanks for the quick response to this!!
Flags: needinfo?(ryanvm)
Retested and verified in Windows 10 64Bit on Firefox 62.0a1 (20180621100048).
I'm assuming the change to 52 status in comment 37 was not intentional.
Retested and verified in Windows 10 64Bit on Firefox 52.9.0 (20180621064021).
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Status: RESOLVED → VERIFIED
Flags: qe-verify+
This is now described in the release notes, so I'll go ahead and file the dependent bugs.
Depends on: 1472631
Depends on: 1472635
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.