Local files theft
Categories: Firefox :: Security, enhancement
People: Reporter: quitten11, Unassigned
Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 1 file (5.43 MB, video/x-matroska)
Hey, I am Barak Tawily, security researcher. After deep research on the latest (currently 67) Mozilla Firefox browser, I found a bug that allows me to make fetch requests to local files and directories, and even read their content.
Looks like Firefox is "saving" first loaded frame contexts, and there is a bug in the same origin policy for file schemes.
So in case you are accessing file://home/, this origin is able to read its own directories, subdirectories and files, and make fetch requests to get file contents.
PoC video attached.
Attack scenario:
- Attacker sends an email to the victim with an attachment file to be downloaded / the victim browses to a malicious website and downloads the file
- The victim opens the malicious HTML file
- The file loads the containing folder in an iframe (so my file path is file:///home/user/-malicious.html, and the iframe source will be file:///home/user/)
- The victim clicks on a button on the malicious HTML; in fact he is clicking on the malicious HTML file inside the iframe's directory listing (using a ClickJacking technique, in order to apply the context switching bug)
- The malicious iframe now has the right privileges due to the context switch bug and will be able to read any file on file:///home/user/, stealing the SSH private key by fetching the URL file:///home/user/.ssh/ida_rsa and stealing any file he wishes under the directory file:///home/user/. The malicious script will read the file's content and send it to the attacker via HTTP fetch requests.
I would like to assign a CVE for this bug, and you are the one who can make it, as I understood.
Kind regards.
Barak Tawily.
Comment 1•6 years ago
I think this is a duplicate report. The specification of the Same Origin Policy is unclear here.
Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders.
I'm not sure which bug to dupe this against, but it is certainly both public and previously reported. This was the earliest dupe I could find.
Regardless, thank you for your efforts to keep Firefox secure.
This actually isn't the best duplicate, the dupes for this issue are a bit of a mess. But for some more clear explanation about the underlying issues, see
https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs
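To make the rule in Comment 1 concrete, here is an added JavaScript model (not Firefox's code and not from the report) of the legacy file: same-origin check: a document loaded from a file: URL could read files in its own directory and in any subdirectory, but not its parent or sibling directories. The function names and sample paths are made up for the example; the prefix check relies on the URL parser normalizing `..` segments.

```javascript
// Added illustration of the legacy same-origin rule for file: URIs described
// in Comment 1. Not Firefox's implementation; names and paths are constructed.

// Directory containing the document at fileUrl, with a trailing slash.
// A URL that already ends in "/" is a directory listing page and is its own base.
function containingDir(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== "file:") throw new Error("not a file: URL: " + fileUrl);
  const p = u.pathname;
  return p.endsWith("/") ? p : p.slice(0, p.lastIndexOf("/") + 1);
}

// Legacy rule: a file: document may read a target only if the target is a
// file: URL whose path lies in the reader's directory or below it.
// new URL() resolves "." and ".." before the comparison, so a target such as
// file:///home/user/../other/x.txt is compared as /home/other/x.txt.
function legacyFileOriginAllows(readerUrl, targetUrl) {
  const base = containingDir(readerUrl);
  let target;
  try {
    target = new URL(targetUrl);
  } catch (e) {
    return false;
  }
  if (target.protocol !== "file:") return false;
  return target.pathname.startsWith(base);
}

// Which of several candidate targets the reader could have fetched under the
// legacy rule. Useful for reasoning about what a local HTML file could reach.
function readableTargets(readerUrl, candidateUrls) {
  return candidateUrls.filter((t) => legacyFileOriginAllows(readerUrl, t));
}
```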
Comment 4•6 years ago
This will be fixed by bug 803143 when we make that change.
What about the bug that allows me to read the directory listing content? Is it due to the fact that you preserved the first opened URL as the origin?
e.g. file:///home/user/poc.html can call file:///home/user/ and read all the files listing on this folder.
Updated•6 years ago
Hi, can you please elaborate why, after you denied this bug and after my blog post went viral, you fixed this issue and gave credit to someone else?... I'm quite insulted...
And I'm still waiting for a response regarding my previous comment.