Appcache fallback can be corrupted allowing manifests to poison an entire origin
Categories
(Core :: Networking: Cache, defect, P1)
Tracking
()
People
(Reporter: pauljt, Assigned: valentin)
Details
(Keywords: sec-high, Whiteboard: [necko-triaged][post-critsmash-triage][sec-survey][adv-main78+])
Attachments
(2 files, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta-
dveditz
:
sec-approval+
|
Details | Review |
|
300 bytes,
text/plain
|
Details |
There is an issue in our appcache implementation that allows a manifest served from a subdirectory, to confuse the browser into using the appcache to requests to the top level directory. (i.e. we dont enforced the rule that appcache is only supposed to be able to be responsible for requests to sub-directories.
This bug was confirmed by Honza. From email:
I quickly confirmed on IIS 10 with statically served content: when the <html manifest> attribute value is in a form of "/dir%2fsubdir%2fcache.manifest" and the manifest, served at
/dir/subdir/cache.manifest, hasFALLBACK: / some-evil-resource-url, we load the evil resource for anything that can't be found on the web site for the origin the document was loaded in.
An example of a real world attack scenario (which I'm not linking, so as not to draw attention) is given in https://bugzilla.mozilla.org/show_bug.cgi?id=1376459#c4.
While appcache is close to deprecation, as we have had external reports here of this issue, I'm filing this bug to consider if a fix is need in the short term, or if we can just push for appcache deprecation (1237782 ). The consensus from the discussion so far is that deprecation will not make ESR68, so we make need an interim fix.
|
Reporter | |
Comment 1•5 years ago
|
||
As for rating, I'd argue that if you are using a shared origin for sensitive data, you are asking for trouble. But since there might be a real world case here I'm rating this as sec-high (regardless of whose at fault).
|
||
Comment 2•5 years ago
|
||
(In reply to Paul Theriault [:pauljt] (needinfo pls) from comment #0)
There is an issue in our appcache implementation that allows a manifest served from a subdirectory, to confuse the browser into using the appcache to requests to the top level directory. (i.e. we dont enforced the rule that appcache is only supposed to be able to be responsible for requests to sub-directories.
This bug was confirmed by Honza. From email:
I quickly confirmed on IIS 10 with statically served content: when the <html manifest> attribute value is in a form of "/dir%2fsubdir%2fcache.manifest" and the manifest, served at
/dir/subdir/cache.manifest, hasFALLBACK: / some-evil-resource-url, we load the evil resource for anything that can't be found on the web site for the origin the document was loaded in.An example of a real world attack scenario (which I'm not linking, so as not to draw attention) is given in https://bugzilla.mozilla.org/show_bug.cgi?id=1376459#c4.
That was a general case that have been fixed by bug 1376459 - to force fallback entries to be in the directory or a subdir of the manifest.
The problem that we are considering here is escaping of the path that can bypass that check easily (as I demoed in the email). If you make a request to https://foo.com/dir1/dir2/resource it may or may not be the same as https://foo.com/dir1%2fdir2%2fresource (or its variations). For IIS (static) it is the same path, but we see the Directory as '/'; for Apache (static/rewrite) it is not the same path (we are safe there, the attack is not possible). I haven't tested e.g. nginx static/rewrite path escaping behavior, but I probably don't have to.
Based on the different interpretation of a path with escaped slashes by servers, we can't canonicalize the path by unescaping (%2f -> '/') as that would lead to a different resource being requested on, specifically, Apache servers.
We could do the unescaping exclusively for appcache resources (and force reload/cleaning/fallback entries cleanup of existing users' appcaches?) to mitigate this attack. I don't think that modifying the Directory getter on nsIURI(L?) behavior generally to always unescape would be a good idea.
The only proper way IMO is to disable appcache.
While appcache is close to deprecation, as we have had external reports here of this issue, I'm filing this bug to consider if a fix is need in the short term, or if we can just push for appcache deprecation (1237782 ). The consensus from the discussion so far is that deprecation will not make ESR68, so we make need an interim fix.
|
||
Updated•5 years ago
|
|
|
||
Comment 3•5 years ago
|
||
P3, but if I hear voices this should be fixed soon-ish, we can re-prioritize.
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Comment 4•5 years ago
|
||
Not sure what the status is of this, but it's clearly not getting fixed in any active releases.
|
||
Updated•4 years ago
|
|
|
||
Comment 5•4 years ago
|
||
Valentin, if we aim for progress here and not perfection, I think just unescaping the URL will do. What do you think? Fixing this bug only makes sense if we want to leave appcache on for ESR 78, IMO.
|
|
||
Comment 6•4 years ago
|
||
[Tracking Requested - why for this release]:
We would like to have at least an imperfect mitigation for 78, which is ESR. Appcache will be left enabled for 78 ESR and this is the last well known security bug in appcache.
|
||
Updated•4 years ago
|
|
||
Comment 7•4 years ago
|
||
Changing the priority to p2 as the bug is tracked by a release manager for the current nightly.
See What Do You Triage for more information
|
Assignee | |
Comment 9•4 years ago
|
||
|
|
Assignee | |
Comment 10•4 years ago
|
||
Depends on D75796
|
|
Assignee | |
Comment 11•4 years ago
|
||
It seems this is the easiest fix to the problem.
We could also add the check to nsContentUtils::GetOfflineAppManifet, so that we don't even parse a manifest that is served from a path containing %2f.
What do you think?
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 12•4 years ago
|
||
Comment on attachment 9150419 [details]
Bug 1586630 - Add check to GetURIDirectory r=mayhemer
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Relatively easily.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Applies cleanly on esr68
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause any regressions.
Minimal testing required - mostly just to check that appcache websites still work as expected.
|
|
||
Comment 13•4 years ago
|
||
Comment on attachment 9150419 [details]
Bug 1586630 - Add check to GetURIDirectory r=mayhemer
sec-approval+ to get this into Fx78
|
|
||
Comment 14•4 years ago
|
||
Add check to GetURIDirectory r=mayhemer
https://hg.mozilla.org/integration/autoland/rev/4626bc2c944d531971159e127b663e8232427a24
|
|
Assignee | |
Updated•4 years ago
|
|
|
||
Comment 15•4 years ago
|
||
|
|
Assignee | |
Comment 16•4 years ago
|
||
Comment on attachment 9150419 [details]
Bug 1586630 - Add check to GetURIDirectory r=mayhemer
Beta/Release Uplift Approval Request
- User impact if declined:
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is minimal - we now return an error code if the manifest's path contains %2f or %2F
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: Potential for an attacker to hijack resources on the same server that they should not be able to.
- Fix Landed on Version: 78
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is minimal - we now return an error code if the manifest's path contains %2f or %2F
- String or UUID changes made by this patch:
|
|
||
Comment 17•4 years ago
|
||
Comment on attachment 9150419 [details]
Bug 1586630 - Add check to GetURIDirectory r=mayhemer
77 is already built, and the next beta will be 78 after the merge next week.
|
||
Comment 18•4 years ago
|
||
Valentin, is there a reason to want this patch in esr68? It landed in 78 so it will be part of the next ESR which is what was requested in comment #6 and it had been set as wontfix for esr68 previously.
|
|
Assignee | |
Comment 19•4 years ago
|
||
(In reply to Pascal Chevrel:pascalc from comment #18)
had been set as wontfix for esr68 previously.
Oh, I missed that. Then we probably don't need it in 68.
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Comment 20•4 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Comment 22•4 years ago
|
||
Credit to Kevin Higgs, this issue was passed to us by a third party.
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
Description
•