Firefox iOS download feature SECURITY_TOKEN check bypass and path traversal
Categories: Firefox for iOS :: General, defect
People: Reporter: codecolorist, Assigned: garvan
Keywords: csectype-dos, reporter-external, sec-moderate; Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Firefox on iOS injects an object named 'firefox' into every page.
For example, firefox.download is implemented here:
To prevent abuse, it has a random SECURITY_TOKEN check:
if (securityToken !== SECURITY_TOKEN) {
return;
}
It makes no sense at all since we can manually send the message:
const str = 'hello world'
webkit.messageHandlers.downloadManager.postMessage({
filename: '../oops.js',
base64String: btoa(str),
mimeType: 'application/octet-stream',
size: str.length
})
Yeah, the PoC is pretty simple. DownloadContentScript does no further security check, so we can trigger a download without user interaction.
This function uniqueDownloadPathForFilename simply takes our filename param and passes it to appendingPathComponent, hence it suffers from path traversal:
This bug is less exploitable, because:
- It can only write file in app sandbox
- It does not overwrite existing files. A new file will be created with a suffix like "hello (1).js"
- There's no such thing as "dynamically loading a jar" on iOS
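An added example of the native-side validation a defender would want for this bug (my own Swift, not Firefox iOS code; `safeDownloadURL` and the downloads directory are assumptions): it accepts only a bare file name and confirms the resulting path stays inside the downloads directory, since the report shows that a token check living in page-reachable JavaScript cannot be relied on.

```swift
import Foundation

/// Hypothetical hardened replacement for building a download path from a
/// page-supplied filename (added example, not Firefox iOS code).
/// Returns nil when the name is not a plain file name or would escape `downloadsDir`.
func safeDownloadURL(filename: String, downloadsDir: URL) -> URL? {
    // Accept only a bare name: no path separators, no NUL, no control characters,
    // and no "." / ".." components, so appendingPathComponent cannot climb upward.
    let forbidden = CharacterSet(charactersIn: "/\\:\0").union(.controlCharacters)
    guard !filename.isEmpty,
          filename.rangeOfCharacter(from: forbidden) == nil,
          filename != ".", filename != ".." else {
        return nil
    }

    // Defence in depth: normalise both paths and check containment, so the result
    // is rejected even if some future caller lets a traversal sequence through.
    let base = downloadsDir.standardizedFileURL
    let candidate = base.appendingPathComponent(filename).standardizedFileURL
    guard candidate.path.hasPrefix(base.path + "/") else {
        return nil
    }
    return candidate
}

// Constructed inputs: the traversal name from the report and a benign file name.
let downloads = URL(fileURLWithPath: "/tmp/FirefoxDownloads", isDirectory: true)
let traversal = safeDownloadURL(filename: "../oops.js", downloadsDir: downloads)
let benign = safeDownloadURL(filename: "report.pdf", downloadsDir: downloads)
print("traversal name accepted: \(traversal != nil)")
print("benign name accepted: \(benign != nil), path: \(benign?.path ?? "-")")
```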
Comment 1 • 6 years ago
Sounds mostly like a denial of service type bug, but if you filled up someone's phone they could have a really hard time cleaning up zillions of unwanted files. (maybe they get cleared if you uninstall Firefox? dunno enough about iOS).
This is a bug indeed, a page can force a download. Without a 'clear all' function this requires deleting the app to clear out the downloads.
Comment 4 • 6 years ago (Reporter)
BTW, there are more functions vulnerable to the TOKEN check bypass.