Closed Bug 1614468 (CVE-2020-12392) Opened 5 years ago Closed 5 years ago

'Copy As Curl' in the network panel of the devtools uses '--data' instead of '--data-raw', leading to arbitrary local file access

Categories

(DevTools :: Netmonitor, task, P2)

task

Tracking

(firefox-esr68 76+ fixed, firefox75 wontfix, firefox76 + fixed, firefox77 + fixed)

RESOLVED FIXED
Firefox 77
Tracking Status
firefox-esr68 76+ fixed
firefox75 --- wontfix
firefox76 + fixed
firefox77 + fixed

People

(Reporter: pere.jobs, Assigned: Gijs)

References

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+][adv-ESR68.8+])

Attachments

(3 files)

Attached file bug.html

After the discussion about the patch for bug 1607742, I made a few more experiments with the "Copy as curl" functionality, and found another vulnerability: POST data is sent using '--data' instead of '--data-raw'. This means that if the body of an HTTP request starts with the character '@', the rest of the body will be interpreted as a file name to send instead of raw data.

An attacker can use this bug to read local files on the computer of a user of the "Copy as curl" functionality. The only thing he has to do is make a request such as the following:

fetch('', {body: '@/etc/passwd', method:'POST'})

When the user uses 'Copy as curl' on the generated request and then executes the curl command, the contents of /etc/passwd will be sent to the attacker's server.

Fixing this bug is as simple as using --data-raw instead of --data.

Flags: sec-bounty?
Component: Security → Netmonitor
Product: Firefox → DevTools
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-moderate

Ophir, interested in fixing this one?
Honza

Flags: needinfo?(pere.jobs)

I really like contributing to free software, but after looking at the instructions for the devtools (https://docs.firefox-dev.tools/getting-started/build.html), I feel like it's not worth pulling gigabytes of dependencies, including several compilers, for just a 1-line JavaScript fix. So I'll have to decline the offer.
It would be nice if the Firefox dev tools could be decoupled from Firefox itself, just like the chrome dev tools: https://github.com/ChromeDevTools/devtools-frontend

Flags: needinfo?(pere.jobs)

Yes, the reporter of the Chromium bug is also me. The bug existed in both browsers, and I opened two independent bugs.

Attached file Bug 1614468, r?Honza
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 77

Sec-bug with a trivial fix, so I'm assuming we can uplift this. bomsy, do you agree?

Flags: needinfo?(hmanilla)

Yes I do, thanks!

Flags: needinfo?(hmanilla)

Please nominate this for Beta and ESR68 approval when you get a chance. It grafts cleanly to both as-landed.

Flags: needinfo?(gijskruitbosch+bugs)
Flags: in-testsuite+

Comment on attachment 9140819 [details]
Bug 1614468, r?Honza

Beta/Release Uplift Approval Request

  • User impact if declined: sec bug in curl handling in devtools
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: n/a
  • List of other uplifts needed: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Basically find/replace for the curl command, fixing a security issue that happens based on how curl interprets the data provided to a commandline argument
  • String changes made/needed: none

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate issue
  • User impact if declined: sec bug in curl handling in devtools
  • Fix Landed on Version: 77 uplifted to 76
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Basically find/replace for the curl command, fixing a security issue that happens based on how curl interprets the data provided to a commandline argument
  • String or UUID changes made by this patch: none
Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9140819 - Flags: approval-mozilla-esr68?
Attachment #9140819 - Flags: approval-mozilla-beta?

Comment on attachment 9140819 [details]
Bug 1614468, r?Honza

Approved for 76.0b6 and 68.6esr.

Attachment #9140819 - Flags: approval-mozilla-esr68?
Attachment #9140819 - Flags: approval-mozilla-esr68+
Attachment #9140819 - Flags: approval-mozilla-beta?
Attachment #9140819 - Flags: approval-mozilla-beta+

(In reply to Ryan VanderMeulen [:RyanVM] from comment #11)

Comment on attachment 9140819 [details]
Bug 1614468, r?Honza

Approved for 76.0b6 and 68.6esr.

That should be (only) 68.8esr?

Flags: needinfo?(ryanvm)

Yes, typo.

Flags: needinfo?(ryanvm)
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+]
Whiteboard: [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+] → [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+][adv-ESR68.8+]
Attached file advisory.txt
Alias: CVE-2020-12392
Flags: sec-bounty? → sec-bounty+
Group: core-security-release