Command injection in the "Copy as cURL (Windows)" feature
Categories
(DevTools :: Netmonitor, task, P1)
Tracking
(firefox-esr68 76+ verified, firefox75 wontfix, firefox76+ verified, firefox77+ verified)
People
(Reporter: david.yesland, Assigned: bomsy)
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+][adv-ESR68.8+])
Attachments
(3 files)
- 561 bytes, text/html
- 47 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+, approval-mozilla-esr68+)
- 518 bytes, text/plain
Firefox does not perform any kind of escaping on $ characters in the "Copy as cURL (Windows)" functionality. This allows a PowerShell subexpression to be used in the copied cURL command, which if pasted into PowerShell will lead to command injection. This would be possible by creating a request which contains the $() characters in any portion which does not get URL encoded.
For example, the following code snippet will create a request with an unencoded header containing the value $(calc.exe), which will execute calc.exe if the request is copied using "Copy as cURL (Windows)" and pasted into PowerShell.
const xhttp = new XMLHttpRequest(); // needed for the snippet to run on its own
xhttp.open("GET", "//example.com:8000", true);
xhttp.setRequestHeader("test", "$(calc.exe)"); // header values are not URL-encoded
xhttp.send();
Steps to reproduce
- Use something like python -m SimpleHTTPServer to serve the attached example_POC.html locally.
- Open http://127.0.0.1:8000/example_POC.html in Firefox.
- Open dev tools with F12 and click the Network tab.
- Click the "Request data" button.
- Right-click the request that is sent and click "Copy as cURL (Windows)".
- Open PowerShell, paste the command and hit Enter.
- calc.exe will open.
I have also attached an HTML page which can be opened in Firefox.
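The report comes down to the serializer that builds the Windows variant of the command: each argument is wrapped in double quotes, and a double-quoted PowerShell string still expands $(...), ${...} and $name. The following JavaScript is an added example written for this page, not Firefox's own devtools/client/shared/curl.js. It places a naive Windows escaper that reproduces the reported behaviour next to a hardened one that prefixes every $ with a backtick (PowerShell's escape character), serializes a request through both, and runs a small scanner over the result to flag any $ PowerShell would still expand. The request shape ({ url, method, headers, body }), the function names and the sample request are assumptions of the example.

```javascript
// Added example: a minimal "Copy as cURL (Windows)" serializer written for this
// page. It is NOT Firefox's own devtools/client/shared/curl.js; the request
// shape, the helper names and the sample request are assumptions.

// Vulnerable variant, mirroring the behaviour described in comment 0: quotes
// are doubled and % is fenced (both cmd.exe concerns), but "$" passes through
// untouched, so a header value of $(calc.exe) lands verbatim inside a
// double-quoted argument and PowerShell evaluates it when the line is pasted.
function escapeStringWinVulnerable(str) {
  const body = str
    .replace(/"/g, '""') // "" is a literal quote for both cmd.exe and PowerShell
    .replace(/%/g, '"%"') // keep cmd.exe from expanding %VAR%
    .replace(/\\/g, "\\\\"); // keep the MS C runtime from collapsing backslashes
  return '"' + body + '"';
}

// Hardened variant: the same steps plus PowerShell escaping. Existing
// backticks are doubled first, then every "$" gets a backtick prefix, so
// "`$(calc.exe)" is a plain string to PowerShell. cmd.exe gives the backtick
// no meaning, so the value loses fidelity there: the "Windows" variant has to
// satisfy two shells with different quoting rules.
function escapeStringWin(str) {
  const body = str
    .replace(/`/g, "``") // escape pre-existing backticks before adding ours
    .replace(/\$/g, "`$") // `$ is PowerShell's literal dollar sign
    .replace(/"/g, '""')
    .replace(/%/g, '"%"')
    .replace(/\\/g, "\\\\")
    .replace(/[\r\n]+/g, '"^$&"'); // close the quote, ^ continues a cmd.exe line, reopen
  return '"' + body + '"';
}

// Serialize a captured request the way the context-menu item does.
// `req` is { url, method, headers, body }; `escape` is one of the two above.
function toCurlWindows(req, escape) {
  const parts = ["curl", escape(req.url)];
  if (req.method && req.method !== "GET") {
    parts.push("-X", escape(req.method));
  }
  for (const [name, value] of Object.entries(req.headers || {})) {
    parts.push("-H", escape(`${name}: ${value}`));
  }
  if (req.body !== undefined) {
    parts.push("--data-raw", escape(req.body));
  }
  return parts.join(" ");
}

// The check a reviewer would want on the generated line: is there a "$" that
// PowerShell still expands inside a double-quoted string? A backtick escapes
// the character after it, so `$ is skipped; a bare "$" followed by "(", "{",
// an identifier character, "$", "?" or "^" starts an expansion.
function hasPowerShellExpansion(text) {
  for (let i = 0; i < text.length; i++) {
    if (text[i] === "`") {
      i++; // whatever follows a backtick is literal
      continue;
    }
    if (text[i] === "$" && /[({A-Za-z_$?^]/.test(text[i + 1] || "")) {
      return true;
    }
  }
  return false;
}

// Constructed sample request matching the PoC in comment 0 (not captured data).
const POC_REQUEST = {
  url: "http://example.com:8000/",
  method: "GET",
  headers: { test: "$(calc.exe)" },
};

console.log("vulnerable:", toCurlWindows(POC_REQUEST, escapeStringWinVulnerable));
console.log("hardened:  ", toCurlWindows(POC_REQUEST, escapeStringWin));
```

The scanner is what to run over any new escaping rule before shipping it: it is cheap and catches the ${...} and $name forms as well as the $(...) form in the PoC. The "%" fencing and the ^ continuation are cmd.exe idioms, so the hardening closes the expansion hole without making the command round-trip identically in both shells.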
Comment 1•5 years ago
Hubert, could you please look at this one, thanks.
Honza
Comment 2•5 years ago (Assignee)
Escape dollar sign for curl on Windows, to fix a security issue
where commands such as $(cmd.exe) can be executed.
Comment 3•5 years ago
https://hg.mozilla.org/integration/autoland/rev/2bf07308813d315f192658e38e0f5ba88d7118f0
https://hg.mozilla.org/mozilla-central/rev/2bf07308813d
Comment 4•5 years ago
Please request Beta and ESR68 approval on this patch when you get a chance.
Comment 5•5 years ago (Assignee)
Comment on attachment 9138461
Bug 1615471 - Escape dollar sign for curl on windows r=honza
Beta/Release Uplift Approval Request
- User impact if declined: Security bug with curl handling in devtools
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just fixes a security issue with Command injection in the "Copy as cURL" on Windows
- String changes made/needed: none
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate issue
- User impact if declined: Security bug with curl handling in devtools
- Fix Landed on Version: 77 uplifted to 76
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just fixes a security issue with Command injection in the "Copy as cURL" on Windows
- String or UUID changes made by this patch: none
Comment 6•5 years ago
Comment on attachment 9138461
Bug 1615471 - Escape dollar sign for curl on windows r=honza
Approved for 76.0b7 and 68.8esr.
Comment 7•5 years ago
Comment 8•5 years ago
Changing the priority to P1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information.
Comment 9•5 years ago
uplift
Comment 10•5 years ago (Reporter)
Will this be valid for a bounty?
Comment 11•5 years ago
I've reproduced this issue with the steps from comment 0, on an affected Nightly build from 2020-02-13.
I can confirm that calc.exe doesn't open anymore on any of the fixed builds: latest Nightly 77.0a1, 76.0RC and 68.8.0esr.
Comment 12•5 years ago