Closed Bug 1615471 (CVE-2020-12393) Opened 5 years ago Closed 5 years ago

Command injection in the "Copy as cURL (Windows)" feature

Categories

(DevTools :: Netmonitor, task, P1)

Product:
DevTools
Component:
Netmonitor
Type:
task

Tracking

(firefox-esr6876+ verified, firefox75 wontfix, firefox76+ verified, firefox77+ verified)

Status:
VERIFIED FIXED
Milestone:
Firefox 77
Tracking Flags:
Tracking Status
firefox-esr68 76+ verified
firefox75 --- wontfix
firefox76 + verified
firefox77 + verified

People

(Reporter: david.yesland, Assigned: bomsy)

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+][adv-ESR68.8+])

Attachments

(3 files)

example_POC.html
561 bytes, text/html
Details
Bug 1615471 - Escape dollar sign for curl on windows r=honza
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr68+
Details | Review
advisory.txt
518 bytes, text/plain
Details
Attached file example_POC.html

Firefox does not perform any kind of escaping on $ characters in the "Copy as cURL (Windows)" functionality. This allows a PowerShell subexpression to be used in the copied cURL command, which if pasted into PowerShell will lead to command injection. This would be possible by creating a request which contains the $() characters in any portion which does not get URL encoded.

For example, the following code snippet with create a request with an unencoded header containing the value $(calc.exe) which will execute calc.exe if the request is copied using "Copy as cURL (Windows)" and pasted into PowerShell.

xhttp.open("GET", "//example.com:8000", true);
xhttp.setRequestHeader("test", "$(calc.exe)");
xhttp.send();

Steps to reproduce

  1. Use something like python -m SimpleHTTPServer to serve the attached example_POC.html locally.
  2. open http://127.0.0.1:8000/example_POC.html in Firefox
  3. Open dev tools with F12 and click the Network tab
  4. click the "Request data" button
  5. Right click the request that is sent and click "Copy as cURL(windows)"
  6. Open Powershell, paste the command and hit enter
  7. calc.exe will open

I have also attached an HTML page which can be open in Firefox.

Flags: sec-bounty?
Component: Security → Netmonitor
Product: Firefox → DevTools
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-priv-escalation, sec-moderate

Hubert, could you please look at this one, thanks.

Honza

Flags: needinfo?(hmanilla)

Escape dollar sign for curl on windows,to fix a security issue
where commands such as $(cmd.exe) can be executed.

Assignee: nobody → hmanilla
Status: NEW → ASSIGNED
Flags: needinfo?(hmanilla)

https://hg.mozilla.org/integration/autoland/rev/2bf07308813d315f192658e38e0f5ba88d7118f0
https://hg.mozilla.org/mozilla-central/rev/2bf07308813d

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox77: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 77

Please request Beta and ESR68 approval on this patch when you get a chance.

status-firefox75: --- → wontfix
status-firefox76: --- → affected
status-firefox-esr68: --- → affected
Flags: needinfo?(hmanilla)

Comment on attachment 9138461 [details]
Bug 1615471 - Escape dollar sign for curl on windows r=honza

Beta/Release Uplift Approval Request

  • User impact if declined: Security bug with curl handling in devtools
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just fixes a security issue with Command injection in the "Copy as cURL" on Windows
  • String changes made/needed: none

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate issue
  • User impact if declined: Security bug with curl handling in devtools
  • Fix Landed on Version: 77 uplifted to 76
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just fixes a security issue with Command injection in the "Copy as cURL" on Windows
  • String or UUID changes made by this patch: none
Flags: needinfo?(hmanilla)
Attachment #9138461 - Flags: approval-mozilla-esr68?
Attachment #9138461 - Flags: approval-mozilla-beta?

Comment on attachment 9138461 [details]
Bug 1615471 - Escape dollar sign for curl on windows r=honza

Approved for 76.0b7 and 68.8esr.

Attachment #9138461 - Flags: approval-mozilla-esr68?
Attachment #9138461 - Flags: approval-mozilla-esr68+
Attachment #9138461 - Flags: approval-mozilla-beta?
Attachment #9138461 - Flags: approval-mozilla-beta+

Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information

Priority: P3 → P1

Will this be valid for a bounty?

Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]

I've reproduced this issue with the steps from comment 0, on an affected Nightly build from 2020-02-13.

I can confirm that the cal.exe doesn't open anymore, on any of the fixed builds: latest Nightly 77.0a1, 76.0RC and 68.8.0esr.

Status: RESOLVED → VERIFIED
status-firefox76: fixedverified
status-firefox77: fixedverified
status-firefox-esr68: fixedverified
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+]
Whiteboard: [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+] → [reporter-external] [client-bounty-form] [post-critsmash-triage][adv-main76+][adv-ESR68.8+]
Attached file advisory.txt
Alias: CVE-2020-12393
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: