Firefox for Android - Directory Traversal can lead to network hijacking
Categories
(Firefox for Android Graveyard :: General, defect, P1)
Tracking
(firefox-esr6875+ fixed, firefox73 unaffected, firefox74 unaffected, firefox75 unaffected, firefox76 unaffected)
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | 75+ | fixed |
| firefox73 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | unaffected |
| firefox76 | --- | unaffected |
People
(Reporter: gnehsoah, Assigned: petru)
References
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form][adv-esr68.7+])
Attachments
(2 files, 1 obsolete file)
It has been found the firefox android application accepts Intents from third-parties. When a crafted Intent containing a URI pointing to a custom-defined ContentProvider is sent, the application queries the ContentProvider to fetch files. This allows overwriting files under the private application folder.
By exploiting this vulnerability, it is possible to overwrite /data/data/org.mozilla.firefox/files/mozilla/profiles.ini and put a user.js file into the user's directory which can lead to network hijacking.
Vulnerability in this method:
org.mozilla.gecko.util.ContentUriUtils.getTempFilePathFromContentUri
Firefox Version: 68.5.0
Steps to reproduce:
- see the screen record
Here is the screen record https://drive.google.com/open?id=1q6IQP8SCcpqtUTZ-Wb6z73Y8vWcFdLzM
|
||
Comment 2•5 years ago
|
||
Stefan, Snorp, can you please take a look at this? I can't really say how viable an attack through crafted intents is, but overwriting arbitrary prefs/files in the app directory is almost as bad as it can get.
Thanks!
|
||
Updated•5 years ago
|
Ugh. Yup, this is pretty bad.
It looks like in order to fix, we should just use the leaf file name here: https://searchfox.org/mozilla-central/rev/b2ccce862ef38d0d150fcac2b597f7f20091a0c7/mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/FileUtils.java#321
If we don't do this, the filename can look like "../../files/mozilla/profiles.ini", which causes us to overwrite our own profiles.ini, etc. We should treat it as "profiles.ini" instead.
Petru, do you have time to write a patch for this? See comment #3.
|
||
Comment 5•5 years ago
|
||
This affects Fennec and Fenix, doesn't it?
We ought to patch both.
|
|
||
Comment 6•5 years ago
|
||
Sebastian tells me this only affects Fennec.
From what I understand, we want to roll out fenix gradually to existing beta users, which means we can't easily ship a security update without delaying that. But updating to would fix this problem for beta population over the course of the next ~2 weeks.
This would still leave fennec release users affected until we start the roll out in early April (~5 weeks from now).
Maybe we could do the fenix roll-out for beta and fix fennec-release directly after beta has gone to 100% (i.e., after those two weeks)?
I'd still very much like to hear what st3fan and Dan think.
|
Assignee | |
Comment 7•5 years ago
|
||
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) (he/him) from comment #4)
Petru, do you have time to write a patch for this? See comment #3.
Sure!
This is interesting...
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Comment 8•5 years ago
|
||
Marking this a P1 - lets try to ship this in the next release.
|
|
Assignee | |
Comment 9•5 years ago
|
||
For loading a file exposed through a provider Fennec will first copy the file
in it's cache folder (internal storage).
Tricking Fennec into thinking the file name should contain forward slashes will
result in saving the file to a different than intended location potentially
overwriting important application data.
To mitigate this attack vector we'll always check for forward slashes in the
filename and if so always keep just the leaf.
|
|
Assignee | |
Comment 10•5 years ago
|
||
James, I see FileUtils still exists in m-c.
If it needs this change also I can file a bug and post a similar patch for it.
(In reply to Petru-Mugurel Lingurar[:petru] from comment #10)
James, I see
FileUtilsstill exists in m-c.
If it needs this change also I can file a bug and post a similar patch for it.
That would be great. I could see us trying to use it in the future to handle content://.
|
|
||
Comment 12•5 years ago
|
||
Sebastian tells me this only affects Fennec.
The vuln combination, maybe, because we block it at the intents end. We should fix FileUtils for both just in case there's another or future way to get there in other GeckoView products (what snorp said in comment 11).
Does shipping Focus respond to or ignore those intents?
(In reply to Daniel Veditz [:dveditz] from comment #12)
Sebastian tells me this only affects Fennec.
The vuln combination, maybe, because we block it at the intents end. We should fix FileUtils for both just in case there's another or future way to get there in other GeckoView products (what snorp said in comment 11).
Does shipping Focus respond to or ignore those intents?
It does not support content:// at the moment.
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 14•5 years ago
|
||
Comment on attachment 9130800 [details]
Bug 1617928 - Sanitize "content" uri filenames; r?AndreiLazar,snorp
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high - privacy escalation
- User impact if declined: Network hijacking, settings overridden.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small change
- String or UUID changes made by this patch:
|
|
Assignee | |
Comment 15•5 years ago
|
||
Comment on attachment 9130800 [details]
Bug 1617928 - Sanitize "content" uri filenames; r?AndreiLazar,snorp
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Medium effort
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: All branches. Bug was probably introduced in bug 1499618
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: The solution is simple.
- How likely is this patch to cause regressions; how much testing does it need?: Very low chances of regressions. Testing based on the provided poc should be enough.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
||
Comment 16•5 years ago
|
||
Comment on attachment 9130800 [details]
Bug 1617928 - Sanitize "content" uri filenames; r?AndreiLazar,snorp
Per discussion this is going to land under a public bug, with the comments changes so it looks less like a security fix.
|
|
Assignee | |
Comment 17•5 years ago
|
||
As a public ticket I created bug 1622781.
|
||
Comment 18•5 years ago
|
||
| uplift | ||
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Comment 19•5 years ago
|
||
|
|
||
Updated•5 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•6 months ago
|
|
||
Updated•6 months ago
|
Description
•