Closed Bug 1619997 Opened 4 years ago Closed 4 years ago

GeckoView: Directory Traversal can lead to network hijacking

Categories

(GeckoView :: General, task, P1)

All
Android

Tracking

(firefox73 wontfix, firefox74 wontfix, firefox75+ fixed, firefox76+ fixed)

RESOLVED FIXED
mozilla76

People

(Reporter: petru, Assigned: petru)

References

Details

(Keywords: csectype-priv-escalation, sec-high, Whiteboard: [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main75-])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1617928 to resolve the same issue in m-c +++

It has been found that the Firefox Android application accepts Intents from third parties. When a crafted Intent containing a URI pointing to a custom-defined ContentProvider is sent, the application queries the ContentProvider to fetch files. This allows overwriting files under the private application folder.
By exploiting this vulnerability, it is possible to overwrite /data/data/org.mozilla.firefox/files/mozilla/profiles.ini and put a user.js file into the user's directory which can lead to network hijacking.

Vulnerability in this method:
org.mozilla.gecko.util.ContentUriUtils.getTempFilePathFromContentUri

Firefox Version: 68.5.0

Steps to reproduce:

  1. see the screen recording - https://drive.google.com/open?id=1q6IQP8SCcpqtUTZ-Wb6z73Y8vWcFdLzM

For loading a file exposed through a provider Fennec will first copy the file
in its cache folder (internal storage).
Tricking Fennec into thinking the file name should contain forward slashes will
result in saving the file to a location other than the intended one, potentially
overwriting important application data.

To mitigate this attack vector we'll always check for forward slashes in the
filename and if so always keep just the leaf.

OS: Unspecified → Android
Product: Firefox for Android → GeckoView
Hardware: Unspecified → All
Version: unspecified → Trunk
Summary: Firefox for Android: Directory Traversal can lead to network hijacking → GeckoView: Directory Traversal can lead to network hijacking
Depends on: 1622781
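The traversal and the "keep just the leaf" mitigation described in the comment above, as an added example that is not code from this page or from Fennec/GeckoView. The Android ContentResolver/Cursor query is replaced by a plain String argument standing in for the OpenableColumns.DISPLAY_NAME a hostile provider reports; the class and method names, the cache and profile paths, and the attacker-controlled display name are all constructed for illustration. The containment check after leaf extraction is an extra layer added here, not the project's fix.

```java
import java.io.File;
import java.io.IOException;

/**
 * Models the bug: a file exposed by a third-party ContentProvider is copied
 * into the app's cache directory under whatever name the provider reports.
 * If that name contains "../" the copy lands outside the cache directory.
 * cacheDir stands in for what Context.getCacheDir() would return on Android.
 */
public final class ContentUriPathCheck {

    /** Vulnerable behaviour: trust the provider-supplied name as a path component. */
    static File vulnerableTempFile(File cacheDir, String displayName) {
        return new File(cacheDir, displayName);
    }

    /**
     * Hardened behaviour: drop everything up to the last '/' so only the leaf
     * survives (the fix described in the bug), then canonicalise and confirm the
     * result still lives under cacheDir as a second line of defence.
     */
    static File hardenedTempFile(File cacheDir, String displayName) throws IOException {
        String leaf = displayName.substring(displayName.lastIndexOf('/') + 1);

        // After stripping directories the name may be empty or a bare "." / "..";
        // neither is a usable file name, so refuse rather than guess.
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IOException("unusable display name from provider: " + displayName);
        }

        File candidate = new File(cacheDir, leaf);

        // Canonicalise both sides (resolves "..", "." and symlinks) and require
        // the candidate to sit strictly below the cache directory.
        String base = cacheDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(base)) {
            throw new IOException("path escapes cache directory: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: the app's cache directory and a display name
        // a malicious provider might return to reach the profile directory.
        File cacheDir = new File("/data/data/org.mozilla.firefox/cache");
        String hostileName = "../files/mozilla/profiles.ini";

        File bad = vulnerableTempFile(cacheDir, hostileName);
        System.out.println("vulnerable join: " + bad.getPath());
        System.out.println("vulnerable canonical: " + bad.getCanonicalPath());

        File good = hardenedTempFile(cacheDir, hostileName);
        System.out.println("hardened: " + good.getPath());

        // A benign name without slashes is unchanged by the leaf rule.
        System.out.println("benign: " + hardenedTempFile(cacheDir, "report.pdf").getPath());
    }
}
```

Run with `javac ContentUriPathCheck.java && java ContentUriPathCheck`. The vulnerable variant resolves to the profile directory's profiles.ini, while the hardened variant writes `profiles.ini` inside the cache directory; the containment check is there so that any future change to how the name is derived (for example a different separator) still cannot escape the cache directory.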

Is this ready to land in time for 75 or are there blockers?

Flags: needinfo?(petru.lingurar)

I think after discussing with @ryanvm, @snorp and @tritter we concluded that we'd best land the patch from bug 1622781 in GV also.
If it needs to be rebased and pushed against m-c I can do that.

Flags: needinfo?(petru.lingurar) → needinfo?(ryanvm)

Yes, I was assuming we were waiting on a patch for m-c still in bug 1622781. It wasn't clear to me that the ESR68 patch was meant to apply to that branch as well.

Flags: needinfo?(ryanvm)

That has now happened.

Group: mobile-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Whiteboard: [reporter-external] [client-bounty-form] → [reporter-external] [client-bounty-form][post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form][post-critsmash-triage] → [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main75+]
Whiteboard: [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main75+] → [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main75-]
Group: core-security-release