GeckoView: Directory Traversal can lead to network hijacking
Categories
(GeckoView :: General, task, P1)
Tracking
(firefox73 wontfix, firefox74 wontfix, firefox75+ fixed, firefox76+ fixed)
People
(Reporter: petru, Assigned: petru)
References
Details
(Keywords: csectype-priv-escalation, sec-high, Whiteboard: [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main75-])
Attachments
(1 file)
+++ This bug was initially created as a clone of Bug #1617928 to resolve the same issue in m-c +++
It has been found that the Firefox Android application accepts Intents from third parties. When a crafted Intent containing a URI pointing to a custom-defined ContentProvider is sent, the application queries the ContentProvider to fetch files. This allows overwriting files under the private application folder.
By exploiting this vulnerability, it is possible to overwrite /data/data/org.mozilla.firefox/files/mozilla/profiles.ini and put a user.js file into the user's directory, which can lead to network hijacking.
Vulnerability in this method:
org.mozilla.gecko.util.ContentUriUtils.getTempFilePathFromContentUri
Firefox Version: 68.5.0
Steps to reproduce:
- see the screen recording - https://drive.google.com/open?id=1q6IQP8SCcpqtUTZ-Wb6z73Y8vWcFdLzM
Comment 1•4 years ago
For loading a file exposed through a provider, Fennec will first copy the file into its cache folder (internal storage).
Tricking Fennec into thinking the file name should contain forward slashes will result in saving the file to a location other than the intended one, potentially overwriting important application data.
To mitigate this attack vector we'll always check for forward slashes in the filename and, if present, always keep just the leaf.
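A hardened version of the copy-to-cache step that comment 1 describes, as an added illustration rather than Mozilla's actual patch; the class and method names are hypothetical, and the sample names are constructed.

```java
import java.io.File;
import java.io.IOException;

/**
 * Hypothetical helper (not GeckoView code): a file exposed by a
 * ContentProvider is copied into the app's cache directory under the name
 * the provider reports. Keeping only the leaf of that name, and then
 * re-checking the resolved path, keeps the copy inside the cache directory
 * even when the provider reports a name containing path separators.
 */
public final class SafeCacheName {

    /** Returns the part after the last '/' or '\\'; null if no usable leaf remains. */
    static String leafName(String displayName) {
        if (displayName == null) {
            return null;
        }
        String leaf = displayName;
        int slash = Math.max(leaf.lastIndexOf('/'), leaf.lastIndexOf('\\'));
        if (slash >= 0) {
            leaf = leaf.substring(slash + 1);
        }
        // An empty name or a bare "." / ".." is not a valid file name.
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            return null;
        }
        return leaf;
    }

    /** Builds the target file and verifies its canonical path lies inside cacheDir. */
    static File safeCacheFile(File cacheDir, String displayName) throws IOException {
        String leaf = leafName(displayName);
        if (leaf == null) {
            return null;
        }
        File target = new File(cacheDir, leaf);
        String base = cacheDir.getCanonicalPath() + File.separator;
        // Defence in depth: confirm containment even after the leaf was extracted.
        if (!target.getCanonicalPath().startsWith(base)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File cache = new File(System.getProperty("java.io.tmpdir"), "gv-cache");
        // Constructed provider-reported names: one traversal-style, one ordinary, one with no leaf.
        System.out.println(safeCacheFile(cache, "../files/mozilla/profiles.ini"));
        System.out.println(safeCacheFile(cache, "report.pdf"));
        System.out.println(safeCacheFile(cache, "docs/../.."));
    }
}
```

The first call lands in gv-cache/profiles.ini rather than the profile directory, and the last yields null because nothing usable remains after the final separator.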
Comment 2•4 years ago
Is this ready to land in time for 75 or are there blockers?
Comment 3•4 years ago
I think after discussing with @ryanvm, @snorp and @tritter we concluded that we'd best land the patch from bug 1622781 in GV also.
If it needs to be rebased and pushed against m-c I can do that.
Comment 4•4 years ago
Yes, I was assuming we were waiting on a patch for m-c still in bug 1622781. It wasn't clear to me that the ESR68 patch was meant to apply to that branch as well.
Comment 5•4 years ago
That has now happened.