Closed Bug 1636882 Opened 5 years ago Closed 5 years ago

Directory Transversal // access arbitrary local file // directory scaling

Categories

(Firefox for Android Graveyard :: General, defect)

Firefox 68
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1636877

People

(Reporter: jesuser14, Unassigned)

Attachments (3 files)

2.21 MB, video/mp4
120.72 KB, application/octet-stream
694.83 KB, application/octet-stream
Attached video firefoxTransv.mp4

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Steps to reproduce:

1- Download the application from Google Play, https://play.google.com/store/apps/details?id=org.mozilla.firefox

2- I passed it to my pc using ADB

3- for a user without privileges to access the folder of the app, use the following app and once extracted, save it in the sdcard to use ADB and extract it with the following command adb pull /sdcard/name.apk.

4- I use the Jadx-gui or apktool tool to only analyze the AndroidManifest.xml file.

5- the following activity org.mozilla.gecko.LauncherActivity is the one that allows me to do the directory traversal regardless of the directory that I put, the command used is:
  
   adb shell am start -n org.mozilla.firefox/org.mozilla.gecko.LauncherActivity -d "'file:///data/data/com.transsion.phoenix/app_webview/Default/../../../../../etc/shadow'"

   (you can see I'm using the directory of another app.)

6- I made several tests to verify if I could download the cookies and I had no luck. the command used is:

   adb shell am start -n org.mozilla.firefox/org.mozilla.gecko.LauncherActivity -d "'file:///data/data/com.transsion.phoenix/app_webview/Default/Cookies'"

7- verify using the following command: javascript: //example.com&0A alert (1); and I did not exist.
8- file:///data/data/org.mozilla.firefox/files/fxa.account.json In the following file I was able to see sensitive data from my account in plain text.

My device is a Motorola Moto E5 Play
version 8.1.0
build number: OPGS28.54-53-8-15

PS: For the effectiveness of this, it should be noted that the application must be in the background or closed. If the application is in the foreground it will not work, although it is registered in logcat.

Actual results:

I do not perform the verification of the uri and charge the request of the same allowing access and control of the files that contain passwords, groups, information of the system in general etc.

once registered in my firefox account I could see in plain text information of the account and the token. this involves several vulnerabilities. exposure of sensitive data and cross directory or directory tour.

Expected results:

he should have disinfected the uri.
I only restricted files from other apps from the rest I have access.

Attached file poc1.jpeg
Attached file nav.mp4

This bug is part of a group of bugs in a security or private group which have the old default Severity of normal which has not been changed, and the default priority of --. This indicates that this bug's Severity should be set to -- so it will show up in triage lists.

Trying to set that severity again.

Severity: normal → --

I marked this as a duplicate of 1636877

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Product: Firefox for Android → Firefox for Android Graveyard
Group: mobile-core-security
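
The report's expected result is that the URI handed to the exported activity be sanitized before it is loaded. One way to express that check, as an added example (not code from this bug or from Firefox); the class name, the allowlisted directory and the policy of rejecting every scheme other than http, https and file are assumptions:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class IntentUriGuard {
    // Assumption: the only local directory an external caller may open.
    static final Path ALLOWED_ROOT = Paths.get("/sdcard/Download");

    /** True only if a URI received in an external intent is safe to load. */
    static boolean isLoadable(String raw) {
        if (raw == null) return false;
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false; // malformed input is rejected, never repaired
        }
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        if (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https")) {
            return uri.getHost() != null;
        }
        if (!scheme.equalsIgnoreCase("file")) {
            return false; // javascript:, content:, intent: and the rest
        }
        String path = uri.getPath(); // percent-decoded; null for opaque URIs
        if (path == null) return false;
        try {
            // Lexically collapse "." and ".." before the allowlist comparison.
            // Before opening a real file, also resolve symlinks (toRealPath()).
            Path resolved = Paths.get(path).normalize();
            return resolved.startsWith(ALLOWED_ROOT);
        } catch (InvalidPathException e) {
            return false; // e.g. an embedded NUL from %00
        }
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs; 2 and 3 follow the report's steps 8 and 5
            "file:///sdcard/Download/report.pdf",
            "file:///data/data/org.mozilla.firefox/files/fxa.account.json",
            "file:///data/data/com.transsion.phoenix/app_webview/Default/../../../../../etc/shadow",
            "file:///sdcard/Download/../../data/data/org.mozilla.firefox/files/fxa.account.json",
            "https://example.com/",
        };
        for (String s : samples) System.out.println(isLoadable(s) + "  " + s);
    }
}
```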