Closed Bug 1637903 Opened 5 years ago Closed 5 years ago

You can access Firefox's /dev/fd/ file descriptors from the URL bar

Categories: Firefox :: Untriaged, defect, 76 Branch

Status: RESOLVED INVALID

People: Reporter: abmajid.majid, Unassigned, NeedInfo

Details

Attached file 89

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

Running on the latest Firefox browser, that is 76.0.1 (64-bit).
Just by visiting "file:///dev/fd/89" in the URL, a memory file gets downloaded, which I have attached below. Initially I was wondering what file that is, so I dug into that file (filename 89) with the cat and string commands. I saw all SSL links and visited site links in clear text, and there is a huge bunch of unreadable ASCII characters. I loaded the file "89" with Ghidra to see what is there; I can just view hexadecimal numbers in it. I am not sure which part of memory got leaked and why it is throwing that file. I am a bit of a noob in debugging a computer browser, but a potential hacker can exploit this situation.
I have also seen that if I change the file name to file:///dev/fd/61, I see a very unusual line which has some socket line on it (/dev/fd/socket:[146987]%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5%E5). I tried with different numbers and got different results.
One more thing: if you run the same link again it will not work; we need to open it in a private browser to get the file again.
It is not working on Google Chrome. However, in the Android Firefox browser I am seeing the same issue.

Actual results:

Memory gets downloaded from the URL.

Expected results:

I don't think this leak file should be accessed by anyone. It has a huge potential to hijack the browser with root privilege.

(In reply to abmajid.majid from comment #0)

> It is not working on Google Chrome.

What happens instead, when you put any of the file:///dev/fd/ items in the URL bar in chrome?

(In reply to abmajid.majid from comment #0)

> I don't think this leak file should be accessed by anyone. It has a huge potential to hijack the browser with root privilege.

They're file descriptors, they are per-program (see some of the answers at https://unix.stackexchange.com/questions/74454/somethings-special-about-dev-fd-3 ), and websites cannot open (any) file: links directly anyway. I don't understand what you believe "root privilege" has to do with anything you described - Firefox is able to access file descriptors it has opened itself, nothing more. This is also not a "memory leak". It's likely one of the file descriptors you checked points at cache/history/cookie data which we have open.

Flags: needinfo?(abmajid.majid)
Summary: In the url bar there is a memory leakage → You can access Firefox's /dev/fd/ file descriptors from the URL bar

I'm hiding the attachment because it almost certainly has private information in it.

Websites can't open file: links, and files (if you've downloaded an HTML page with script) can't read the content of other files. If you want to browse to your own files on disk there's no harm here. On Unix systems all kinds of things are logical files but it's not always smart to open them. I suppose we could try to protect users from themselves by blocking some of the special directories like /dev/?

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
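
The point made in the replies above, that /dev/fd entries are per-process and only expose what the process itself already has open, can be checked with the following added example (not part of the bug report and not Firefox code). It assumes Linux, where /dev/fd is a symlink to /proc/self/fd; the temporary file, its contents and all function names are constructed for the illustration.

```python
import os
import socket
import subprocess
import sys
import tempfile

FD_DIR = "/dev/fd"  # assumption: Linux, where this links to /proc/self/fd

def kind(target):
    """Classify a readlink() result taken from /dev/fd."""
    head = target.split(":", 1)[0]
    return head if head in ("socket", "pipe", "anon_inode") else "file"

def own_fds():
    """Map every descriptor open in THIS process to what it refers to."""
    fds = {}
    for name in os.listdir(FD_DIR):
        try:
            fds[int(name)] = os.readlink(os.path.join(FD_DIR, name))
        except OSError:
            pass  # the descriptor listdir() itself used is already closed
    return fds

def child_view(fd):
    """Ask a separate process what ITS /dev/fd/<fd> refers to."""
    code = ("import os\n"
            "try: print(os.readlink('/dev/fd/%d'))\n"
            "except OSError: print('absent')" % fd)
    done = subprocess.run([sys.executable, "-c", code],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()

def demo():
    """Open a file and a socket, then look at them through /dev/fd."""
    data = b"constructed sample: https://example.test/visited\n"
    with tempfile.NamedTemporaryFile() as cache, socket.socket() as sock:
        os.write(cache.fileno(), data)
        fds = own_fds()
        with open("%s/%d" % (FD_DIR, cache.fileno()), "rb") as again:
            reread = again.read()  # same bytes the process already holds
        return {
            "file_target": fds[cache.fileno()],
            "file_path": os.path.realpath(cache.name),
            "socket_kind": kind(fds[sock.fileno()]),
            "reread": reread,
            "child": child_view(cache.fileno()),
        }

if __name__ == "__main__":
    print(demo())
```

The same descriptor number in the child process does not resolve to the parent's file, which is why a different program (or a different Firefox session) sees different content, or nothing, behind the same /dev/fd number.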