TALOS-2020-1088 Mozilla Firefox URL mPath
Categories: Core :: Networking, defect, P1
People: Reporter: vulndev, Assigned: valentin
Keywords: csectype-bounds, sec-high
Whiteboard: [necko-triaged][adv-main78+][adv-esr68.10+][sec-survey]
Attachments (5 files, 1 obsolete file):
- 722 bytes, text/html
- 32.20 KB, text/plain
- 47 bytes, text/x-phabricator-request (jcristau: approval-mozilla-beta+; jcristau: approval-mozilla-esr68+; dveditz: sec-approval+)
- 497 bytes, text/html
- 213 bytes, text/plain
Description
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15
Steps to reproduce:
Summary
An information disclosure vulnerability exists in the URL mPath functionality of Mozilla Firefox Firefox Nightly Version 78.0a1 x64 and Firefox Release Version 76.0.2 x64. A specially crafted URL object can cause an out-of-bounds read. An attacker can visit a webpage to trigger this vulnerability.
Tested Versions:
Mozilla Firefox Firefox Nightly Version 78.0a1 x64
Mozilla Firefox Firefox Release Version 76.0.2 x64
Actual results:
Please review attached advisory and poc file
Expected results:
Please review attached advisory and poc file
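The advisory and proof-of-concept are attachments that do not appear on this page, so the mechanics of the Firefox bug are not reproduced here. As an added illustration, not Firefox code and not the reporter's PoC, the hypothetical C record below shows the bug class the summary names (an out-of-bounds read from a URL object whose path segment record no longer matches its spec buffer) next to an accessor that does what the fix title suggests: it bounds the path by the query and ref segments when they are present and validates every segment against the buffer before any copy. All names here (Url, Segment, path_len_unchecked, path_len_checked, copy_path, the sample URLs) are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical segment-based URL record: each component is a (pos, len)
 * pair into one spec buffer. Illustration only, not Firefox's URL class. */
typedef struct { int32_t pos; int32_t len; } Segment;   /* len < 0: absent */
typedef struct {
    const char *spec;        /* not assumed to be NUL terminated */
    size_t      spec_len;
    Segment     path, query, ref;
} Url;

/* Unchecked accessor: trusts the recorded path length. If the record is
 * stale (a setter shrank the spec without updating the segment), a caller
 * copying this many bytes from spec + path.pos reads past the buffer. */
static size_t path_len_unchecked(const Url *u) {
    return (size_t)u->path.len;
}

/* Checked accessor: derive the path's end from the query and ref segments
 * when they are present (the '?' / '#' sits one byte before each), else
 * from the spec length, and verify every segment against the buffer.
 * Returns -1 for an inconsistent object instead of an over-long extent. */
static long path_len_checked(const Url *u) {
    if (u->path.pos < 0 || (size_t)u->path.pos > u->spec_len) return -1;
    size_t end = u->spec_len;
    if (u->query.len >= 0) {
        if (u->query.pos < 1 ||
            (size_t)u->query.pos + (size_t)u->query.len > u->spec_len) return -1;
        if ((size_t)u->query.pos - 1 < end) end = (size_t)u->query.pos - 1;
    }
    if (u->ref.len >= 0) {
        if (u->ref.pos < 1 ||
            (size_t)u->ref.pos + (size_t)u->ref.len > u->spec_len) return -1;
        if ((size_t)u->ref.pos - 1 < end) end = (size_t)u->ref.pos - 1;
    }
    if ((size_t)u->path.pos > end) return -1;
    long len = (long)(end - (size_t)u->path.pos);
    /* the recorded path length must agree with what the layout implies */
    if (u->path.len >= 0 && (long)u->path.len != len) return -1;
    return len;
}

/* Copy the path into out, NUL terminated. Returns bytes copied or -1. */
static long copy_path(const Url *u, char *out, size_t out_cap) {
    long n = path_len_checked(u);
    if (n < 0 || (size_t)n + 1 > out_cap) return -1;
    memcpy(out, u->spec + u->path.pos, (size_t)n);
    out[n] = '\0';
    return n;
}

/* Constructed samples; positions index into the literal spec strings. */
static const char kFull[] = "https://example.test/a/b?x=1#top";
static const char kBare[] = "https://example.test/a/b";

static Url consistent_url(void) {
    /* path "/a/b" at 20, query "x=1" at 25 (after '?' at 24), ref "top" at 29 */
    Url u = { kFull, sizeof kFull - 1, {20, 4}, {25, 3}, {29, 3} };
    return u;
}
/* Same spec, but the path record claims 4096 bytes: the stale case. */
static Url stale_url(void) {
    Url u = consistent_url();
    u.path.len = 4096;
    return u;
}
/* No query or ref: the path runs to the end of the spec. */
static Url bare_url(void) {
    Url u = { kBare, sizeof kBare - 1, {20, 4}, {-1, -1}, {-1, -1} };
    return u;
}

int main(void) {
    char buf[64];
    Url good = consistent_url(), bad = stale_url();
    long n = copy_path(&good, buf, sizeof buf);
    printf("unchecked stale length: %zu\n", path_len_unchecked(&bad));
    printf("checked stale length:   %ld\n", path_len_checked(&bad));
    printf("checked good path:      %ld -> %s\n", n, buf);
    return 0;
}
```

The point of the checked accessor is that it never trusts a single stored length: the extent is recomputed from the neighbouring segments and the buffer size, and any disagreement is reported rather than used as a memcpy length.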
Comment 1•4 years ago
Valentin, can you take a look?
Comment 2 (Reporter)•4 years ago
Resubmitting advisory
Comment 5•4 years ago
Attached testcase for use with bugmon.
Comment 6•4 years ago
Bugmon Analysis: Bug filed against non-supported branch (76). Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 7 (Assignee)•4 years ago
Comment on attachment 9152632 [details]
Bug 1641303 - Use query and ref lengths if available r=mayhemer
Security Approval Request
- How easily could an exploit be constructed based on the patch?: A close look at the patch will indicate the likely source of the bug. Constructing an exploit isn't trivial but a dedicated attacker can probably figure it out.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Applies cleanly on esr68
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to create regressions. Manual testing not needed, as automated testing should cover it.
Comment 8•4 years ago
Comment on attachment 9152631 [details]
Bug 1641303 - Testcase
This testcase gives the game away: I want to give an explicit sec-approval-minus to make it clear not to land this until after the fix is shipped. I set in-testsuite? as a reminder, or you could file a follow-up "land the test" bug if that fits your workflow better.
Comment 9•4 years ago
Comment on attachment 9152632 [details]
Bug 1641303 - Use query and ref lengths if available r=mayhemer
I think this is more obvious and easy to exploit than you're estimating. We should not land this until closer to shipping Firefox 78, say June 16 or later.
Comment 10•4 years ago
If I increase the leak size in the testcase (say by 10 or 100 times) I'm more likely to get a crash, and it consistently looks like bp-61e8b1c5-d8a5-4c21-8d16-51cf00200608 -- we can watch for this signature to see if anyone's playing with this. So far I only see my two crashes. If we start to see that we might need to chemspill an out-of-cycle 77.0.x release.
Comment 11 (Reporter)•4 years ago
As soon as you have an exact date/timeframe or can confirm the fix in the next version, please let us know so we can coordinate disclosure on our end. Is there a CVE assigned/reserved for this issue?
(In reply to Daniel Veditz [:dveditz] from comment #9)
Comment on attachment 9152632 [details]
Bug 1641303 - Use query and ref lengths if available r=mayhemer
I think this is more obvious and easy to exploit than you're estimating. We should not land this until closer to shipping Firefox 78, say June 16 or later.
Comment 12•4 years ago
This may already be happening more than we realize. I've added another signature that I think has the same root cause. This was uncovered by work jkratzer has done.
Comment 13•4 years ago
(In reply to Cisco Talos from comment #11)
As soon as you have an exact date/timeframe or can confirm the fix in the next version, please let us know so we can coordinate disclosure on our end. Is there a CVE assigned/reserved for this issue?
We're tracking this for Firefox 78, which will be released on June 30th, but the code has not yet landed in the branch.
We usually do not assign CVEs until the week before release. Does that work for you?
Comment 14 (Reporter)•4 years ago
That works for us, we'll aim for a June 30th release of our advisory and will look in the bug for the CVE on June 23rd.
Comment 15•4 years ago
(In reply to Cisco Talos from comment #14)
That works for us, we'll aim for a June 30th release of our advisory and will look in the bug for the CVE on June 23rd.
To clarify, it will happen the week before release, but likely not on the 23rd. You will get an email when we assign a CVE to this bug.
Comment 18•4 years ago
Comment on attachment 9152632 [details]
Bug 1641303 - Use query and ref lengths if available r=mayhemer
sec-approval+
Comment 19•4 years ago
https://hg.mozilla.org/integration/autoland/rev/8150a441755b5f616e8bbd8ffc9d05436109fbf6
Please nominate this for Beta and ESR68 approval when you get a chance. It grafts cleanly to both as-landed.
Comment 20 (Assignee)•4 years ago
Comment on attachment 9152632 [details]
Bug 1641303 - Use query and ref lengths if available r=mayhemer
Beta/Release Uplift Approval Request
- User impact if declined: Out of bounds read-write.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fix addresses a correctness problem. Code is covered by unit tests and fuzzed regularly.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: Out of bounds read-write.
- Fix Landed on Version: 79
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fix addresses a correctness problem. Code is covered by unit tests and fuzzed regularly.
- String or UUID changes made by this patch:
Comment 21•4 years ago
https://hg.mozilla.org/integration/autoland/rev/8150a441755b5f616e8bbd8ffc9d05436109fbf6
https://hg.mozilla.org/mozilla-central/rev/8150a441755b
Comment 22•4 years ago
Comment on attachment 9152632 [details]
Bug 1641303 - Use query and ref lengths if available r=mayhemer
approved for 78.0b9 and 68.10
Comment 23•4 years ago
uplift
Comment 24 (Assignee)•4 years ago
(In reply to Julien Cristau [:jcristau] from comment #23)
https://hg.mozilla.org/releases/mozilla-beta/rev/ca175625c195
Did it also land on esr?
Comment 25 (Assignee)•4 years ago
Ah, nevermind, I just noticed 78 is esr 🙂
Comment 26•4 years ago
uplift
Comment 27•4 years ago
There are two ESRs now and for the next quarter.
Comment 28•4 years ago
Reproduced the issue on Beta 78.0b6 and Nightly 79.0a1, Build ID 20200611093454 with Mac OS 10.13.
Verified as fixed on Windows 10, MacOS 10.13 and Ubuntu 18.04 with Firefox 78 RC, Nightly 79.0a1 build ID 20200623034439, ESR 78.0esr Build ID 20200623021425, ESR 68.10.0esr Build ID 20200622191537.
Comment 30•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 31 (Assignee)•4 years ago
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #30)
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Done.