Download Feature: unicode RTLO char can fake the file extension
Categories
(Firefox for iOS :: General, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| fxios | 28 | --- |
People
(Reporter: knight11070, Assigned: garvan)
References
Details
(Keywords: csectype-spoof, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(13 files)
|
127 bytes,
application/x-msdownload
|
Details | |
|
167.83 KB,
image/png
|
Details | |
|
165.51 KB,
image/png
|
Details | |
|
158.35 KB,
image/png
|
Details | |
|
46.06 KB,
image/jpeg
|
Details | |
|
8.43 KB,
image/png
|
Details | |
|
1.84 MB,
video/quicktime
|
Details | |
|
597.07 KB,
video/mp4
|
Details | |
|
336.14 KB,
video/mp4
|
Details | |
|
41.33 KB,
image/png
|
Details | |
|
136 bytes,
application/x-zip-compressed
|
Details | |
|
453.14 KB,
image/png
|
Details | |
|
226 bytes,
text/plain
|
Details |
Simulator Screen Shot - iPhone 8 - 2020-06-29 at 11.38.27.png
Summary:
I have found a vulnerability of RTLO in RTLO in firefox browser’s download feature
Step to Reproduce:
1. Change the filename to: malicious<RTLO_Char><fake_ext>.<real_ext>
For example: regedt<RTLO>jpg.exe
2. When the browser download feature fails to to parse the character perfectly, the filename will be changed to regedtexe.jpg
Impact:
There isn't a good way to utilize to cause a damage in ios, but the vulnerability is there for unkonwn Subsequent attack
system detail:
firefox 27.0(18428)
OS iphone 13.5.1
The Reference:
1. opera Mini for Android(CVE-2019–18624): http://www.firstsight.me/2019/10/illegal-rendered-at-download-feature-in-several-apps-including-opera-mini-that-lead-to-extension-manipulation-with-rtlo/
2. Zero-day vulnerability in Telegram:https://securelist.com/zero-day-vulnerability-in-telegram/83800/
3. hackerone RTL override symbol not stripped from file names https://hackerone.com/reports/298
4. the rtlo info : https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/
|
||
Updated•4 years ago
|
I checked all three test cases here: https://hackerone.com/reports/298
None repro'd the bug described. See the three screenshots attached.
Please provide a test case that shows the bug thanks.
Maybe hackerone do some filter to the file
I share a google drive file
https://drive.google.com/file/d/1e-uA9ipCdKdzpD9DSnua2ZQiM5bo0NEp/view?usp=sharing
|
Assignee | |
Comment 10•4 years ago
|
||
I see, the file regedt%E2%80%AEgpj.apk downloads as regedtkpa.jpg. I agree naming this according to the name of the file in the URL is a better approach in case someone discovers an exploit using this. What iOS does right however is that the filename doesn't change from what is presented to the user to what is downloaded to disk.
I think for this attack to work on iOS the name would have to change at some point in the process, as the change in the name is a key step to fool the user; I don't actually see how that could be performed in this flow.
In the provided example, is this different than if the attacker named the '.apk' file as a '.jpg'? Wouldn't that produce the exact same result on iOS?
The attacks in the description involve the file presented to the user as one filetype, and then opening as a different type after downloading. Can that happen on iOS? I am not seeing that.
I attached a video showing the flow, and the name behaving consistently during the flow.
|
Reporter | |
Comment 11•4 years ago
|
||
Sorry for I don't approve with you opinion,
for this provided example, Only victim will mistake it's a jpg, But the ios system handle it with apk(because it's real apk file, just like a jpg).(Sorry for the platform, it doesn't execute the apk install)
I will provide another video, that the suffix the file is jpg, but actually the system recoginze it's real suffix zip
And I provide a video that chrome download and recoginze the file real suffix and display for compare
As for the platform, I tried the PC Firefox browser, it actions good that it rename the file as it's real file type(suffix) that just in keeping with the OS(that execute as the suffix name)
As for the andriod, sorry for I don't have a andriod phone beside me, I will test it as soon as possible
The example file :
https://docs.google.com/uc?export=download&id=19aFY5gS7gZLi9nnMLUXtd2ryaciQnzkM
|
|
Reporter | |
Comment 12•4 years ago
|
||
when use firefox download the zip file, the firefox for ios will display it's a jpg, But the system and browser recognize it's a real zip archive, and action as it's a archive (the origin format)
|
|
Reporter | |
Comment 13•4 years ago
|
||
The behaivor of chrome for ios, it would rename the file as it's real suffix name(type)
|
|
Reporter | |
Comment 14•4 years ago
|
||
The behaivor of Firefox for PC browser, it would rename and display as it's real suffix name
|
|
Reporter | |
Comment 15•4 years ago
|
||
the zip archive file: realzipgpj.zip
As you can see the platform display as it's real type
|
|
Reporter | |
Comment 16•4 years ago
|
||
I tried firefox for Android 68.9.0
It display and change the RTLO file to the true suffix
I also tried other firfox product just like firefox Lite, it mistake and display the wrong suffix within short download link, I submit another report at https://bugzilla.mozilla.org/show_bug.cgi?id=1649161.
|
|
Reporter | |
Comment 17•4 years ago
|
||
Firefox for Android 68.9.0 display and rename the file security
|
|
Reporter | |
Comment 18•4 years ago
|
||
Hi,Is there any update
|
||
Comment 19•4 years ago
|
||
Hi, I have tried this one on both Brave and Opera touch and they also allow user to download file as whats described in the extension.
Not sure if I full understand but to me if I rename my file extension from an .mkv file to .mp4 then I'd download it as an .mp4 (That's how desktop browser also works)
|
|
||
Comment 20•4 years ago
|
||
I have few question(s)
a) If we were to change the extension name our self to reflect whats real then wouldn't that mean Firefox iOS is meddling with the file?
b) And say for sec reason we do change it then wouldn't that confuse the user as they are presented with some file but now in their downloads its different?
|
|
Reporter | |
Comment 21•4 years ago
|
||
(In reply to Nishant Bhasin from comment #20)
I have few question(s)
a) If we were to change the extension name our self to reflect whats real then wouldn't that mean Firefox iOS is meddling with the file?
b) And say for sec reason we do change it then wouldn't that confuse the user as they are presented with some file but now in their downloads its different?
a)I think change the extension name to relect whats real doesn't mean medding with the file. It exposes the real extension name that user can do what they really want to do other than frauded to do. The user can avoid take wrong action because the RTLO illusory visual effect.
b) I don't think this is a problem Just like the Firefox for PC and Firefox for Andriod that change the '<RTLO_Char>' to '_'
the behavior of firefox for Andriod : https://bug1649160.bmoattachments.org/attachment.cgi?id=9160293&t=PS55KmgVKVoJSgv6l7o6Nr
the behavior of firefox for PC : https://bug1649160.bmoattachments.org/attachment.cgi?id=9160262&t=Hb3tkuPFYY4IVyHRVjB3ip
|
|
Reporter | |
Comment 22•4 years ago
|
||
(In reply to Nishant Bhasin from comment #19)
Hi, I have tried this one on both Brave and Opera touch and they also allow user to download file as whats described in the extension.
Not sure if I full understand but to me if I rename my file extension from an .mkv file to .mp4 then I'd download it as an .mp4 (That's how desktop browser also works)
I think there is something wrong,
- the file name: malicious<RTLO_Char><fake_ext>.<real_ext> . The system will handle as it's real suffix name real_ext, For example: regedt<RTLO>jpg.exe
- But it looks that regedtexe.jpg , it's real suffix name is exe. The system will action as it's the exe. The user will mistake it's a jpg, when they download something.
there has similarities to the Address Bar Spoofing As you can see:https://www.rafaybaloch.com/2017/06/google-chrome-firefox-address-bar.html
And the Opera(desktop browser) also change the name :
you can use the file :https://drive.google.com/file/d/1e-uA9ipCdKdzpD9DSnua2ZQiM5bo0NEp/view
the real plain name: regedt<RTLO>jpg.exe
the name with special char display: regedtgpj.exe
downloaded:regedt_gpj.apk
you can copy the string and rename a exe extension file in windows that looks like a jpg with system execute as a exe:
regedtgpj.exe
and try to taste the strangeness of the string
|
|
Assignee | |
Comment 23•4 years ago
•
|
||
PR: https://github.com/mozilla-mobile/firefox-ios/pull/6942
Security Peers: I don't see on iOS how this is a particularly useful exploit due iOS file handling restrictions built-in to the OS. Android is less restrictive and can do things like install APKs and such, I don't see anything analogous to this on iOS.
|
|
Reporter | |
Comment 24•4 years ago
|
||
I agree with you to some extent
I found another similar flaw in Firefox Lite for Andriod that would do things like install APKs , I think the vulnerability is sec-high as spoofing the full URI and I submit the report in https://bugzilla.mozilla.org/show_bug.cgi?id=1649161. Would you like to merge the reports?
|
|
Assignee | |
Comment 25•4 years ago
|
||
Android apps are an unrelated codebase, this bug will be kept iOS-only.
|
|
Assignee | |
Comment 26•4 years ago
|
||
|
||
Comment 27•4 years ago
|
||
The severity field is not set for this bug.
:garvan, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
Reporter | |
Comment 29•4 years ago
|
||
(In reply to :garvan from comment #28)
putting in your ni queue for a CVE
Hi, if I have some opportunity to be Hall of Fame,I want to use this name
Xiong Xiao of Qihoo 360 CERT
|
|
Assignee | |
Comment 31•4 years ago
|
||
Hopefully it is ok i am setting this keyword to sec-low, the sec advisory script won't run without the keyword being set.
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Comment 32•4 years ago
|
||
This bug doesn't meet the severity criteria for our bug bounty program
|
||
Updated•4 years ago
|
|
|
||
Updated•3 years ago
|
Description
•