Illegal Rendered at Download Feature in Firefox Lite for Android that Lead to Extension Manipulation (with RTLO)
Categories: Emerging Markets Graveyard :: Security: Firefox Lite, task
Tracking: (Not tracked)
People: Reporter: knight11070, Assigned: st3fan
Keywords: csectype-spoof, reporter-external, sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 4 files
Summary:
I have found an RTLO vulnerability in the download feature of Firefox Lite for Android.
Steps to Reproduce:
1. Change the filename to: malicious<RTLO_Char><fake_ext>.<real_ext>
For example: regedt<RTLO>jpg.apk
2. When the browser download feature fails to parse the character perfectly, the filename will be changed to regedtgpj.apk
Impact:
The user will download the .apk file, but the file will be saved as jpg. Again, when the user wants to open the downloaded file, the file will be executed as .apk and will try to install the program (original format).
System info:
Firefox Lite 2.1.17
WebView version: 55.0.2883.91
OS: Android, HUAWEI
References:
1. Opera Mini for Android (CVE-2019-18624): http://www.firstsight.me/2019/10/illegal-rendered-at-download-feature-in-several-apps-including-opera-mini-that-lead-to-extension-manipulation-with-rtlo/
2. Zero-day vulnerability in Telegram: https://securelist.com/zero-day-vulnerability-in-telegram/83800/
3. HackerOne, RTL override symbol not stripped from file names: https://hackerone.com/reports/298
4. RTLO info: https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/
Sorry for the mistake. When the browser download feature fails to parse the character perfectly, the filename will be changed to ******* regedtgpj.apk
The suffix name is jpg, just like a graph, but it's an apk file.
Do you need any information or detail?
I am willing to help.
I have found that Firefox Lite 2.1.17 for Android will rename the file securely when the download link is too long,
but it displays and handles the RTLO file in a short link.
With my own host drive and a short download link, it will display as a jpg file that is actually an apk file.
With a Google Drive file with a long download link, it will rename the file with the real suffix name.
In that situation its behavior is good.
Comment 7•5 years ago
:maliu / :jcheng, can you check this is on someone's radar? Thanks.
(In reply to superxx from comment #0)
Created attachment 9160089 [details]
regedtgpj.apk
(In reply to superxx from comment #8)
Hi, is there any update?
Comment 10•5 years ago
Thanks for the report. Looking at it now.
Comment 11•5 years ago
Thank you superxx for filing this issue.
We will put this into backlog and deal with it in the coming sprints.
Tracking link on GitHub is here: https://github.com/mozilla-tw/FirefoxLite/issues/5238
Comment 12•5 years ago (Reporter)
Hi, have you completed the investigation and the vulnerability confirmation, or is there any update?
Comment 13•5 years ago (Reporter)
I think it is worth a sec-moderate; it will lure the user to download an apk file and install it, other than on iOS.
There is a similar case with Opera:
Opera Mini for Android (CVE-2019-18624): http://www.firstsight.me/2019/10/illegal-rendered-at-download-feature-in-several-apps-including-opera-mini-that-lead-to-extension-manipulation-with-rtlo/
Comment 14•4 years ago (Assignee)
:superxxx sorry for the late response - would you mind providing the exact character sequence that will trigger this bug? It is unclear if this is fixed in Firefox Lite, so I would like to confirm that first. Or would you mind confirming this against the just released version 2.6.0?
Comment 15•4 years ago (Reporter)
You can copy and test the character sequence just like this:
realapk_gpj.apk
It's an apk file.
I will test and reply in the next 24 hours.
Comment 16•4 years ago (Assignee)
For reference, this is realapk_<202e>gpj.apk
Comment 17•4 years ago (Reporter)
If you press and hold, the file name will be
realapk_<202e>gpj.apk
But if you press, the button text or the download page will display
regedt_kpa.jpg
Maybe there is some problem.
Comment 18•4 years ago (Assignee)
Just a heads up that we're working on a fix for this issue.
Comment 19•4 years ago (Assignee)
This patch removes unicode control characters when these filenames are displayed in the UI. Both in the downloads list and in the toast that tells you the download is finished.
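The spoof the report describes (a U+202E right-to-left override making `realapk_<202e>gpj.apk` display as `realapk_kpa.jpg`) and the fix described in comment 19 (stripping Unicode control characters before a filename is shown in the UI), as an added Python example. This is not code from the report or from the Firefox Lite project. The sample filename is constructed from comment 16, `rendered_view` is a deliberately simplified stand-in for the Unicode Bidirectional Algorithm, and the function names are my own.

```python
import os
import unicodedata

# Unicode bidi control characters: they change how a string is displayed
# without changing the bytes the file system or the package installer sees.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                      # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"    # LRE, RLE, PDF, LRO, RLO (U+202E is the one in this report)
    "\u2066\u2067\u2068\u2069"          # LRI, RLI, FSI, PDI
)

# Constructed sample, taken from comment 16: "realapk_<202e>gpj.apk"
SAMPLE_NAME = "realapk_\u202egpj.apk"


def find_bidi_controls(name):
    """Return (index, 'U+XXXX') for each bidi control character in name."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(name) if c in BIDI_CONTROLS]


def rendered_view(name):
    """Approximate what a bidi-unaware viewer shows.

    Text after an RLO (U+202E) is drawn right-to-left, i.e. reversed, until a
    PDF (U+202C) or the end of the string. This is a simplification of the
    Unicode Bidirectional Algorithm (assumption: it is enough to reproduce the
    'gpj.apk' -> 'kpa.jpg' effect from the report, not a full implementation).
    """
    out = []
    i = 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def display_name(name):
    """The approach comment 19 describes: drop control (Cc) and format (Cf)
    characters before showing a filename in the UI. All bidi controls are Cf."""
    return "".join(c for c in name if unicodedata.category(c) not in ("Cc", "Cf"))


def assess(name):
    """Compare the extension a user would see with the one the OS will act on."""
    real_ext = os.path.splitext(name)[1].lower()
    apparent_ext = os.path.splitext(rendered_view(name))[1].lower()
    controls = find_bidi_controls(name)
    return {
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "bidi_controls": controls,
        "safe_display": display_name(name),
        # Any bidi control in a filename is worth flagging: it has no
        # legitimate use there, and a visible/real extension mismatch is the
        # exact condition the report exploits.
        "suspicious": bool(controls) or real_ext != apparent_ext,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NAME).items():
        print(f"{key}: {value!r}")
```

Stripping the control characters only changes what the user sees; Android still opens the file by its real extension and MIME type, which is why `assess` keys its decision on `real_ext` rather than on the rendered name. A downloads UI that wants defence in depth can refuse or rename any filename in which `find_bidi_controls` returns a non-empty list, instead of merely cleaning it for display.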
Comment 20•4 years ago (Assignee)
This will ship in the coming week or three.
Comment 21•3 years ago