Path traversal in upload feature allows internal file overwrite
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox-esr6879+ verified)
People
(Reporter: kanytu, Assigned: petru)
References
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form][adv-esr68.11+])
Attachments
(5 files)
Summary
A missing sanitisation of file names allows a malicious file picker to overwrite any file in Firefox's internal directory.
Environment
- Device: HTC m8
- OS version: Android 9
- Package name: org.mozilla.firefox
- App version: 68.10.1
Proof of concept
Pre-conditions:
- PoC installed (see attachments)
- Firefox installed
- Server running the attached HTML page (or directly open it)
Steps:
- Open the webpage containing the upload logic
- Tap Upload and choose Files
- Choose
mozillatraverse
as the file picker - Restart Firefox
- Check PoC public app directory
/sdcard/Android/app.kans.mozillatraverse/files/
Result
profile.ini
is overwritten and now points to the location of the profile to another apps directory
Expected result
There should be no private file overwrite.
Detailed explanation
When the PoC app is chosen as the picker, the following URI is returned to Firefox:
content://app.kans.mozillatraverse.provider
This URI is a content://
URI that belongs to the PoC app itself. Firefox will process this URI and queries the contents of the cursor which are:
_display name | _size |
---|---|
/../../../../../../../../../data/data/org.mozilla.firefox/files/mozilla/profiles.ini |
123 |
Firefox will create a temporary file with the contents of content://app.kans.mozillatraverse.provider
and to create this temporary file, it uses the _display_name
column to create a file with the same name.
Because the contents of this column are not sanitised, the path concatenation leads to a path traversal:
String fileName = cursor.getString(0);
//...
tempDir = FileUtils.createTempDir(cacheDir, "tmp_");
File file = new File(tempDir, fileName);
This causes the contents of profile.ini
to be overwritten with:
[Profile0]
Name=default
Default=1
IsRelative=0
Path=/../../../../../../../../../../sdcard/Android/data/app.kans.mozillatraverse/files/
[General]
StartWithLastProfile=1
After restarting Firefox, sensitive information is now stored and under controll of the malicious app.
Vulnerable code
String fileName = cursor.getString(0);
Remediation
Firefox should sanitise the contents of this column before using them:
String fileName = cursor.getString(0);
// sanitize
int index = fileName.lastIndexOf(separatorChar)
fileName = index < prefixLength ? path.substring(prefixLength) : path.substring(index + 1)
Attachments
- PoC.zip - Source code of PoC
- poc.apk - Compiled binary
- index.html - HTML file uploaded
- video.mp4 - Video showing exploit in action
Impact
A malicious file picker could deploy a targeted attack for Firefox (by calling getCallingActivity
for example) and tamper any file inside the private directory of Firefox.
In this PoC, I've changed the path of the profile to another one. Any file can be affected by this.
Reporter | ||
Comment 1•4 years ago
|
||
Reporter | ||
Comment 2•4 years ago
|
||
Reporter | ||
Comment 3•4 years ago
|
||
Reporter | ||
Comment 4•4 years ago
|
||
Video can be seen here:
https://drive.google.com/drive/folders/1T1bv__YQ91lW1JIiAZ508fKFPiYeuMNB?usp=sharing
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
At first glance this looks to be the same as Bug 1617928. Petru, can you look?
Reporter | ||
Comment 7•4 years ago
|
||
Assignee | ||
Comment 8•4 years ago
|
||
Updated•4 years ago
|
Comment 9•4 years ago
|
||
Petru, thank you for the patch. For completeness, would you mind leaving a comment here what this change does and how it remediates this attack?
Assignee | ||
Comment 10•4 years ago
|
||
Try build for testing - https://treeherder.mozilla.org/#/jobs?repo=try&revision=089fb67663cfd1774847836f62b8ce3204ee57bb
Assignee | ||
Comment 11•4 years ago
|
||
(In reply to Stefan Arentz | :st3fan | ⏰ EST | he/him from comment #9)
Petru, thank you for the patch. For completeness, would you mind leaving a comment here what this change does and how it remediates this attack?
The attack vector used here is the file name returned from the rogue provider that would contain ../
for upstream traversal.
By cleaning that filename to only get the last child from the path upstream traversal would not be possible anymore.
/../../../../../../../../../data/data/org.mozilla.firefox/files/mozilla/profiles.ini
becomes just profiles.ini
.
Comment 12•4 years ago
|
||
(In reply to Petru-Mugurel Lingurar [:petru] from comment #10)
Try build for testing - https://treeherder.mozilla.org/#/jobs?repo=try&revision=089fb67663cfd1774847836f62b8ce3204ee57bb
For future reference, please sanitize commit messages for trypushes that involve security bugs (at least don't mention the bug number or "security bug" or whatever). Yes, people watch our commits, and that includes try. There's work for a push hook to catch these cases (ie it would stop you pushing) but unfortunately it got disabled because it broke legit trypushes after people land sec bug fixes on nightly...
Where are we tracking the Fenix fix per comment #7 ? We should probably make sure they get a fix at the same time.
Assignee | ||
Comment 13•4 years ago
|
||
Added Diana and Sorina for helping us with a quick test in the case a decision to land this is made.
Updated•4 years ago
|
Comment 14•4 years ago
|
||
Thank you all for moving so quickly on this.
Comment 15•4 years ago
|
||
Tested on the try build provided here, and I can confirm the fix with LG G7 FIT (Android 8) following the steps provided and the additional pieces of information.
Comment 16•4 years ago
|
||
(In reply to :Gijs (he/him) from comment #12)
(In reply to Petru-Mugurel Lingurar [:petru] from comment #10)
Try build for testing - https://treeherder.mozilla.org/#/jobs?repo=try&revision=089fb67663cfd1774847836f62b8ce3204ee57bb
For future reference, please sanitize commit messages for trypushes that involve security bugs (at least don't mention the bug number or "security bug" or whatever). Yes, people watch our commits, and that includes try. There's work for a push hook to catch these cases (ie it would stop you pushing) but unfortunately it got disabled because it broke legit trypushes after people land sec bug fixes on nightly...
Where are we tracking the Fenix fix per comment #7 ? We should probably make sure they get a fix at the same time.
I'm working on the Fenix fix, I will that land it at the same time as the equivalent of the bug 1652364, we are tracking it here
Updated•4 years ago
|
Assignee | ||
Comment 17•4 years ago
|
||
Comment on attachment 9163237 [details]
Bug 1652360 - Sanitize file picker file names; r?snorp
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Important security issue
- User impact if declined: In a certain scenario a malicious app could overwrite Fennec's internal storage.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small change, verified by QA on a try build.
- String or UUID changes made by this patch:
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 18•4 years ago
|
||
Comment on attachment 9163237 [details]
Bug 1652360 - Sanitize file picker file names; r?snorp
Approved for Fennec 68.11.
Comment 19•4 years ago
|
||
uplift |
Updated•4 years ago
|
Comment 20•4 years ago
|
||
The AC fix has been a approved and on process to be merged it can be tracked in this pull request, Fenix will need to update to a new version of AC that contains the patch.
Comment 21•4 years ago
|
||
Verified as fixed on Fennec RC 68.11.0 with LG G7 FIT (Android 8). For the Fenix issue, we will leave a comment on bug 1652364.
Reporter | ||
Comment 22•4 years ago
|
||
Hey team,
This issue and 1652364 were already fixed in a stable channel (68.11.0, already available in Play Store). Will they be part of any security advisory?
Thanks,
Pedro
Updated•4 years ago
|
Comment 23•4 years ago
|
||
This issue and 1652364 were already fixed in a stable channel (68.11.0, already available in Play Store). Will they be part of any security advisory?
Thank you for pointing out. That was my mistake. I'll fix the advisories soon.
Updated•4 years ago
|
Updated•4 years ago
|
Comment 24•4 years ago
|
||
Comment 25•4 years ago
|
||
Should be up within a couple of hours. Let me know if you don't see them by the end of the day (CEST).
Updated•4 years ago
|
Updated•4 years ago
|
Updated•6 months ago
|
Description
•