Closed Bug 1731779 (CVE-2021-38510) Opened 3 years ago Closed 3 years ago

download protection bypass on macOS with .inetloc

Categories

(Firefox :: File Handling, defect, P1)

Product:
Firefox
Component:
File Handling
Platform:
Desktop
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
95 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 94+ verified
firefox93 --- wontfix
firefox94 + verified
firefox95 + verified

People

(Reporter: houjingyi647, Assigned: Gijs)

References

Details

(Keywords: csectype-priv-escalation, sec-moderate, sec-vector, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main94+][adv-esr91.3+])

Attachments

(3 files, 1 obsolete file)

test.inetloc
295 bytes, application/xml
Details
Bug 1731779 - r?dveditz!,dimi!
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr91+
Details | Review
advisory.txt
331 bytes, text/plain
Details
Attached file test.inetloc

firefox Version: 92.0
Operating System: macOS Big Sur, 11.5.2

Vladimir Metnew reported that .fileloc files on macOS can bypass download protection in 2019:https://bugzilla.mozilla.org/show_bug.cgi?id=1596668
However, .inetloc files are similar to .fileloc files and .inetloc is not in blacklist.
When open a .fileloc file in firefox, firefox will warn:" 'test.fileloc' is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch 'test.fileloc'? "
But when open a .inetloc file in firefox there is no warning and attacker may execute arbitrary commands.
I provided a test.inetloc which can open calc for test.

Flags: sec-bounty?

https://drive.google.com/drive/folders/1HW7iHrsBeL3J-ACt9mm2Ct13qXN1PrCk?usp=sharing

I also recorded a video and you can see how fiefox handle .inetloc and .fileloc differently.

Status: UNCONFIRMED → NEW
Type: task → defect
Component: Security → File Handling
Ever confirmed: true
OS: Unspecified → macOS
Hardware: Unspecified → Desktop

This is only a thing because Apple didn't lowercase file:// before doing their checks on inetloc files, right? (cf. https://www.tomsguide.com/uk/news/macos-finder-inetloc-flaw )

That doesn't seem like something for which we should add warnings to all inetloc files now; it'd just be a patch race between us and Apple - but adding this executable warning to the file would be inaccurate in the vast majority of cases (ie non-file:// inetloc files) and isn't that likely to help protect users (if they were gonna click on it anyway...), and only appears if opened from Firefox (not if opened from Finder or other applications). So my impression is that Firefox is not the right place to fix this issue. Dan?

Flags: needinfo?(dveditz)
Blocks: 1733775

Clearly Apple doesn't intend this behavior because they do block lowercase file://, but warning would be both not enough and not always correct.

On the other hand this is a strange file type to be asking someone to download so maybe warning "too much" isn't all that bad? We do treat both .lnk and .url files on Windows as executables, and this file type seems to function like .url files.

Flags: needinfo?(dveditz)
Keywords: csectype-priv-escalation, sec-moderate, sec-vector

The severity field is not set for this bug.
:Gijs, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gijskruitbosch+bugs)
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Severity: -- → S3
Flags: needinfo?(gijskruitbosch+bugs)
Priority: -- → P1

Comment on attachment 9245224 [details]
Bug 1731779 - r?dveditz!,dimi!

Beta/Release Uplift Approval Request

  • User impact if declined: Potential for security risk through inetloc
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See comment 0
  • List of other uplifts needed: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We're just adding the extension to a bunch of lists, and updating tests accordingly.
  • String changes made/needed: Nope
Attachment #9245224 - Flags: approval-mozilla-beta?
Flags: qe-verify+

https://hg.mozilla.org/mozilla-central/rev/2b186723942d

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox95: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

Comment on attachment 9245224 [details]
Bug 1731779 - r?dveditz!,dimi!

Approved for 94.0b9 and 91.3esr.

Attachment #9245224 - Flags: approval-mozilla-esr91+
Attachment #9245224 - Flags: approval-mozilla-beta?
Attachment #9245224 - Flags: approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]

Reproduced the reported issue as of comment 0 using Firefox 92.0, verified that the Warning message is successfully displayed when downloading the attached testcase using Firefox 94.0b9, latest Nightly 95.0a1 and latest 91 ESR build from treeherder.

Status: RESOLVED → VERIFIED
status-firefox94: fixedverified
status-firefox95: fixedverified
status-firefox-esr91: fixedverified
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main94+]
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main94+] → [reporter-external] [client-bounty-form] [verif?][adv-main94+][adv-esr91.3+]
Attached file advisory.txt
Attachment #9248038 - Attachment is obsolete: true
Alias: CVE-2021-38510

Hello, could you please acknowledge me as "Hou JingYi (@hjy79425575)" instead of "houjingyi647"? Thank you!

Flags: needinfo?(tom)

I've updated the advisories and in the HoF we'll include the link to your twitter account.

Flags: needinfo?(tom)
See Also: → CVE-2022-46875
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: