Closed Bug 1737252 (CVE-2022-22744) Opened 3 years ago Closed 3 years ago

Escape issue in "Copy as cURL" enables execution of arbitrary commands on users computer

Categories

(DevTools :: Netmonitor, defect, P2)

Unspecified
Windows
defect

Tracking

(firefox-esr91 96+ verified, firefox94 wontfix, firefox95 wontfix, firefox96 + verified)

VERIFIED FIXED
96 Branch
Tracking Status
firefox-esr91 96+ verified
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 + verified

People

(Reporter: 2pi, Assigned: bomsy, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main96+][adv-ESR91.5+])

Attachments

(3 files)

Attached file POC.html

Description

The constructed curl command from the "Copy as cURL" feature in devtools isn't properly escaped for the platform WINNT. This means that a malicious website can make network requests that, if the user copies and tries to run them in PowerShell, will enable the website to run arbitrary commands on the user's computer.

Steps to reproduce

This proof of concept includes three variants, each one works independently, and there should be many more combinations that should produce information leakage and arbitrary code execution.

  1. Start the browser and open devtools. Then visit the attached file POC.html.
  2. Select the "Network" tab in devtools and right click on the POST request and click "Copy as cURL (Windows)" under "Copy".
  3. Paste the command in PowerShell and execute it.
  4. Now three things should happen: the remote server should have your environment variable PATH, the shell should (among other things) show "Hello World", and the "calc.exe" application should open.

How and why does it work?

The attack shown above works because it is possible to use the escape character ` to escape itself and other vital characters, hence circumventing the escaping performed by Firefox.

The code responsible for this in Firefox is located in the function at: https://searchfox.org/mozilla-central/source/devtools/client/shared/curl.js#429

See also

Bug 1518026, Bug 1607742, and Bug 1614468 are old bugs with similar issues.

Please let me know if I can be of any help!

Flags: sec-bounty?
Type: task → defect
Component: Security → Netmonitor
Product: Firefox → DevTools

Example

To illustrate what could happen, I thought that I should show the details of Ex. 3 from POC.html. That is, if we remove the headers from the fetch call and thereby Ex. 1 & 2, the generated curl command will be something like:

curl [...] --data-raw "``$(calc.exe)"
                       #^###########

Where the data marked by ^ is added by Firefox and the data marked by # comes from the body tag in fetch. What happens is that Firefox adds a ` to escape the $. However, this escape will inadvertently get escaped by the already present `, rendering the $ unescaped. The responsible code is located at 1.

Reasoning around potential solutions

For PowerShell one would probably want to switch to single quotation marks (2) and potentially use the --% sequence (3). However these, as I understand it, don't really work in cmd.exe. Hence to keep the generated curl commands somewhat compatible with both PowerShell and cmd.exe one would probably want to try to escape the ` properly. (Escaping ` in PowerShell is probably wise regardless of the issue at hand, see 3.)

PowerShell and cmd.exe are undeniably quite different. So adding an escape sequence for PowerShell may produce a curl command which, when used in cmd.exe, executes a request that isn't equivalent to the actual network request being copied. This is another issue, however; but this seems to already be happening with for example the $-sign.

My understanding is that Firefox shares (shared?) some code in this area with Chromium. Their solution to this problem seems to be that they created two alternatives; one for PowerShell (not using curl) and one for cmd.exe. These different alternatives seem to be created in a way that purposely makes them not work in the opposite shell. While this solution has its own problems, it might be the best available.

These are just a few ideas I had. However, I will leave it up to you to decide how you want to go about solving this issue.

Status: UNCONFIRMED → NEW
Ever confirmed: true
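The escaping flaw described in the two comments above, shown as an added illustration that is not the Firefox curl.js code nor the landed patch: a vulnerable escaper that backtick-escapes $ but leaves input backticks alone, a hardened escaper that escapes the backtick first (the shape the fix title "Escaping back tick signs" implies), and a check that reads the result the way a double-quoted PowerShell string is read. Function names and the sample body are constructed for this example.

```javascript
// Illustrative only: NOT the escaping code from Firefox DevTools curl.js.
// Both escapers return the text placed inside the double quotes of --data-raw.

// Vulnerable shape: $ and " are prefixed with a backtick, but a backtick
// already present in the body is never escaped. A body backtick therefore
// consumes the backtick the escaper adds for the following $, leaving it active.
function escapeForPowerShellVulnerable(str) {
  return str.replace(/\$/g, "`$").replace(/"/g, '`"');
}

// Hardened shape: escape the backtick itself FIRST so every body backtick
// becomes a literal ``, then add the escapes for $ and " as before.
function escapeForPowerShellFixed(str) {
  return str
    .replace(/`/g, "``")
    .replace(/\$/g, "`$")
    .replace(/"/g, '`"');
}

// Check: walk the escaped text as PowerShell reads a double-quoted string.
// A backtick makes the next character literal; a $ reached any other way is
// still active and would start variable or subexpression expansion.
function hasActiveDollar(escaped) {
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] === "`") { i++; continue; }   // skip the escaped character
    if (escaped[i] === "$") return true;
  }
  return false;
}

function buildDataRawArg(body, escapeFn) {
  return `--data-raw "${escapeFn(body)}"`;
}

// Constructed sample body in the shape the report describes: a backtick
// directly before a $( subexpression (a benign cmdlet is used here).
const SAMPLE_BODY = "`$(Get-Date)";

console.log(buildDataRawArg(SAMPLE_BODY, escapeForPowerShellVulnerable)); // $ still active
console.log(buildDataRawArg(SAMPLE_BODY, escapeForPowerShellFixed));      // $ neutralised
```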

The severity field is not set for this bug.
:Honza, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(odvarko)

Hubert, could you please look at this, thank you!

Severity: -- → S3
Flags: needinfo?(odvarko) → needinfo?(hmanilla)
Priority: -- → P2

Thanks Honza!

I'll look into it.

Assignee: nobody → hmanilla
Flags: needinfo?(hmanilla)
Attachment #9250468 - Attachment description: Bug 1737252 - [devtools] Escaping tick signs are followed by the dollar sign r=nchevobbe → Bug 1737252 - [devtools] Escaping back tick signs r=nchevobbe
Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
Blocks: curl
OS: Unspecified → Windows

We probably should fix this on ESR as well. Simple enough patch (low regression risk) and also a simple enough social engineering attack once published.

Flags: sec-bounty? → sec-bounty+
Flags: needinfo?(tom)
Flags: in-testsuite+

Please nominate this for ESR approval when you get a chance. It grafts cleanly.

Flags: needinfo?(hmanilla)

Comment on attachment 9250468 [details]
Bug 1737252 - [devtools] Escaping back tick signs r=nchevobbe

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Proves a security risk as curl can be hijacked to execute commands in Windows
  • User impact if declined: Possible security risk
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small JavaScript patch to escape back ticks
  • String or UUID changes made by this patch:
Flags: needinfo?(hmanilla)
Attachment #9250468 - Flags: approval-mozilla-esr91?
QA Whiteboard: [qa-triaged]

Reproduced this bug using POC.html, from comment 0, on Win 10 x64 with an affected Nightly build (95.0a1, 20211022213234).

The issue is not reproducing anymore on Beta 96.0b4 (20211212185725) running Win 10 x64.

Flags: qe-verify+

Comment on attachment 9250468 [details]
Bug 1737252 - [devtools] Escaping back tick signs r=nchevobbe

Approved for 91.5esr.

Attachment #9250468 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+

This is also verified as fixed on 91.5 esr, under Win 11.

Status: RESOLVED → VERIFIED
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form][post-critsmash-triage][adv-main96+][adv-ESR91.5+]
Attached file advisory.txt
Alias: CVE-2022-22744
See Also: → CVE-2023-23599
Group: core-security-release