Create arbitrary binary (.hta, .exe, .bat, .vb)/file when web page is downloaded/saved in Firefox browser
Categories: Firefox :: Downloads Panel, defect, P2
People: Reporter: jayateertha043, Assigned: enndeakin
Details: Keywords: sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main107+][adv-esr102.5+]
Attachments: 2 files
Products affected:
Latest Firefox for Windows as on 04/10/22
POC:
See this Video POC - https://youtu.be/5PBJ1MlikFk
- Host malicious webpage (index.html) [See attached file].
- Click save as to download the website to view offline or press (ctrl + s).
- Save the file & open the downloaded file
Impact
- Creates arbitrary files instead of an HTML file, which might result in code execution when opened.
Fix
- Sanitize filename properly & append .html to filename created from title tag by default as done by major browsers such as Google Chrome.
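The fix the report asks for, as an added illustration that is not Firefox's own code: naiveFilename() mirrors the reported behaviour (the document title is used as the filename as-is, so a title ending in ".hta" decides the extension), and safeFilename() sanitizes the title and always ends the name in .html/.htm. RESERVED_NAMES, extensionOf and the 200-character limit are assumptions made for this example.

```javascript
// Added example (not Firefox code): deriving a "Save Page As" filename
// from an untrusted <title> element.

// Windows device names; "CON.html" is still a device name, so we prefix them.
const RESERVED_NAMES = new Set([
  "CON", "PRN", "AUX", "NUL",
  ...Array.from({ length: 9 }, (_, i) => `COM${i + 1}`),
  ...Array.from({ length: 9 }, (_, i) => `LPT${i + 1}`),
]);

// Whatever follows the last dot, lower-cased; "" when there is no extension.
function extensionOf(filename) {
  const i = filename.lastIndexOf(".");
  return i > 0 ? filename.slice(i + 1).toLowerCase() : "";
}

// Reported behaviour: the title becomes the filename and no extension is enforced,
// so a title "report.hta" is saved as report.hta.
function naiveFilename(title) {
  return String(title).trim();
}

// Hardened derivation: sanitize, then force an html extension.
function safeFilename(title, fallback = "index") {
  let name = String(title ?? "")
    .replace(/[\u0000-\u001f\u007f]/g, "")   // drop control characters
    .replace(/[\\/:*?"<>|]/g, "_")           // no path separators or NTFS/shell specials
    .replace(/\s+/g, " ")                    // collapse whitespace
    .slice(0, 200)                           // keep well under filesystem limits
    .replace(/^[. ]+|[. ]+$/g, "");          // Windows silently strips trailing dots/spaces
  if (!name) name = fallback;
  const stem = name.split(".")[0].toUpperCase();
  if (RESERVED_NAMES.has(stem)) name = `_${name}`;
  // A genuine html/htm title keeps its extension; anything else (hta, exe,
  // bat, vb, a bare TLD, ...) gets .html appended so it cannot be the extension.
  const ext = extensionOf(name);
  if (ext !== "html" && ext !== "htm") name += ".html";
  return name;
}
```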
Comment 1•1 year ago (Reporter)
Hi team,
Hope this is eligible for bounty.
In case eligible, kindly nominate this for bounty; I am not sure of the bounty nomination process followed by Firefox.
Comment 2•1 year ago
(In reply to Jayateertha Guruprasad from comment #1)
> In case eligible, kindly nominate this for bounty; I am not sure of the bounty nomination process followed by Firefox.
Setting the sec-bounty? flag like you did is sufficient for it to be considered.
Comment 3•1 year ago
This is basically a dupe of bug 1778597, but with security impact. :-(
Comment 4•1 year ago (Reporter)
Hi team,
I don't think this is the exact same bug; I have not seen that before and reported it based on my own research.
After going through bug 1778597 (https://bugzilla.mozilla.org/show_bug.cgi?id=1778597), I assume that bug is about extensions ending with a TLD (.com, .in etc.), and it nowhere talks about the security impact or the exploit I mentioned in my report, although the fix might be the same (appending .html/.htm at the end).
CVEs can be assigned only for reports with security impact or affecting the security triad (Confidentiality, Integrity, Availability).
So, I would like to know if my report is eligible for a CVE rather than bug 1778597 (https://bugzilla.mozilla.org/show_bug.cgi?id=1778597), which also seems to be internally reported if I am not wrong.
Thanks and Regards
Jayateertha G
Comment 5•1 year ago (Reporter)
Also, just a suggestion: kindly make bug 1778597 (https://bugzilla.mozilla.org/show_bug.cgi?id=1778597) private, as that report might give other researchers an idea of the exploit.
Comment 6•1 year ago (Reporter)
Hi team,
Any updates on this issue?
Please feel free to contact me if you need any assistance reproducing the issue or anything else required from my side.
Thanks and Regards
Jayateertha G
Comment 7•1 year ago
(In reply to Jayateertha Guruprasad from comment #4)
> I don't think this is the exact same bug,
It's the window/document title ending in .foo resulting in a .foo file extension when saving the page. I don't see any difference.
> nowhere talks about the security impact or the exploit I mentioned in my report,
If you were wanting to drop a file on the user's machine you could just start a download when clicking on the page, which is probably an easier thing to convince the user to do than to use "save page as" and then open the result, and also allows controlling the full contents of the result.
> CVEs can be assigned only for reports with security impact or affecting the security triad (Confidentiality, Integrity, Availability).
> So, I would like to know if my report is eligible for a CVE rather than bug 1778597 (https://bugzilla.mozilla.org/show_bug.cgi?id=1778597)
--> Tom?
> which also seems to be internally reported
Not really, jscher is a volunteer contributor, not an employee.
(In reply to Jayateertha Guruprasad from comment #6)
> Any updates on this issue?
Please do not comment just to ask for updates. Any updates will be on the bug and unless you changed your bugzilla settings you'll get email for them. If there are no updates on the bug then there are no updates.
Comment 8•1 year ago (Reporter)
Thanks for the info; as I have not reported much in Bugzilla, there were many flags which were confusing.
I didn't know if I had set the flags right or would receive updates.
Thanks and Regards
Jayateertha G
Comment 9•1 year ago
Presently the report is a sec-moderate, so yes, when it is fixed it will receive a CVE. If it is a duplicate, we typically include all of the reporters who have meaningfully contributed new information to the report, so in this case although Bug 1778597 was filed first, you were the first (AFAICT) to detail the security impact of it, so you would both be credited. A decision about rewarding a bounty is similar.
Comment 10•1 year ago (Reporter)
Team,
Thanks very much for your valuable reply.
Will wait for the bug to be fixed.
Thanks and Regards
Jayateertha G
Comment 11•1 year ago (Assignee)
I believe this should have been fixed now by bug 1778597.
Comment 12•1 year ago (Reporter)
Hi team,
I would like to retest the reported vulnerability, kindly share the retest build url.
Also as the reported vulnerability is said to be fixed, may I know about the CVE and bounty process.
Thanks very much for the quick fix and response.
Thanks and Regards
Jayateertha G
Comment hidden (duplicate)
Comment 15•1 year ago
Sorry, I don't think Marco noticed Neil's comment. You can test this on Firefox Nightly - https://www.mozilla.org/en-US/firefox/channel/desktop/#nightly
The next time we meet to process bug bounties, this will be in the queue; it will typically take 1-2 weeks for a decision, as we meet weekly.
Comment 16•1 year ago (Reporter)
Thanks very much @Tom,
Will retest and let you know soon.
Also will wait for the CVE/Bounty decision.
Thanks and Regards
Jayateertha G
Comment 17•1 year ago (Reporter)
Hi team,
Sorry for the late update, I was on vacation last week.
I have retested in the latest Nightly build for Windows.
The issue seems to have been fixed! 🎊
Kindly let me know when the bounty process is initiated/CVE published.
Thanks and Regards
Jayateertha G
Comment 18•1 year ago
Reproduced issue on 107.0b8 Firefox.
Issue is verified-fixed in 108.0a1 Nightly build: 2022-11-01-21-36-59-mozilla-central.
Comment 19•1 year ago
Verified fixed in Firefox 107.0b9.