1800425 - (CVE-2023-23598) Arbitrary file exposure with Drag&Drop on GTK (maybe only across Firefox instances?)

Status: VERIFIED FIXED

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

Description

[Tom Schuster]

Attachment: dnd.html

The GTK drag&drop code treats all text/plain MIMEs containing file URLs as files being dragged: https://searchfox.org/mozilla-central/source/widget/gtk/nsDragService.cpp#789-792.

This makes it highly trivial for websites to do something like dt.setData('text/plain', 'file:///etc/os-release') and for GTK to treat this as an actual file being dragged.

The easiest way to reproduce this to have two running Firefox instances, one with attached test case and another with something like https://evercoder.github.io/clipboard-inspector/. Dragging from the test case in one instance to the clipboard inspect in another should show the file instead of the text.

I haven't verified yet, if it possible somehow to do this in a single Firefox instance.

Comment 1

[Tom Schuster]

Looking at the code it seemed to me like we also convert text/x-moz-url to text/uri-list (source), but I wasn't able to exploit that yet at least.

Comment 2

[Tom Schuster]

Attachment: Bug 1800425 - Support text/uri-list for file drag&drop. r?stransky

Comment 3

[Andrew McCreight [:mccr8]]

Nika says we should conservatively rate it like the other bug.

Comment 4

[Martin Stránský [:stransky] (ni? me)]

Tom, can you explain exactly what D&D scenario do you target here?
Thanks.

Comment 5

[Tom Schuster]

1. As described in comment 0, when dragging between two instances of Firefox it is possible to fake the dragging of a file and thus accidentally leak local data. (Notably child processes can't directly use text/uri-list after bug 1799156)
2. There is also the (unverified) possibility that an exploited child process might be able to fake a drag start using "text/plain" and then force a drop somehow and thus gain access to an arbitrary file.

I don't see a good reason why we should ever treat a simple text as a file drag&drop in GTK when the more precise text/uri-list exists.

Comment 6

[Tom Schuster]

Comment on attachment 9303316 [details]
Bug 1800425 - Support text/uri-list for file drag&drop. r?stransky

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Not easily. Either manual drag&drop is required, automatically exploiting this might be impossible
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
• Which older supported branches are affected by this flaw?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: This code doesn't really change.
• How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
• Is Android affected?: Yes

Comment 7

[Tom Ritter [:tjr]]

Comment on attachment 9303316 [details]
Bug 1800425 - Support text/uri-list for file drag&drop. r?stransky

I think it is too late in the cycle to land this and have it uplifted, so we'll need to wait until next cycle.

Comment 8

[Tom Ritter [:tjr]]

Comment on attachment 9303316 [details]
Bug 1800425 - Support text/uri-list for file drag&drop. r?stransky

Approved to land and request uplift

Comment 9

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Support text/uri-list for file drag&drop. r=stransky
https://hg.mozilla.org/integration/autoland/rev/a3fb01c6e76a9f4545290c6c7caf5f3ec056575d
https://hg.mozilla.org/mozilla-central/rev/a3fb01c6e76a

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:tschuster, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox109 to wontfix.

For more information, please visit auto_nag documentation.

Comment 11

[Tom Schuster]

Comment on attachment 9303316 [details]
Bug 1800425 - Support text/uri-list for file drag&drop. r?stransky

Beta/Release Uplift Approval Request

• User impact if declined: Very low probability of stealing local files.
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: Yes
• If yes, steps to reproduce: (The test case only really works on Linux, because it expects a specific file: /etc/os-release.

• Open two Firefox instances with different profiles (i.e. using -p)
• Open https://bug1800425.bmoattachments.org/attachment.cgi?id=9303254&t=lSvr7fWZuRToJuutRvbYTb in the first instance
• Open https://evercoder.github.io/clipboard-inspector/ in the second instance
• Drag from the first to the second instance.
• The inspector should show just
  type: text/plain getData(type): file:///etc/os-release

• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Linux-only and dragging files is in general is probably uncommon.
• String changes made/needed:
• Is Android affected?: No

Comment 12

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9303316 [details]
Bug 1800425 - Support text/uri-list for file drag&drop. r?stransky

Approved for 109.0b5 and 102.7esr.

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/ce2cc4a5651c

Comment 14

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr102/rev/2b365c2e03ca

Comment 15

[Ciprian Georgiu, Desktop QA]

I have reproduced this bug using STR from comment 11, on an affected Nightly (2022-11-04) with Ubuntu 18.04 x64.

The issue is verified as fixed on the latest builds, Beta 109.0b5 Esr 102.7 and Nightly 110.0a1 with Ubuntu 18.04 x64.

Comment 16

[Frederik Braun [:freddy]]

Attachment: advisory.txt