Closed Bug 1800832 (CVE-2023-23603) Opened 1 year ago Closed 1 year ago

console.log allows loading images via %c formatter, also bypasses page CSP

Categories

(DevTools :: Console, defect, P2)

defect

Tracking

(firefox-esr102 109+ verified, firefox108 wontfix, firefox109+ verified, firefox110+ verified)

VERIFIED FIXED
110 Branch
Tracking Status
firefox-esr102 109+ verified
firefox108 --- wontfix
firefox109 + verified
firefox110 + verified

People

(Reporter: dveditz, Assigned: nchevobbe)

References

Details

(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main109+][adv-esr102.7+])

Attachments

(2 files, 1 obsolete file)

Despite attempting to filter out loading URLs from the styles supported by the console.log() %c format directive, this is done by fragile regexp and can be bypassed.
Inspired by recently-unhidden https://bugs.chromium.org/p/chromium/issues/detail?id=1349493.

#1 loading a remote image

The second example in that chrome bug works in Firefox, for pretty much the same reasons: the regexp is trying to forbid bad stuff rather than saying "no url() at all unless it's a data: url" (support for data: was added in bug 1579663 by removing it from the list of bad schemes). Find a weakness in the regexp and you can get around it. You can copy the line below and run it in a devtools console.

console.log("%cMozilla", "background:url(https\\0009://www.mozilla.org/favicon.ico); font-size:50px; border:solid green; margin:50px; padding:50px; display:inline-block;")

#2 CSP bypass

If you make the console.log() call from the page content this also bypasses the page CSP. On the one hand the image isn't being incorporated into the page content, but on the other it could be used as a way to exfiltrate data. I assume we can't apply the page's CSP to the toolbox without breaking a bunch of things, so fixing this comes down to preventing console logging from loading external images at all.

The intended "data:" urls might also violate the CSP, but since there's no exfiltration avenue it seems fine to allow it.

#3 no restriction on other schemes

There is a forbidden list of schemes which means any new scheme we think up won't be on it. For example, Firefox supports moz-extension urls so you could use any web-accessible resource, if you can figure out the random UUID assigned to each extension at install time. Some extensions make this easy by injecting elements into web content where they can be detected.

Take the case of Firefox Relay, for example. If your victim has Relay installed and active you could go to a page with an email field (like any page on www.mozilla.org) and do something like:

let relayUrl = document.querySelector("#fx-relay-button")?.style["background-image"];
console.log("%cMozilla", `background:${relayUrl}; font-size:50px; border:solid green; margin:50px; padding:50px; display:inline-block;`)

moz-extension:// itself isn't a problem (like data:, nothing is exfiltrated) but it shows the limitations of the regexp.
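The allowlist approach argued for above ("no url() at all unless it's a data: url"), written out as an added JavaScript example that is not Firefox's cleanupStyle and not part of this bug's patch. It covers all three points in the report: it decodes CSS escapes and strips the tab/newline characters URL parsers ignore before checking, so the `https\0009://` payload is dropped (#1, and with it the image load that sidesteps the page CSP in #2), and because only `data:` is ever accepted, `moz-extension:` or any scheme added later is rejected without a denylist (#3). The function names, the sample declarations and the zeroed placeholder UUID are constructed for this example.

```javascript
// Added example, not Firefox's own cleanupStyle: an allowlist-based
// sanitiser for the style argument of console.log("%c...", style).
// Policy: a declaration survives only if every URL-like token in it uses
// the data: scheme. Nothing is "forbidden by name", so https:,
// moz-extension: and any future scheme are all rejected by default.

// Decode CSS escapes (\HHHHHH plus one optional trailing whitespace, or \X)
// so that "https\0009://" is inspected as "https<TAB>://".
function decodeCssEscapes(text) {
  return text.replace(/\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?|\\([\s\S])/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Split on `sep` only at top level (outside quotes and parentheses), so the
// ';' inside "data:image/gif;base64,..." does not break a declaration apart.
function splitTopLevel(text, sep) {
  const parts = [];
  let depth = 0, quote = null, cur = "";
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote) {
      cur += c;
      if (c === "\\" && i + 1 < text.length) cur += text[++i];
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && depth > 0) depth--;
    else if (c === sep && depth === 0) { parts.push(cur); cur = ""; continue; }
    cur += c;
  }
  parts.push(cur);
  return parts;
}

// Anything that looks like "<scheme>:" (RFC 3986 scheme characters),
// whether or not it sits inside url().
const SCHEME_RE = /(?:^|[^a-z0-9+.\-])([a-z][a-z0-9+.\-]*):/gi;
// Start of every url() argument, with optional quotes and whitespace skipped.
const URL_FN_RE = /url\(\s*["']?\s*([^"')\s]*)/gi;

// Deliberately strict: a value is safe only if every url() argument starts
// with data: and no other scheme-looking token appears anywhere in it.
function valueIsSafe(rawValue) {
  // Decode escapes, then drop ASCII tab/LF/CR, which URL parsers ignore
  // (that is exactly why "https\0009://" still loads as https://).
  const v = decodeCssEscapes(rawValue).replace(/[\t\n\r]/g, "");
  for (const m of v.matchAll(URL_FN_RE)) {
    if (!/^data:/i.test(m[1])) return false;
  }
  for (const m of v.matchAll(SCHEME_RE)) {
    if (m[1].toLowerCase() !== "data") return false;
  }
  return true;
}

// Returns the declarations that passed, joined back together, plus the
// ones that were dropped (what a telemetry or detection hook would record).
function sanitizeConsoleStyle(style) {
  const kept = [], dropped = [];
  for (const decl of splitTopLevel(style, ";")) {
    const trimmed = decl.trim();
    if (!trimmed) continue;
    const colon = trimmed.indexOf(":");
    if (colon < 1) { dropped.push(trimmed); continue; } // malformed, fail closed
    (valueIsSafe(trimmed.slice(colon + 1)) ? kept : dropped).push(trimmed);
  }
  return { kept: kept.join("; "), dropped };
}

// Constructed inputs: the payload from this report, a data: URL that the
// fix intentionally keeps, and a moz-extension: URL with a placeholder UUID.
const BYPASS = "background:url(https\\0009://www.mozilla.org/favicon.ico); font-size:50px; border:solid green; margin:50px; padding:50px; display:inline-block;";
const DATA_OK = 'background:url("data:image/gif;base64,R0lGODlhAQABAAAAACw=") no-repeat; color:red';
const EXT = "background:url(moz-extension://00000000-0000-0000-0000-000000000000/icon.png)";

console.log(sanitizeConsoleStyle(BYPASS));  // background dropped, the rest kept
console.log(sanitizeConsoleStyle(DATA_OK)); // nothing dropped
console.log(sanitizeConsoleStyle(EXT));     // everything dropped
```

The second scheme check is intentionally over-broad: a value such as `content:"a:b"` is dropped too, which only costs some styling in a console message, whereas a missed case costs a network request the page's CSP never saw.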

Severity: -- → S3
Flags: needinfo?(nchevobbe)
Priority: -- → P2
Assignee: nobody → nchevobbe
Status: NEW → ASSIGNED
Flags: needinfo?(nchevobbe)
Attachment #9305124 - Attachment description: Bug 1800832 - [devtools] Explicitely allow data urls in cleanupStyle. r=jdescottes. → Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.

Comment on attachment 9306057 [details]
Bug 1800832 - [devtools] Fix require call in console stubs template. r=jdescottes

Revision D163489 was moved to bug 1803508. Setting attachment 9306057 [details] to obsolete.

Attachment #9306057 - Attachment is obsolete: true

Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: quite easily I guess if people can make the link from this patch to using console API with custom styling
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all supported branches
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: quite unlikely
    this is a very localized change, covered by an automated test, on a small visual feature for console.log
  • Is Android affected?: No
Attachment #9305124 - Flags: sec-approval?

Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.

Approved to land; and if we're landing the test with it, we should uplift it.

Attachment #9305124 - Flags: sec-approval? → sec-approval+

Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.

Beta/Release Uplift Approval Request

  • User impact if declined: devtools users would be vulnerable to the security issue described in https://bugzilla.mozilla.org/show_bug.cgi?id=1800832#c0
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  1. Open the console
  2. Evaluate console.log("%cMozilla", "background:url(https\\0009://www.mozilla.org/favicon.ico); font-size:50px; border:solid green; margin:50px; padding:50px; display:inline-block;")

-> the Mozilla icon shouldn't be displayed in the resulting message

  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): devtools-only change covered by automated test.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9305124 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Attachment #9305124 - Flags: approval-mozilla-esr102?
QA Whiteboard: [qa-triaged]

I have managed to reproduce this issue using STR from comment 6, on an affected Nightly build (20221115214157), with macOS 11.

The issue is verified as fixed across platforms, Win 10 x64, macOS 11 and Ubuntu 18.04 x64 with latest Nightly 110.0a1.

Flags: qe-verify+

Comment on attachment 9305124 [details]
Bug 1800832 - [devtools] Explicitly allow data urls in cleanupStyle. r=jdescottes.

Approved for 109.0b3 and 102.7esr.

Attachment #9305124 - Flags: approval-mozilla-esr102?
Attachment #9305124 - Flags: approval-mozilla-esr102+
Attachment #9305124 - Flags: approval-mozilla-beta?
Attachment #9305124 - Flags: approval-mozilla-beta+

This bug is also verified as fixed on latest Beta 109.0b3 and ESR 102.7, under Win 7 x64, macOS 11 and Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
Whiteboard: [adv-main109+][adv-esr102.7+]
Alias: CVE-2023-23603
Group: core-security-release