Closed Bug 1801542 (CVE-2023-25731) Opened 1 year ago Closed 1 year ago

Prototype pollution via GET request in network tool inspection

Categories

(DevTools :: Netmonitor, defect, P2)

Firefox 109
defect

Tracking

(firefox-esr102 wontfix, firefox108 wontfix, firefox109 wontfix, firefox110 fixed)

RESOLVED FIXED
110 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- fixed

People

(Reporter: school.exams, Assigned: bomsy)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: [adv-main110+])

Attachments

(3 files)

Attached image img.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Steps to reproduce:

Open developer tools, Network tab.
Open any website with query parameter __proto__=
Click on the request with our GET parameter, crash.

https://duckduckgo.com/?__proto__=x

I've confirmed this issue on v.105 and v.109-nightly

Actual results:

The Network panel has crashed.
TypeError: map[obj.name].push is not a function

Stacktrace (shortened):
parseUrl/urlObject[method].query<@resource://devtools/client/netmonitor/src/components/previews/UrlPreview.js:215:25
parseUrl@resource://devtools/client/netmonitor/src/components/previews/UrlPreview.js:208:40
render@resource://devtools/client/netmonitor/src/components/previews/UrlPreview.js:245:47

Expected results:

Request inspection as per usual

Due to markdown, the underscores were made bold; in the steps to reproduce, the query should be the following:
__proto__=

Component: Untriaged → Netmonitor
Product: Firefox → DevTools

I've edited the first post to fix the markdown.

Can confirm.

In the Console tab if I try to expand the request it doesn't crash, but does give the following error

[DEVTOOLS ERROR] We’re sorry, we couldn’t render the message. This shouldn’t have happened - please file a bug at https://bugzilla.mozilla.org/enter_bug.cgi?product=DevTools&component=Console with the message metadata in the description.

The "copy message metadata to clipboard" button did not do anything.

The basic symptoms are annoying, but could this be used to actually redefine one of our prototypes in a malicious way? The Developer toolbox runs as privileged code. Setting a prototype to a string shouldn't be too bad... there isn't anything that will auto-eval this, right?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(odvarko)

I was unable to do anything actually impactful, but I marked it as a security issue because it seemed like unexplored attack surface and could come up somewhere else, like in third-party extensions (yeah, out of scope but still).

This bug was found while solving a CTF challenge, very curious when it was introduced as it seems so trivial.

I can reproduce on my machine (MacOS, Nightly)
I see both mentioned problems. One in the Network panel and the other in the Console (also looks like the Console has better error handling of errors occurring in React components)

Feels like a nicely actionable report (STRs as well as stack trace available)

Honza

Flags: needinfo?(odvarko)
Whiteboard: [devtools-triage]

As seen in the stack trace, the specific piece of code at issue is this one. This should use a Map instead of a bare object {} to reduce over.

The severity field is not set for this bug.
:Honza, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(odvarko)
Severity: -- → S3
Flags: needinfo?(odvarko)
Priority: -- → P2

Bomsy, could you please look at this? Looks actionable, thank you.

Flags: needinfo?(hmanilla)

Oh sure!

I'll take a look. Thanks Honza!

Assignee: nobody → hmanilla
Flags: needinfo?(hmanilla)

Since the object that is used to consolidate the query for the URL
has its prototype chain, adding a parameter with the name __proto__ tries to look up the
prototype chain and blows up.

Let's make it a simple dictionary by removing the prototype chain.

Whiteboard: [devtools-triage]
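The failure mode and the fix discussed in the two comments above, as an added example that is not Firefox's own code: a hypothetical reconstruction of the "reduce query parameters into a plain object" pattern the stack trace points at, beside two prototype-free alternatives (a `Map`, as suggested earlier in the thread, and a null-prototype dictionary, as the landing comment suggests). The function names `parseParams`, `groupParamsPlainObject`, `groupParamsMap`, `groupParamsNullProto` and `tryPlainObject`, and the sample URLs, are assumptions for this demo.

```javascript
// Added example, not Firefox's own code: a hypothetical reconstruction of the
// "reduce query parameters into a plain object" pattern the report describes,
// followed by two prototype-free alternatives. All names are assumptions.

// Split a URL's query into [{ name, value }] entries using the standard URL API.
function parseParams(url) {
  return [...new URL(url).searchParams].map(([name, value]) => ({ name, value }));
}

// Vulnerable pattern: the accumulator is a plain object literal, so looking up
// map["__proto__"] finds Object.prototype (truthy, but not an array) and the
// .push call throws "map[obj.name].push is not a function", the TypeError in
// the report's stack trace.
function groupParamsPlainObject(params) {
  return params.reduce((map, obj) => {
    if (map[obj.name]) {
      map[obj.name].push(obj.value);
    } else {
      map[obj.name] = [obj.value];
    }
    return map;
  }, {});
}

// Fix 1: a Map does no prototype-chain lookup for its keys, so "__proto__",
// "constructor" or "hasOwnProperty" are just ordinary keys.
function groupParamsMap(params) {
  const map = new Map();
  for (const { name, value } of params) {
    if (!map.has(name)) {
      map.set(name, []);
    }
    map.get(name).push(value);
  }
  return map;
}

// Fix 2: keep the object shape but remove the prototype chain ("a simple
// dictionary"). With a null prototype there is no inherited __proto__ accessor,
// so the key becomes an ordinary own property.
function groupParamsNullProto(params) {
  return params.reduce((map, obj) => {
    if (!Object.prototype.hasOwnProperty.call(map, obj.name)) {
      map[obj.name] = [];
    }
    map[obj.name].push(obj.value);
    return map;
  }, Object.create(null));
}

// Helper for demonstrating the failure mode without crashing the caller.
function tryPlainObject(params) {
  try {
    return { ok: true, result: groupParamsPlainObject(params) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed sample URLs; the second mirrors the report's reproduction.
const NORMAL = "https://example.test/?a=1&a=2&b=3";
const PROTO = "https://example.test/?__proto__=x";

if (typeof require !== "undefined" && require.main === module) {
  console.log(tryPlainObject(parseParams(NORMAL)));      // ok: true, grouped values
  console.log(tryPlainObject(parseParams(PROTO)));       // ok: false, error: "TypeError"
  console.log(groupParamsMap(parseParams(PROTO)));        // Map { '__proto__' => [ 'x' ] }
  console.log(groupParamsNullProto(parseParams(PROTO)));  // [Object: null prototype] { '__proto__': [ 'x' ] }
}
```

Note that in the plain-object version the `__proto__` lookup always hits `Object.prototype` before the `else` branch can run, which is why the symptom here is a crash rather than a modified prototype; the same audit (any user-controlled string used as a key on a `{}` accumulator) is worth applying to other reducers in privileged code, and both fixes leave `Object.prototype` untouched.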

There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:bomsy, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.

Flags: needinfo?(jdescottes)
Flags: needinfo?(hmanilla)

This will probably land when :bomsy comes back from PTO.

Flags: needinfo?(jdescottes)

This should land today.

Flags: needinfo?(hmanilla)
Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Whiteboard: [adv-main110+]
Alias: CVE-2023-25731

Sorry if it might be too late to ask this: can you add my colleague to the advisory as well?

His name is Alexander Volkov, while we were playing the CTF we both found this independently within minutes of each other. Also, I should have used my primary email address, can you change "school.exams" to "pyakovlev"?

So that the new "reported by" field in the advisory goes like this:

pyakovlev & Alexander Volkov

Thanks in advance!

I've updated the advisory in our back end so the reporter will show up as pyakovlev & Alexander Volkov, thanks!

Group: core-security-release