Closed Bug 1802385 (CVE-2023-28160) Opened 2 years ago Closed 2 years ago

After redirect to moz-extension:-URL in the parent process, the URL changes to the underlying jar/file-URL

Categories

(WebExtensions :: Request Handling, defect, P2)

Product:
WebExtensions
Component:
Request Handling
Type:
defect

Tracking

(firefox-esr102 wontfix, firefox109 wontfix, firefox110 wontfix, firefox111 fixed)

Status:
RESOLVED FIXED
Milestone:
111 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- fixed

People

(Reporter: robwu, Assigned: robwu)

References

Details

(Keywords: csectype-disclosure, sec-moderate, Whiteboard: [addons-jira][adv-main111+])

Attachments

(2 files)

Bug 1802385 - Use NS_GetFinalChannelURI in FetchDriver
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
228 bytes, text/plain
Details

STR:

  1. Open the global browser console.

  2. Run the following snippet:
    await fetch("https://polished-glitter-21ad.hvfcetgxgijelkmhxy.workers.dev/redirect?url=" + WebExtensionPolicy.getByID('webcompat@mozilla.org').getURL('shims/live-test-shim.js') )

  3. Look at the reported URL.

Expected:

  • It should be the moz-extension://uuid/shims/live-test-shim.js URL

Actual:

  • It is the path to the underlying file or jar:-URL.
  • Example from local Firefox build: file:///path/to/mozilla-central/browser/extensions/webcompat/shims/live-test-shim.js
  • Example for a xpi file: jar:file:///path/to/addon-file.xpi!/shims/live-test-shim.js

This is especially a problem on Android, where extensions run in-process (i.e. extensions.webextensions.remote = false, until bug 1535365 is fixed). This means that a fetch from an extension page can leak the path of the underlying filesystem.

See Also: → 1745761
See Also: → CVE-2023-29538

I investigated this issue in bug 1685403 comment 31. Based on my current understanding, I think it has a similar source to the issue in that bug, but a fix for that bug wouldn't necessarily fix this bug.

Group: firefox-core-security

Marking as a sec bug out of an abundance of caution, as bug 1685403 is a security bug as well.

The severity field is not set for this bug.
:zombie, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tomica)

The underlying bug is being fixed in bug 1685403; I'm going to take this bug to attach a unit test for the specific scenarios.

I'm setting this as S2 because the other bug has the same severity. Marking as P2 because in practice the issue can only be triggered in this context on Android, where then number of supported extensions is limited.

Assignee: nobody → rob
Severity: -- → S2
Status: NEW → ASSIGNED
Depends on: CVE-2023-29538
Flags: needinfo?(tomica)
Priority: -- → P2
See Also: CVE-2023-29538

Depends on D164656

See Also: → https://mozilla-hub.atlassian.net/browse/WEBEXT-898
Whiteboard: [addons-jira]

I'm moving the relevant part for this bug from bug 1685403 to this patch as agreed upon in https://phabricator.services.mozilla.com/D164656#5476661 .

Attachment #9310909 - Attachment description: Bug 1802385 - Remove Android-specific test expectation → Bug 1802385 - Use NS_GetFinalChannelURI in FetchDriver

This bug was marked as a security bug out of caution (comment 2), because it links to another bug that's also marked a security bug. As explained at https://bugzilla.mozilla.org/show_bug.cgi?id=1685403#c42, the "security bug" part of that bug has already been fixed a long time ago. Moreover, there are no comments in this bug or patch that disclose information from bug 1685403. Therefore this bug does not automatically need to be flagged as a security bug.

The worst that this bug can do is that the path to Firefox's profile directory can be leaked on Android, e.g. as seen in the (failing) unit tests at https://bugzilla.mozilla.org/show_bug.cgi?id=1745761#c7 .

On Android, it looks like this: jar:file:///data/app/~~randomchars1==/org.mozilla.firefox_beta-randomchars2==/base.apk!/assets/extensions/webcompat/shims/live-test-shim.js

A potential practical application of this is fingerprinting, but there are other ways to do so (e.g. bug 1792377).

Severity: S2 → S3
No longer depends on: CVE-2023-29538
See Also: → CVE-2023-29538

Use NS_GetFinalChannelURI in FetchDriver r=rpl,valentin
https://hg.mozilla.org/integration/autoland/rev/554a5aa89673b88eda16bfe128656c5702afe5b9
https://hg.mozilla.org/mozilla-central/rev/554a5aa89673

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox111: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch

The patch landed in nightly and beta is affected.
:robwu, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox110 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(rob)
status-firefox110: affectedwontfix
Flags: needinfo?(rob)
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [addons-jira] → [addons-jira][adv-main111+]
Attached file advisory.txt
Alias: CVE-2023-28160
Group: core-security-release
See Also: → 1826867
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: