1813376 - (CVE-2023-25741) Same-Origin Policy Bypass Image Size Leak in Drag and Drop

Status: VERIFIED FIXED

(Core :: DOM: Copy & Paste and Drag & Drop, defect, P2)

Description

[D4ni31]

Attachment: poc.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

Steps to reproduce:

Title

• Same-Origin Policy Bypass Image Size Leak in Drag and Drop

Summary

• A Same-Origin Policy Bypass vulnerability exists in the Drag and Drop
• If this vulnerability is exploited, it is possible to bypass the Same-Origin Policy and leak the size of the Image.

Test environment

• Product : Mozilla Firefox 109
• OS : Windows 10 (21H2), macOS Ventura 13.2

Proof-of-Concept

• Please check the attached file!

Reproduce

• Open the server and access the poc page.
• When you drag and drop an image, the size of the image is leaked.

CREDIT Information

• Dohyun Lee (@l33d0hyun) of SSD Labs

Comment 1

[D4ni31]

Attachment: leak.jpg

Comment 2

[D4ni31]

similar case:
CVE-2022-42824 : Same-Origin Policy Bypass Image Size Leak in Apple Safari
https://support.apple.com/ko-kr/HT213495

Comment 3

[D4ni31]

This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2023-04-29.

Comment 4

[Tom S [:evilpie]]

Bug 1812611 should fix this case, we would simply not allow access to the image data when dragging in the same tab.

Comment 5

[Andrew McCreight [:mccr8]]

Does that mean this is also a regression from bug 1437126?

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1437126

Comment 7

[D4ni31]

This vulnerability works in the same way as the Safari SOP Bypass vulnerabilities I recently reported to Apple, CVE-2022-42824 and CVE-2022-46698.
There was no mention of firefox, but the PoC(CVE-2022-42824, CVE-2022-46698) for it has been released to some people, so a quick patch may be needed.

+crbug.com/1264873 has a very similar poc.

• Please set the sec-level and severity.

Comment 8

[Andrew McCreight [:mccr8]]

We'll look at this bug later today in our security triage meeting and assign a rating, hopefully.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

The bug is marked as tracked for firefox110 (beta) and tracked for firefox111 (nightly). We have limited time to fix this, the soft freeze is in 7 days. However, the bug still isn't assigned.

:hsinyi, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Comment 10

[Andrew McCreight [:mccr8]]

Tom, could you mark this bug as fixed if it was indeed entirely fixed by bug 1812611? Thanks.

Comment 11

[Tom Schuster (MoCo)]

This indeed entirely fixed by disabling the feature as done in bug 1812611.

Comment 12

[D4ni31]

Hi!

can i get a cve id??

Comment 13

[Tom S [:evilpie]]

Please stop need-infoing me. Other people will look at this.

Comment 14

[Andrew McCreight [:mccr8]]

(In reply to DoHyun Lee from comment #12)

can i get a cve id??

CVEs are typically assigned closer to release of the versions where fixes are shipped. If you are wondering about bug bounties, the bug bounty committee typically meets once a week to make decisions about those. This bug will be updated when either of those things happens.

Comment 15

[Tom Ritter [:tjr]]

Attachment: advisory.txt

Comment 16

[D4ni31]

CREDIT Information,

Dohyun Lee (@l33d0hyun) of SSD Labs

Thanks!

Comment 17

[D4ni31]

(In reply to DoHyun Lee from comment #16)

CREDIT Information,

Dohyun Lee (@l33d0hyun) of SSD Labs

Thanks!

Please check comment 16!

Comment 18

[Frederik Braun [:freddy]]

Attachment: advisory.txt

Comment 19

[Frederik Braun [:freddy]]

Done.

Comment 20

[D4ni31]

Thank you :)

Comment 21

[Alexandru Trif, Desktop QA [:atrif] [PTO: 1-8 May, please ni? :mboldan]]

Reproduced the issue with Firefox 111.0a1 (2023-01-29) on Windows 10x64. Loaded the attached test case inside a simple python server and dragged an image which resulted in showing the image size in an alert box.
The image size alert box is no longer displayed when dragging the images from the attached test case with Firefox 110.0.1, 111.0b8 and 112.0a1 (2023-03-05) on Windows 10x64, macOS 12 and Ubuntu 20.04.

Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!

Comment 22

[Tom Schuster (MoCo)]

Thanks Alexandru!

Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!

That is good enough. I had previously verified the fix on Nightly myself as well.

Comment 23

[Alexandru Trif, Desktop QA [:atrif] [PTO: 1-8 May, please ni? :mboldan]]

(In reply to Tom Schuster (MoCo) from comment #22)

Thanks Alexandru!

Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!

That is good enough. I had previously verified the fix on Nightly myself as well.

Thank you!
Closing per comment 21 and comment 22.