Closed Bug 1817768 (CVE-2023-28163) Opened 3 years ago Closed 3 years ago

Vulnerability in Firefox 'Save As' Dialog Allows Attackers to Steal Environment Variables

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 111+ fixed
firefox110 --- wontfix
firefox111 + fixed
firefox112 + fixed

People

(Reporter: fazim.pentester, Assigned: molly)

References

Details

(Keywords: csectype-disclosure, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main111+][adv-esr102.9+])

Attachments

(3 files)

poc.html
866 bytes, text/html
Details
Bug 1817768 - Filter out illegal file extensions. r=gijs
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
dmeehan
: approval-mozilla-esr102+
tjr
: sec-approval+
Details | Review
advisory.txt
343 bytes, text/plain
Details
Attached file poc.html

Normally, when a file is saved using the "Save As" dialog in the Firefox browser, the user is protected from different types of attacks by filtering out dangerous extensions or characters.

However, there is a remaining vulnerability where an attacker can place environment variables at the end of the file extension, which allows % signs to pass through without being filtered. An attacker can exploit this vulnerability to steal a victim's stored environment variable, such as various secret keys ( AWS, AZURE, Firebase, etc.), or other tokens.

Steps to Reproduce:

This vulnerability works when a user has set the "Save As" dialog as the default download option (Settings → Files and Applications → Downloads → “Always ask you where to save files” is checked). Alternatively, an attacker could lure the victim into using the right-click download method, which always opens the "Save As" dialog for downloading a file.

  1. Download and open the poc.html file in Firefox.
  2. Download the file using one of the methods mentioned above on the poc.html page.
  3. Upload the downloaded file to the poc.html page and observe that the secret is extracted (in this case, the username environment variable is used).

this vulnerability is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1765049 and https://bugs.chromium.org/p/chromium/issues/detail?id=1247389

Flags: sec-bounty?

Molly, are you able to take a look at this given the similarities to bug 1765049?

Blocks: CVE-2022-31739
Status: UNCONFIRMED → NEW
Component: Security → File Handling
Ever confirmed: true
Flags: needinfo?(mhowell)
OS: Unspecified → All
Hardware: Unspecified → Desktop

Sure.

Assignee: nobody → mhowell
Status: NEW → ASSIGNED
Flags: needinfo?(mhowell)

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: There unfortunately isn't anything really going on in this patch that wasn't already in bug 1817768, so if it's going to be easy, then it already was easy.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should be trivial on all counts.
  • How likely is this patch to cause regressions; how much testing does it need?: This is exactly the same fix as bug 1817768, applied to the file extension string instead of just the name, so risk should be very very low.
  • Is Android affected?: No
Attachment #9319066 - Flags: sec-approval?

I assume the bugs references in the sec approval request were intended to be bug 1765049.

Keywords: csectype-priv-escalation, sec-high

That's correct, I apologize.

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Approved to request uplift and land.

Attachment #9319066 - Flags: sec-approval? → sec-approval+

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Remote information disclosure vulnerability.
  • Fix Landed on Version: 112
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Please see sec-approval request in comment 4.

Beta/Release Uplift Approval Request

  • User impact if declined:
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:
  • Is Android affected?: No
Attachment #9319066 - Flags: approval-mozilla-esr102?
Attachment #9319066 - Flags: approval-mozilla-beta?

Filter out illegal file extensions. r=Gijs
https://hg.mozilla.org/integration/autoland/rev/92e31c77313890eaa09939ab5a367cb1e4f3067b
https://hg.mozilla.org/mozilla-central/rev/92e31c773138

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox112: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

Thank you for addressing the reported issue in a timely manner. As the bug seems to have been fixed quickly, can I request approval for a security bounty? Thank you.

Flags: needinfo?(dveditz)

The sec-bounty? flag has been set, and the bug has now been closed, so it will be reviewed at the weekly bug bounty meeting.

Flags: needinfo?(dveditz)

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Approved for 111.0b7

Attachment #9319066 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

The rating keywords copied over from the older bug don't match this one. Although the mechanism is similar, the capability is not. The requirement to have to re-upload the file you just downloaded makes this a very unlikely attack to succeed and requires a moderate rating. The value of most standard environment variables are explicitly listed as "moderate" in our criteria. Grabbing a special key value as mentioned in comment 0 would certainly be much more severe and you could plausibly target developers who might have such variables, but you still have the "convince to re-upload" hurdle.

This is a good find, just wrongly rated.

Flags: sec-bounty? → sec-bounty+
Keywords: csectype-priv-escalation, sec-highcsectype-disclosure, sec-moderate

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Approved for 102.9esr.

Attachment #9319066 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main111+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main111+] → [reporter-external] [client-bounty-form] [verif?][adv-main111+][adv-esr102.9+]
Attached file advisory.txt
Alias: CVE-2023-28163
Blocks: CVE-2023-29545
Group: core-security-release
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: