Closed Bug 1817768 (CVE-2023-28163) Opened 1 year ago Closed 1 year ago

Vulnerability in Firefox 'Save As' Dialog Allows Attackers to Steal Environment Variables

Categories

Firefox :: File Handling, defect
Platform: Desktop / All
Tracking

Status: VERIFIED FIXED
Target Milestone: 112 Branch
Tracking Status
firefox-esr102 111+ fixed
firefox110 --- wontfix
firefox111 + fixed
firefox112 + fixed

People

(Reporter: fazim.pentester, Assigned: molly)

Details

(Keywords: csectype-disclosure, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main111+][adv-esr102.9+])

Attachments

(3 files)

Attached file poc.html

Normally, when a file is saved using the "Save As" dialog in the Firefox browser, the user is protected from different types of attacks by filtering out dangerous extensions or characters.

However, there is a remaining vulnerability where an attacker can place environment variables at the end of the file extension, which allows % signs to pass through without being filtered. An attacker can exploit this vulnerability to steal a victim's stored environment variables, such as various secret keys (AWS, Azure, Firebase, etc.), or other tokens.

Steps to Reproduce:

This vulnerability works when a user has set the "Save As" dialog as the default download option (Settings → Files and Applications → Downloads → “Always ask you where to save files” is checked). Alternatively, an attacker could lure the victim into using the right-click download method, which always opens the "Save As" dialog for downloading a file.

  1. Download and open the poc.html file in Firefox.
  2. Download the file using one of the methods mentioned above on the poc.html page.
  3. Upload the downloaded file to the poc.html page and observe that the secret is extracted (in this case, the username environment variable is used).

This vulnerability is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1765049 and https://bugs.chromium.org/p/chromium/issues/detail?id=1247389

Flags: sec-bounty?
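The defect above is a filter applied to the base name but not to the extension, so a `%VAR%` token placed after the last dot survives into the saved filename, where a shell or file manager on the victim's machine may expand it. The following is an added illustration of that mitigation gap and its fix, written here for this page; it is not Firefox's own download code, and the set of characters treated as illegal and the `sanitizeBaseOnly` / `sanitizeFilename` names are assumptions made for the example. The sample filename is constructed.

```javascript
// Added example (not Firefox's code): a download-filename sanitizer that
// applies the same character filter to the base name AND the extension.
// Assumed set of characters that must never reach a saved filename. Only '%'
// matters for the bug on this page; the rest are common filesystem-reserved
// characters included so the filter is a realistic one.
const ILLEGAL_CHARS = /[%<>:"\/\\|?*\x00-\x1f]/g;

// Split "name.ext" at the last dot. A leading dot (".bashrc") is not an
// extension separator.
function splitNameAndExtension(filename) {
  const dot = filename.lastIndexOf(".");
  if (dot <= 0) return { base: filename, ext: "" };
  return { base: filename.slice(0, dot), ext: filename.slice(dot + 1) };
}

// Weak version (the pre-fix shape described in the report): only the base
// name is filtered, the extension is appended untouched.
function sanitizeBaseOnly(filename) {
  const { base, ext } = splitNameAndExtension(filename);
  const cleanBase = base.replace(ILLEGAL_CHARS, "");
  return ext ? `${cleanBase}.${ext}` : cleanBase;
}

// Hardened version: the same filter on both parts, trailing dots/spaces
// trimmed, and a fallback name if nothing usable remains.
function sanitizeFilename(filename) {
  const { base, ext } = splitNameAndExtension(filename);
  const cleanBase =
    base.replace(ILLEGAL_CHARS, "").replace(/[. ]+$/, "") || "download";
  const cleanExt = ext.replace(ILLEGAL_CHARS, "").replace(/[. ]+$/, "");
  return cleanExt ? `${cleanBase}.${cleanExt}` : cleanBase;
}

// Check helper for tests or logging: does a filename still carry an
// unexpanded %VAR% reference? A sanitizer that lets this through has the
// gap this bug describes.
function containsEnvReference(filename) {
  return /%[A-Za-z_][A-Za-z0-9_]*%/.test(filename);
}

// Constructed sample: an environment-variable token after the last dot,
// so it lands in the extension rather than the base name.
const SAMPLE = "report.txt%USERNAME%";
console.log(sanitizeBaseOnly(SAMPLE)); // report.txt%USERNAME%  (token survives)
console.log(sanitizeFilename(SAMPLE)); // report.txtUSERNAME    (% stripped)
```

The check to take from this: run the filter over every component of the final path, not only the part a user sees first. Stripping `%` is enough to defeat expansion on Windows; the extra characters in `ILLEGAL_CHARS` are there because a real sanitizer has to serve every platform at once.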

Molly, are you able to take a look at this given the similarities to bug 1765049?

Status: UNCONFIRMED → NEW
Component: Security → File Handling
Ever confirmed: true
Flags: needinfo?(mhowell)
OS: Unspecified → All
Hardware: Unspecified → Desktop

Sure.

Assignee: nobody → mhowell
Status: NEW → ASSIGNED
Flags: needinfo?(mhowell)

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: There unfortunately isn't anything really going on in this patch that wasn't already in bug 1817768, so if it's going to be easy, then it already was easy.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should be trivial on all counts.
  • How likely is this patch to cause regressions; how much testing does it need?: This is exactly the same fix as bug 1817768, applied to the file extension string instead of just the name, so risk should be very very low.
  • Is Android affected?: No
Attachment #9319066 - Flags: sec-approval?

I assume the bug references in the sec approval request were intended to be bug 1765049.

That's correct, I apologize.

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Approved to request uplift and land.

Attachment #9319066 - Flags: sec-approval? → sec-approval+

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Remote information disclosure vulnerability.
  • Fix Landed on Version: 112
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Please see sec-approval request in comment 4.

Beta/Release Uplift Approval Request

  • User impact if declined:
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:
  • Is Android affected?: No
Attachment #9319066 - Flags: approval-mozilla-esr102?
Attachment #9319066 - Flags: approval-mozilla-beta?
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

Thank you for addressing the reported issue in a timely manner. As the bug seems to have been fixed quickly, can I request approval for a security bounty? Thank you.

Flags: needinfo?(dveditz)

The sec-bounty? flag has been set, and the bug has now been closed, so it will be reviewed at the weekly bug bounty meeting.

Flags: needinfo?(dveditz)

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Approved for 111.0b7

Attachment #9319066 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

The rating keywords copied over from the older bug don't match this one. Although the mechanism is similar, the capability is not. The requirement to have to re-upload the file you just downloaded makes this a very unlikely attack to succeed and requires a moderate rating. The values of most standard environment variables are explicitly listed as "moderate" in our criteria. Grabbing a special key value as mentioned in comment 0 would certainly be much more severe and you could plausibly target developers who might have such variables, but you still have the "convince to re-upload" hurdle.

This is a good find, just wrongly rated.

Flags: sec-bounty? → sec-bounty+

Comment on attachment 9319066 [details]
Bug 1817768 - Filter out illegal file extensions. r=gijs

Approved for 102.9esr.

Attachment #9319066 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main111+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main111+] → [reporter-external] [client-bounty-form] [verif?][adv-main111+][adv-esr102.9+]
Alias: CVE-2023-28163
Group: core-security-release
Status: RESOLVED → VERIFIED
