Closed Bug 1837675 (CVE-2023-37208) Opened 2 years ago Closed 2 years ago

Diagcab file extension = Executable files may contain viruses or other malicious code

Categories

(Firefox :: File Handling, defect, P1)

Firefox 115
Desktop
Windows
defect

Tracking


VERIFIED FIXED
116 Branch
Tracking Status
firefox-esr102 115+ verified
firefox114 --- wontfix
firefox115 + verified
firefox116 + verified

People

(Reporter: Puf, Assigned: Gijs)

References

Details

(Keywords: reporter-external, sec-moderate, sec-vector, Whiteboard: [adv-main115+][adv-esr102.13+])

Attachments

(5 files, 3 obsolete files)

Attached video Firefox POC.mp4

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.42

Steps to reproduce:

1. Create a .diagcab file.
2. Download it in Firefox and open it from Firefox.
3. No "Executable files may contain viruses or other malicious code that could harm your computer" warning appears.

Actual results:

The .diagcab file type comes under harmful files.

The .diagcab file extension should be blocklisted to prevent users from opening it directly from Firefox.

The .diagcab file extension leads to one-click exploits in Windows.

This file type is already blocklisted in the Chrome and Edge browsers.

It's better to add the popup warning ("Executable files may contain viruses or other malicious code that could harm your computer") for .diagcab files, to keep the system safe from exploits.

Status: UNCONFIRMED → NEW
Component: Untriaged → File Handling
Ever confirmed: true
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED

Uplift Approval Request

  • Fix verified in Nightly: no
  • Risk associated with taking this patch: Low
  • Is Android affected?: yes
  • Needs manual QE test: yes
  • Code covered by automated testing: yes
  • User impact if declined: sec-moderate
  • String changes made/needed: No
  • Steps to reproduce for manual QE testing: Try downloading a diagcab file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
  • Explanation of risk level: just adding an extension to a list
Severity: -- → S2
OS: Unspecified → Windows
Priority: -- → P1
Hardware: Unspecified → Desktop
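The check the uplift request describes ("just adding an extension to a list"), as an added illustration in JavaScript. This is not Firefox's own code (the real list and file-handling code are in Firefox's C++ layer), and the abbreviated extension lists, the helper names and the sample download names below are my own constructed assumptions. It shows the same lookup before and after `diagcab` is added, together with the Windows file-name normalisation a download handler has to mirror so that the name it checks is the name that actually ends up on disk.

```javascript
// Added example, not Firefox's code. Illustrates "just adding an extension to
// a list": an executable-extension check before and after the fix, plus the
// Windows file-name normalisation the check must mirror.

// Constructed, abbreviated lists; the real browser list is longer.
const EXECUTABLE_EXTS_BEFORE = new Set([
  "exe", "com", "bat", "cmd", "msi", "scr", "pif", "lnk", "hta",
  "js", "jse", "vbs", "vbe", "wsf", "ps1",
]);
// After the fix: the only change is one more entry.
const EXECUTABLE_EXTS_AFTER = new Set([...EXECUTABLE_EXTS_BEFORE, "diagcab"]);

// Win32 path normalisation (without the \\?\ prefix) drops trailing dots and
// spaces when a file is created, so "Fix.diagcab." and "Fix.diagcab " both
// land on disk as "Fix.diagcab". A check that looks at the name the server
// sent, rather than the name Windows will keep, can be bypassed.
function normalizeWindowsFilename(name) {
  return name.replace(/[. ]+$/, "");
}

// Lower-cased final extension of the name as Windows will store it, or "" if
// there is none. Only the last extension counts: Windows picks the handler by
// the final ".ext", so "report.txt.diagcab" is a diagcab file and
// "report.diagcab.txt" is a text file.
function extensionOf(name) {
  const base = normalizeWindowsFilename(name);
  const dot = base.lastIndexOf(".");
  if (dot <= 0) return ""; // no extension, or a dotfile such as ".profile"
  return base.slice(dot + 1).toLowerCase();
}

function isExecutable(name, exts) {
  return exts.has(extensionOf(name));
}

// For a batch of download names, report which ones get the executable warning
// under each list. Returns { before: [...], after: [...] }.
function warnedNames(names, before = EXECUTABLE_EXTS_BEFORE, after = EXECUTABLE_EXTS_AFTER) {
  return {
    before: names.filter((n) => isExecutable(n, before)),
    after: names.filter((n) => isExecutable(n, after)),
  };
}

// Constructed sample download names (assumption, not from the bug).
const SAMPLE_NAMES = [
  "setup.exe",
  "Fix.diagcab",
  "FIX.DIAGCAB",        // case must not matter
  "Fix.diagcab.",       // trailing dot: Windows stores it as Fix.diagcab
  "Fix.diagcab ",       // trailing space: same
  "report.txt.diagcab", // final extension wins
  "report.diagcab.txt", // a .txt file, not executable
  "notes.txt",
];

console.log(JSON.stringify(warnedNames(SAMPLE_NAMES), null, 2));
```

With the "before" list only `setup.exe` is flagged; with the "after" list every variant that Windows will store as a `.diagcab` file is flagged as well, while `report.diagcab.txt` and `notes.txt` are not. The normalisation step is the part worth keeping in mind when reviewing a fix of this shape: the prompt only helps if the extension check sees the same name the OS will hand to the diagnostics wizard.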

Note from uplift request on phab, copying for visibility:

The android bits here are a bit confusing - this code is compiled in on Android so in that sense, yes, it's affected. But on the flip side it's not affected by the sec bug... so what does that make of it? I dunno.

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Hello, for the bounty, do I have to email security@mozilla.org?

(In reply to Puf from comment #10)
> Hello, for the bounty, do I have to email security@mozilla.org?

I think the bounty flag needs setting, which I've just done for you. Pinging :tjr to check if there's anything else to do.

Flags: sec-bounty?
Flags: needinfo?(tom)

Thank You :)

Nope, thanks!

Flags: needinfo?(tom)

:mak, since :gijs is on PTO, could you take a look at adding an esr uplift request on this and a patch based on esr?

Flags: needinfo?(mak)
Attached file Bug 1837675. (obsolete) —

Comment on attachment 9340449 [details]
Bug 1837675.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate security issue, patched in other browsers
  • User impact if declined: diagcab files don't show the executable warning
  • Fix Landed on Version: 116
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): just adding an extension to a list
Flags: needinfo?(mak)
Attachment #9340449 - Flags: approval-mozilla-esr115?

Sorry, I tried to insert the request on Phabricator, but it keeps giving errors.

Comment on attachment 9340449 [details]
Bug 1837675.

Moving request to esr102

Attachment #9340449 - Flags: approval-mozilla-esr115? → approval-mozilla-esr102?
QA Whiteboard: [qa-triaged]

Reproduced the initial issue using an old Nightly from 2023-06-16: the Windows wizard is opened immediately after trying to open the .diagcab file.
Verified that using the latest Nightly 2023-06-25 and the latest Firefox 115.0b9 Beta there is now a prompt when trying to open .diagcab files, on both Windows 10 64-bit and Windows 11.

Prompt:
"<name>.diagcab is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch "<name>.diagcab"?"

Removing the qe-verify+ for now; will verify this on ESR as well once/if the fix reaches that branch.

Attached file Bug 1837675, r=dmeehan (obsolete) —

Comment on attachment 9341131 [details]
Bug 1837675, r=dmeehan

ESR Uplift Approval Request

See comment 16

Attachment #9341131 - Flags: approval-mozilla-esr102?
Attachment #9339285 - Flags: approval-mozilla-esr102?
Attachment #9339803 - Flags: approval-mozilla-esr102?
Attachment #9340449 - Attachment is obsolete: true
Attachment #9340449 - Flags: approval-mozilla-esr102?
Attachment #9339803 - Flags: approval-mozilla-esr102?
Attachment #9339285 - Flags: approval-mozilla-esr102?
Attachment #9341131 - Attachment is obsolete: true
Attachment #9341131 - Flags: approval-mozilla-esr102?
Attached file Bug 1837675, r=dmeehan (obsolete) —
Attachment #9341136 - Attachment is obsolete: true

Comment on attachment 9341137 [details]
Bug 1837675, r=dmeehan

ESR Uplift Approval Request

see comment 16

This one is on ESR branch. Sorry for the confusion, moz-phab was not doing what I was expecting.

Attachment #9341137 - Flags: approval-mozilla-esr102?

Comment on attachment 9341137 [details]
Bug 1837675, r=dmeehan

Approved for 102.13esr.

Attachment #9341137 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

Please, any status on the bounty?

Whiteboard: [adv-main115+]
Attachment #9341306 - Attachment filename: file_1837675.txt → advisory.txt
Whiteboard: [adv-main115+] → [adv-main115+][adv-esr102.13+]
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2023-37208

(In reply to Bogdan Maris, Desktop QA from comment #19)
> Reproduced the initial issue using an old Nightly from 2023-06-16: the Windows wizard is opened immediately after trying to open the .diagcab file.
> Verified that using the latest Nightly 2023-06-25 and the latest Firefox 115.0b9 Beta there is now a prompt when trying to open .diagcab files, on both Windows 10 64-bit and Windows 11.
>
> Prompt:
> "<name>.diagcab is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch "<name>.diagcab"?"
>
> Removing the qe-verify+ for now; will verify this on ESR as well once/if the fix reaches that branch.

Also verified that this is fixed on 102.13esr-build2 on the same configurations as above.

Status: RESOLVED → VERIFIED
See Also: → CVE-2023-4054
Group: core-security-release