Closed Bug 1840777 (CVE-2023-4054) Opened 10 months ago Closed 9 months ago

.appref-ms file extension = Executable file may contain viruses or other malicious code

Categories

(Firefox :: File Handling, defect)

Tracking

VERIFIED FIXED
117 Branch
Tracking Status
firefox-esr102 116+ verified
firefox-esr115 116+ verified
firefox115 --- wontfix
firefox116 + verified
firefox117 + verified

People

(Reporter: Puf, Assigned: mak)

Details

(Keywords: sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main116+] [adv-ESR115.1+] [adv-ESR102.14+])

Attachments

(6 files, 2 obsolete files)

Firefox Version: [115.0] + [116.0a1]
Operating System: [Windows 10]

.appref-ms = ClickOnce application reference. Basically a .lnk for ClickOnce apps.

An appref-ms file can be created that will act similar to an LNK or shortcut file that will contain the URL of the deployment manifest and some other pieces of information.

Chrome Browser & Microsoft Edge :

    file_types {
      # ClickOnce application reference. Basically a .lnk for ClickOnce apps.
      extension: "appref-ms"
      uma_value: 144
      ping_setting: FULL_PING
      platform_settings {
        platform: PLATFORM_TYPE_WINDOWS
        danger_level: ALLOW_ON_USER_GESTURE
        auto_open_hint: DISALLOW_AUTO_OPEN
      }
    }

This File is Already Blocklisted in Chrome & Edge Browsers

It's better to add a popup warning [Executable files may contain viruses or other malicious code that could harm your computer]
to the .appref-ms file to keep the system safe from malicious files/code.

Flags: sec-bounty?
Attached video Firefox appref-ms.mp4

Step To Reproduce:

  1. Create .appref-ms File.
  2. Download Using Firefox Browser
  3. Open File [No Warning]

I haven't tested this myself, but I do see ".appref-ms" in ApplicationReputationService::kBinaryFileExtensions. I'm not sure if that's supposed to be sufficient or what.

Component: Security → File Handling

(It looks like that got added in bug 1291472.)

(In reply to Andrew McCreight [:mccr8] from comment #3)

> I haven't tested this myself, but I do see ".appref-ms" in ApplicationReputationService::kBinaryFileExtensions. I'm not sure if that's supposed to be sufficient or what.

But there is no popup warning [Executable files may contain viruses or other malicious code that could harm your computer] for this file ".appref-ms". I have attached a PoC video, please check it out once.

I have done testing in both the latest Beta version & Nightly (64-bit).

There is [No Warning]

https://youtu.be/4FtVwiuBtx4 = Video Black Hat Explanation on Click Once Appref-ms Abuse

> (It looks like that got added in bug 1291472.)

That was for SafeBrowsing "application reputation" checking, but that doesn't necessarily block all files with that extension. It would only block "known bad ones" which isn't going to happen for a one-off attack.

It needs to be added to the executable list in nsLocalFileCommon.cpp

How hard would it be to set up some kind of auto-update or at least alerting for when Chrome updates their list?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-moderate

Chrome has marked a lot of files as DISALLOW_AUTO_OPEN that we don't consider executable. But yes, it's a good idea to have a notification, we should speak with Marco Castelluccio and see if some automated tool could be set up. For now we can use third party tools to monitor their source page.
This addition was made quite in the past anyway (2016), I'm not sure why at the time it was only added to apprep.

Attached file Bug 1840777. r=mtigley
Assignee: nobody → mak
Status: NEW → ASSIGNED
Attached file Bug 1840777. r=mtigley (obsolete) —
Attached file Bug 1840777.
Attachment #9342693 - Attachment is obsolete: true
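
The alerting idea raised in the comments above, as an added example (not Mozilla's or Chrome's code): it parses entries in the text-proto layout quoted in the report and lists extensions marked DISALLOW_AUTO_OPEN upstream that a local executable list lacks. `LOCAL_EXECUTABLES`, the function names and the two `example*` entries are constructed for illustration; the output is a list for manual triage, since not every DISALLOW_AUTO_OPEN type is one the browser considers executable.

```python
import re

# Constructed input; only the appref-ms entry is from the page, the rest is made up.
SAMPLE_CHROME_LIST = '''
file_types {
  # ClickOnce application reference. Basically a .lnk for ClickOnce apps.
  extension: "appref-ms"
  uma_value: 144
  ping_setting: FULL_PING
  platform_settings {
    platform: PLATFORM_TYPE_WINDOWS
    danger_level: ALLOW_ON_USER_GESTURE
    auto_open_hint: DISALLOW_AUTO_OPEN
  }
}
file_types { extension: "exampleexe" platform_settings { auto_open_hint: DISALLOW_AUTO_OPEN } }
file_types { extension: "exampledoc" platform_settings { auto_open_hint: ALLOW_AUTO_OPEN } }
'''
# Hypothetical stand-in for the browser's own executable-extension list.
LOCAL_EXECUTABLES = {"exe", "lnk", "msi"}
# Tokens: comment | block open | key: value | block close
TOKEN = re.compile(r'#[^\n]*|(\w+)\s*\{|(\w+)\s*:\s*("[^"]*"|\w+)|(\})')

def parse_file_types(text):
    """Return {extension: [platform_settings dict, ...]} from text-proto input."""
    entries, stack = {}, []
    for block, key, value, close in (m.groups() for m in TOKEN.finditer(text)):
        if block:
            stack.append((block, {}))
        elif key and stack:
            stack[-1][1][key] = value.strip('"')
        elif close and stack:
            name, fields = stack.pop()
            if name == "platform_settings" and stack:
                stack[-1][1].setdefault("_platforms", []).append(fields)
            elif name == "file_types" and "extension" in fields:
                entries[fields["extension"].lower()] = fields.get("_platforms", [])
    return entries

def missing_from_local(chrome_text, local, platform="PLATFORM_TYPE_WINDOWS"):
    """List (extension, danger_level) the upstream list won't auto-open but `local` lacks."""
    findings = []
    for ext, platforms in parse_file_types(chrome_text).items():
        # Assumption: settings without a platform field apply to every platform.
        hits = [ps for ps in platforms
                if ps.get("platform", platform) == platform
                and ps.get("auto_open_hint") == "DISALLOW_AUTO_OPEN"]
        if hits and ext not in local:
            findings.append((ext, hits[0].get("danger_level", "unset")))
    return sorted(findings)
```

Calling `missing_from_local(SAMPLE_CHROME_LIST, LOCAL_EXECUTABLES)` reports `appref-ms` together with its upstream `danger_level`, which gives the person triaging the alert the context to decide whether the type belongs in the local list.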

Comment on attachment 9342694 [details]
Bug 1840777.

Beta/Release Uplift Approval Request

  • User impact if declined: sec-moderate
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Try downloading an appref-ms file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): just adding an extension to a list
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9342694 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Attached file Bug 1840777. r=mtigley (obsolete) —
Attachment #9342698 - Attachment is obsolete: true

Apart from ESR115 (looks like lando is broken yet, so waiting), Is it worth uplifting to ESR102?

Flags: needinfo?(dveditz)
Attachment #9342694 - Attachment description: Bug 1840777. r=mtigley → Bug 1840777.
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch
QA Whiteboard: [qa-triaged]

Using Firefox 116.0b3 I don't get any notification once the .appref-ms file is downloaded and I click on the file. Using latest Nightly 117.0a1 with the fix on Windows 10 64bit the ".appref-ms" is the executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch ".appref-ms"? prompt is displayed when clicking on the downloaded file.
Here is the file I used, not mine (https://github.com/jiaminliu/HW4/blob/master/Desktop/GitHub.appref-ms) for testing purposes.

Comment on attachment 9342694 [details]
Bug 1840777.

Approved for 116.0b4

Attachment #9342694 - Attachment description: Bug 1840777. → Bug 1840777. r=mtigley
Attachment #9342694 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

(In reply to Bogdan Maris, Desktop QA from comment #17)

> Using Firefox 116.0b3 I don't get any notification once the .appref-ms file is downloaded and I click on the file. Using latest Nightly 117.0a1 with the fix on Windows 10 64bit the ".appref-ms" is the executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch ".appref-ms"? prompt is displayed when clicking on the downloaded file.
> Here is the file I used, not mine (https://github.com/jiaminliu/HW4/blob/master/Desktop/GitHub.appref-ms) for testing purposes.

Also verified as fixed using beta build https://treeherder.mozilla.org/jobs?repo=mozilla-beta&revision=1dcdc0d37b33c854558ec0ef2561545b2254d192 which contains this fix.

Flags: qe-verify+

Uplift Approval Request

  • Steps to reproduce for manual QE testing: Try downloading an appref-ms file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
  • Explanation of risk level: just adding an extension to a list
  • Code covered by automated testing: yes
  • Needs manual QE test: yes
  • Is Android affected?: yes
  • User impact if declined: sec-moderate
  • Risk associated with taking this patch: low
  • String changes made/needed: none
  • Fix verified in Nightly: yes
Flags: qe-verify+

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)

(In reply to Marco Bonardo [:mak] from comment #15)

> Apart from ESR115 (looks like lando is broken yet, so waiting), Is it worth uplifting to ESR102?

Yes, we should. ESR-102 is supported for another 3 months and this sec-moderate fix is essentially riskless.

Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(dveditz)
See Also: → CVE-2023-37208

(In reply to Bogdan Maris, Desktop QA from comment #20)

> (In reply to Bogdan Maris, Desktop QA from comment #17)
>
> > Using Firefox 116.0b3 I don't get any notification once the .appref-ms file is downloaded and I click on the file. Using latest Nightly 117.0a1 with the fix on Windows 10 64bit the ".appref-ms" is the executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch ".appref-ms"? prompt is displayed when clicking on the downloaded file.
> > Here is the file I used, not mine (https://github.com/jiaminliu/HW4/blob/master/Desktop/GitHub.appref-ms) for testing purposes.
>
> Also verified as fixed using beta build https://treeherder.mozilla.org/jobs?repo=mozilla-beta&revision=1dcdc0d37b33c854558ec0ef2561545b2254d192 which contains this fix.

Also verified as fixed using 115esr build https://treeherder.mozilla.org/jobs?repo=mozilla-esr115&revision=6d84a1a2d030251a166f188a6bae95bb83fcd213 which contains this fix.

Attached file Bug 1840777

Uplift Approval Request

  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Risk associated with taking this patch: low
  • Is Android affected?: yes
  • Explanation of risk level: just adding an extension to a list
  • String changes made/needed: none
  • Needs manual QE test: yes
  • User impact if declined: sec-moderate
  • Steps to reproduce for manual QE testing: Try downloading an appref-ms file. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening a Windows wizard to install something
Attachment #9343449 - Attachment description: WIP: Bug 1840777. → Bug 1840777
Attachment #9343449 - Flags: approval-mozilla-esr102?

Comment on attachment 9343449 [details]
Bug 1840777

Approved for 102.14esr

Attachment #9343449 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Attachment #9343210 - Flags: approval-mozilla-esr115+
Attachment #9342694 - Attachment description: Bug 1840777. r=mtigley → Bug 1840777.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main116+][adv-ESR115.1+][adv-ESR112.14+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main116+][adv-ESR115.1+][adv-ESR112.14+] → [reporter-external] [client-bounty-form] [verif?] [adv-main116+] [adv-ESR115.1+] [adv-ESR102.14+]
Group: core-security-release
Alias: CVE-2023-4054