Closed Bug 1843032 Opened 2 years ago Closed 1 year ago

Spoofing via filename download (firefox android)

Categories

(Firefox for Android :: Downloads, defect, P3)

Product:
Firefox for Android
Component:
Downloads
Version:
Firefox 117
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
127 Branch
Tracking Flags:
Tracking Status
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox127 --- fixed
firefox128 --- fixed
firefox129 --- fixed

People

(Reporter: sas.kunz, Assigned: rsainani)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [fixed in bug 1873528][client-bounty-form])

Attachments

(4 files)

firefox_downloadspoof.mp4
2.45 MB, video/mp4
Details
downloadspoof.html
524 bytes, text/html
Details
spoof.jpg
23.67 KB, image/jpeg
Details
downloadff.jpg
21.57 KB, image/jpeg
Details

I found vulnerability via filename donwload using \n or \r . lead to spoof filename

step to produce:

  1. open http://103.186.0.20/downloadspoof.html or downloadspoof.html
  2. click "open" button

impact : victim can be spoofed will think that it is a document file and even though it is an apk file

Flags: sec-bounty?
Attached file downloadspoof.html
Attached image spoof.jpg

using filename : "fakeapk.doc\r\r\n\n\n\rhacked\n\rlink\rdownload\r:\rattacker.com\n.apk"

Group: firefox-core-security → mobile-core-security
Component: Security → Downloads
Product: Firefox → Fenix
See Also: → 1843037

The severity field is not set for this bug.
:mavduevskiy, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mavduevskiy)
Severity: -- → N/A
status-firefox116: --- → affected
status-firefox117: --- → affected
status-firefox118: --- → affected
Flags: needinfo?(mavduevskiy)
OS: Unspecified → Android
Priority: -- → P3
Version: unspecified → Firefox 117

Thanks for reporting this bug! It looks like were are displaying the file name exactly the way it is.

There are a few paths that we could take. Firefox desktop replaces special characters with a single space, while Android Chrome with the underscore. I would actually vote for underscore in this case, as files names with empty spacing in the name often leads to unexpected problems – though generally Linux is capable of handling those.

It might also be a good idea to ask the UX team to take a look into this.

The severity field is not set for this bug.
:mavduevskiy, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mavduevskiy)

Firefox Desktop uses spaces, but it's careful to make sure the filename is shown on one line. It doesn't linebreak on those spaces, and formats the dialog to clearly distinguish between the part that is the filename and the part that comes from Firefox. With the simple Android panel (visually more appealing than the desktop one) you can see there's lots of room for an attacker to add text that might look like explanation "from Firefox" to further the spoof. We need to coalesce whitespace to prevent that. [On desktop they have to be careful to show the end of the filename in case the single-line filename is "too long": they truncate the front of the filename.]

Can we simply not, though? No download for you, you malicious bastard! Do we have a fallback if the download attribute isn't given at all, or is entirely invalid characters? If so, would that work? For an https link we try to use the filename in the URL, but that doesn't apply here with a data: url. Sadly we can't be that strict: a site might use a valid character on their tested platform that happens to be invalid on Android, but we shouldn't punish Firefox users for the site's problems.

Bug 1822968 is a completely different issue, but coordinate work so we don't stomp on the dialog changes

If android coalesces whitespaces, it will cause linebreak given how limited screen width is available for a phone. I do believe that going with coalesced underscore is a safer bet.

If the name is not provided, Fenix will use to come up with a based on url file name, with a fallback 'downloadfile'

We don't truncate really long file-names though, we display some lines and the rest of context is scrollable. Maybe it's also something we should look into.

I don't think we could manipulate heavily (like denying) with logic depending on the naming, but some form of sanitizing is definitely needed.
There is another bug related to not sanitized names – 1815613. A good sanitizing function would kill two birds, but the usecase is different and I won't mark it as duplicate.

I wonder what's inside the bug? I don't have access

Flags: needinfo?(mavduevskiy) → needinfo?(dveditz)
Blocks: 1843037
Flags: needinfo?(dveditz)
Keywords: csectype-spoof, sec-moderate
See Also: 1843037

Hello any updates?

Attached image downloadff.jpg

I tried it on the latest Firefox Nightly and I can't reproduce it. The file name if there is a space has been changed to "_" have you fixed it?

Flags: needinfo?(mavduevskiy)
Flags: needinfo?(dveditz)
Flags: needinfo?(cpeterson)
Duplicate of this bug: 1843037

It appears this was fixed in bug 1873528 (patch https://hg.mozilla.org/mozilla-central/rev/38e15afaa78d) by folks who likely couldn't see this bug.

If that hadn't been fixed first, the fix for bug 1815613 (filed earlier, but fixed later) may have led to blocking the control characters too. Or maybe it would not have.

The description of a spoofing attack here is different from what the developers thought they were fixing in that other bug. Therefore I'm going to close this one as "FIXED" depending on that other bug rather than make it a duplicate merely because the fix was the same. That will work better for judging this for the bug bounty.

status-firefox116: affectedwontfix
status-firefox117: affectedwontfix
status-firefox118: affectedwontfix
status-firefox127: --- → fixed
status-firefox128: --- → fixed
status-firefox129: --- → fixed
Depends on: 1873528
Flags: needinfo?(mavduevskiy)
Flags: needinfo?(dveditz)
Flags: needinfo?(cpeterson)
See Also: → 1815613
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [fixed in bug 1873528][client-bounty-form]
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: sec-bounty? → sec-bounty+
Resolution: --- → FIXED
Assignee: nobody → rsainani
Group: mobile-core-security → core-security-release
Target Milestone: --- → 127 Branch
See Also: → CVE-2024-9395
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: