Closed Bug 1846061 Opened 1 year ago Closed 1 year ago

Something in Firefox seems to be writing addons to /tmp/tmpaddon

Categories

(Toolkit :: Add-ons Manager, defect)

Firefox 115
defect

RESOLVED INCOMPLETE

People

(Reporter: 711924474as, Unassigned)

References

Details

Attachments

(1 file)

Attached image h1.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Firefox for Android

Steps to reproduce:

I also reproduced this by creating two new profiles through the profile manager. After several runs in each profile, I had two new tmpaddon files in /tmp.

This is a particular problem for obfuscation as each run uses a new metafile, and those files take up /tmp space in test cases.

for the installation process. (It is mentioned in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1385303, which seems to confirm this.) This needs confirmation to make sure it's not insecure (that the tempfile has a vulnerability), but even if it isn't, you must lock the temporary file name to avoid conflicts with other users.

These are the only two references to "tmpaddon", and openUnique creates unique file names with the specified prefix. So this should not happen.

Actual results:

$ file /tmp/tmpaddon
/tmp/tmpaddon: Zip archive data, at least v2.0 to extract, compression method=deflate

$ file /tmp/xa-5PV781/libgmpopenh264.so
/tmp/xa-5PV781/libgmpopenh264.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped

$ unzip -l /tmp/tmpaddon
Archive:  /tmp/tmpaddon
  Length      Date    Time    Name
---------  ---------- -----   ----
      116  2023-04-27 18:03   gmpopenh264.info
  1592408  2023-04-27 18:04   libgmpopenh264.so
---------                     -------
  1592524                     2 files

Through privilege escalation, the attacker can write arbitrary code for the target system

Expected results:

https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1563743.html
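The hazard comment 0 points at is a fixed, guessable file name (/tmp/tmpaddon) in a world-writable temp directory shared between local users. The following Python is an added example, not code from this bug or from Firefox: it models the two behaviours side by side in a constructed sandbox directory standing in for /tmp. `write_predictable` opens the fixed path the way a naive writer would; `write_unique` creates the file with O_CREAT|O_EXCL (owner-only mode) and only falls back to a random suffix when the bare name is already taken. The suffix scheme and the "bare prefix first, unique name only on later creations" order are an assumed model of the createUnique pattern discussed in the thread, not Firefox's actual openUnique. A pre-planted symlink at the predictable name shows why the first writer is unsafe between users and the second is not.

```python
import os
import tempfile

PREFIX = "tmpaddon"  # the fixed name observed under /tmp in the report
# Constructed stand-in for the downloaded addon zip; not a real archive.
SAMPLE_ZIP = b"PK\x03\x04 constructed stand-in for the addon zip"


def write_predictable(tmpdir, data):
    """Insecure pattern: a fixed, guessable path under a shared temp dir.

    open() follows an existing symlink at the path, so whoever planted
    <tmpdir>/tmpaddon first decides which file really gets truncated and
    overwritten with our data.
    """
    path = os.path.join(tmpdir, PREFIX)
    with open(path, "wb") as f:
        f.write(data)
    return path


def write_unique(tmpdir, data, attempts=100):
    """Hardened pattern: create-or-fail, never adopt a pre-existing name.

    O_EXCL makes open() fail with EEXIST if anything (regular file, symlink,
    even a dangling symlink) already has that name; O_NOFOLLOW is belt and
    braces. On a collision a random suffix is appended. This is an assumed
    model of the createUnique behaviour, not Firefox's own openUnique.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    candidate = os.path.join(tmpdir, PREFIX)
    for _ in range(attempts):
        try:
            fd = os.open(candidate, flags, 0o600)  # owner-only permissions
        except FileExistsError:
            candidate = os.path.join(tmpdir, f"{PREFIX}-{os.urandom(3).hex()}")
            continue
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return candidate
    raise RuntimeError("could not create a unique temp file")


def simulate_symlink_attack(writer):
    """Constructed scenario: another local user pre-plants <tmpdir>/tmpaddon
    as a symlink to a file of their choosing, then `writer` runs.

    Returns (victim_file_clobbered, basename_actually_written, mode_bits).
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim")
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, os.path.join(tmpdir, PREFIX))

        path = writer(tmpdir, SAMPLE_ZIP)

        with open(victim, "rb") as f:
            clobbered = f.read() != b"original"
        mode = os.lstat(path).st_mode & 0o777
        return clobbered, os.path.basename(path), mode


def first_name_in_clean_dir():
    """With nothing pre-existing, the hardened writer still uses the bare prefix."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return os.path.basename(write_unique(tmpdir, SAMPLE_ZIP))


if __name__ == "__main__":
    for w in (write_predictable, write_unique):
        print(w.__name__, simulate_symlink_attack(w))
```

Running it on a POSIX system shows `write_predictable` silently overwriting the victim file through the planted symlink, while `write_unique` refuses the taken name and lands on a suffixed one with mode 0600. Note the caveat this also illustrates: even with O_EXCL, the first attempt is still at a guessable name, and a stale `tmpaddon` left behind by an earlier run is exactly what pushes later runs onto the suffixed names seen in the thread.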

I only see one "tmpaddon" in your screenshot. The unique name should only kick in on subsequent creations, as in bug 1385303.

This was supposed to have been fixed long ago in bug 1473837. I wonder if the fact that these are GMP plugins rather than true addons sends it down a different path. In other words, bug 1385303 may have not really been a dupe of bug 1473837.

How do you launch the profile manager in Firefox for Android?

Jesse: does bug 1385303 remain fixed on Linux?

Component: Untriaged → Add-ons Manager
Flags: needinfo?(jschwartzentruber)
Product: Firefox → Toolkit
See Also: → 1473837

> Lock the temporary file name to avoid conflicts with other users.

What other users are using your phone the same time as you?

Flags: needinfo?(711924474as)

(In reply to Daniel Veditz [:dveditz] from comment #1)

> How do you launch the profile manager in Firefox for Android?

As far as I know we don't support the profile manager in Firefox for Android builds on top of GeckoView (we don't even support any extra arguments to point GeckoView-based apps to a profile at a given path, which used to be supported by Fennec-based builds in the past); the Firefox for Android profile will be in the application's data (only accessible to the user associated with the Android app itself and possibly a root user).

> What other users are using your phone the same time as you?

The fact that I don't think the profile manager is actually supported in Firefox for Android, along with the fact that the file manager application and the /tmp directory from the attached screenshot looks like coming from a Linux Desktop system, is making me wonder if the "Firefox for Android" part in comment 0 has been included just by mistake, and the reporter is actually hitting this issue in a Linux Desktop build and not on Android.

Hello, I'm sorry I added Firefox for Android. I'm using a desktop Linux system.
I added an addon and then found the reported file in my cache files.
Well, I had another account for Firefox.

Flags: needinfo?(711924474as)

(In reply to Daniel Veditz [:dveditz] from comment #1)

> Jesse: does bug 1385303 remain fixed on Linux?

Yes, I have two tmpaddons, which look like two different versions of gmpopenh264.

Path = /tmp/tmpaddon-3c8450
Type = zip
Physical Size = 511815

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2019-03-02 12:47:07 .....          116           97  gmpopenh264.info
2019-03-02 12:47:26 .....      1381690       511374  libgmpopenh264.so
------------------- ----- ------------ ------------  ------------------------
2019-03-02 12:47:26            1381806       511471  2 files

Path = /tmp/tmpaddon
Type = zip
Physical Size = 583674

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2023-04-27 18:03:37 .....          116           97  gmpopenh264.info
2023-04-27 18:04:02 .....      1592408       583233  libgmpopenh264.so
------------------- ----- ------------ ------------  ------------------------
2023-04-27 18:04:02            1592524       583330  2 files

I deleted the 2019 one, launched a few more times and no more were created (just the 2023 one remains). I assume the 2019 one was from testing an older version of Firefox at some point.

Flags: needinfo?(jschwartzentruber)

> Expected results: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1563743.html

That mail thread seems to say what you've said. Which part of that are the expected results?

> Through privilege escalation, the attacker can write arbitrary code for the target system

I'm sorry I'm not able connect those dots. Do you have a PoC that shows how to use Firefox to get privilege escalation?

Flags: needinfo?(711924474as)

Welcome

> PoC that shows how to use Firefox to obtain privilege escalation?

It is to use the command cat `/tmp/tmpaddon`.
I find that permission is denied, and when I type any command, the same command that I wrote is returned, like:

>>> cat  `/tmp/tmpaddon`                   
zsh: permission denied: /tmp/tmpaddon
id
id
uname -a
uname -a

>>> cat  `/tmp/xa-69JM91/gmpopenh264.info`
zsh: permission denied: /tmp/xa-69JM91/gmpopenh264.info
id
id
uname -a
uname -a

An attacker can craft arbitrary code

Flags: needinfo?(711924474as)

We're not sure how to evaluate this issue. It is not clear to me what the threat vector is, and/or if the GMP system has any protections against it.

Please provide a clear PoC so that we can understand the issue.

Also Jesse, does the GMP system do some sanity checks on the downloaded module that would make this a moot point?

I tried to exploit this problem, but unfortunately I was unable to. You can consider the problem to be the one described in:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1563743.html
If I discover anything, I will write another report.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE

There is no reward for the report
