Something in Firefox seems to be writing addons to /tmp/tmpaddon
Categories: Toolkit :: Add-ons Manager, defect
People: Reporter: 711924474as, Unassigned
Attachments: 1 file (97.16 KB, image/png)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Firefox for Android
Steps to reproduce:
I also reproduced this by creating two new profiles through the profile manager. After several runs in each profile, I had two new tmpaddon files in /tmp.
This is a particular problem for obfuscation as each run uses a new metafile, and those files take up /tmp space in test cases.
for the installation process. (It is mentioned in the parable of bugs; https://bugzilla.mozilla.org/show_bug.cgi?id=1385303 seems to confirm this.) This needs confirmation to make sure it's not insecure. The tempfile has a vulnerability, but even if it isn't, you must use a lock on the temporary file name to avoid conflicts with other users.
These are the only two references to "tmpaddon", and openUnique creates unique file names with the specified prefix. So this should not happen.
Actual results:
$ file /tmp/tmpaddon
/tmp/tmpaddon: Zip archive data, at least v2.0 to extract, compression method=deflate
$ file /tmp/xa-5PV781/libgmpopenh264.so
/tmp/xa-5PV781/libgmpopenh264.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped
$ unzip -l /tmp/tmpaddon
Archive: /tmp/tmpaddon
Length Date Time Name
116 2023-04-27 18:03 gmpopenh264.info
1592408 2023-04-27 18:04 libgmpopenh264.so
1592524 2 files
Through privilege escalation, the attacker can write arbitrary code for the target system
Expected results:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1563743.html
Comment 1•1 year ago
I only see one "tmpaddon" in your screenshot. The unique name should only kick in on subsequent creations as in bug 1385303.
This was supposed to have been fixed long ago in bug 1473837. I wonder if the fact that these are GMP plugins rather than true addons sends it down a different path. In other words, bug 1385303 may have not really been a dupe of bug 1473837.
How do you launch the profile manager in Firefox for Android?
Jesse: does bug 1385303 remain fixed on Linux?
Comment 2•1 year ago
> Lock the temporary file name to avoid conflicts with other users.
What other users are using your phone at the same time as you?
Comment 3•1 year ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> How do you launch the profile manager in Firefox for Android?
As far as I know we don't support the profile manager in Firefox for Android builds on top of GeckoView (we don't even support any extra arguments to point GeckoView-based apps to a profile at a given path, which used to be supported by Fennec-based builds in the past); the Firefox for Android profile will be in the application's data (only accessible to the user associated with the Android app itself and eventually a root user).
> What other users are using your phone the same time as you?
The fact that I don't think the profile manager is actually supported in Firefox for Android, along with the fact that the file manager application and the /tmp directory in the attached screenshot look like they come from a Linux desktop system, makes me wonder whether the "Firefox for Android" part in comment 0 was included just by mistake, and the reporter is actually hitting this issue in a Linux desktop build and not on Android.
Reporter
Comment 4•1 year ago
Hello, I'm sorry I added Firefox for Android. I'm using a desktop Linux system.
I added an addon and then found the reported file in my cache files.
Well, I had another account for Firefox.
Comment 5•1 year ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Jesse: does bug 1385303 remain fixed on Linux?
Yes, I have two tmpaddons, which look like two different versions of gmpopenh264.
Path = /tmp/tmpaddon-3c8450
Type = zip
Physical Size = 511815
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2019-03-02 12:47:07 ..... 116 97 gmpopenh264.info
2019-03-02 12:47:26 ..... 1381690 511374 libgmpopenh264.so
------------------- ----- ------------ ------------ ------------------------
2019-03-02 12:47:26 1381806 511471 2 files
Path = /tmp/tmpaddon
Type = zip
Physical Size = 583674
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2023-04-27 18:03:37 ..... 116 97 gmpopenh264.info
2023-04-27 18:04:02 ..... 1592408 583233 libgmpopenh264.so
------------------- ----- ------------ ------------ ------------------------
2023-04-27 18:04:02 1592524 583330 2 files
I deleted the 2019 one, launched a few more times and no more were created (just the 2023 one remains). I assume the 2019 one was from testing an older version of Firefox at some point.
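The two listings above show the naming that comment 1 describes: the first file takes the bare prefix and only a later creation gets a suffix. The following added example (mine, not Firefox's or the Debian thread's code) models that openUnique-style behaviour in Python; the 6-hex-character suffix format, the prefix "tmpaddon", and the helper names are assumptions. Its security-relevant point is O_CREAT|O_EXCL: a path that already exists in the shared /tmp, including a symlink left there by another local user, makes open() fail with EEXIST and is skipped instead of being followed and overwritten.

```python
import os
import secrets
import stat
import tempfile

# Added illustration, not Firefox's own code: models the openUnique behaviour from
# comment 1 (bare prefix first, unique suffix only when that name is taken, as with
# /tmp/tmpaddon and /tmp/tmpaddon-3c8450 in comment 5). The suffix format and the
# helper names below are assumptions, not the real implementation.

def open_unique(directory, prefix="tmpaddon", attempts=100):
    """Create a file that did not exist before and return (fd, path)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    names = [prefix] + [f"{prefix}-{secrets.token_hex(3)}" for _ in range(attempts)]
    for name in names:
        path = os.path.join(directory, name)
        try:
            return os.open(path, flags, 0o600), path  # owner-only; never truncates
        except FileExistsError:
            continue  # name taken (file or symlink): fall through to a suffixed name
    raise OSError(f"no free name with prefix {prefix!r} in {directory}")

def check_private_file(path):
    """Defender-side check: regular file (not a symlink), ours, single link, mode 0600."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
            and st.st_nlink == 1 and stat.S_IMODE(st.st_mode) == 0o600)

def demo():
    """Constructed scenario: a planted symlink already occupies the bare prefix name."""
    clean = tempfile.mkdtemp()
    fd, first_clean = open_unique(clean)              # nothing there yet: bare name
    os.close(fd)
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim")
    with open(victim, "w") as f:
        f.write("original")
    os.symlink(victim, os.path.join(d, "tmpaddon"))   # link sitting at the bare name
    fd, created = open_unique(d)                      # must not write through the link
    os.write(fd, b"plugin zip bytes")
    os.close(fd)
    fd2, created2 = open_unique(d)                    # a second run gets another name
    os.close(fd2)
    with open(victim) as f:
        victim_intact = f.read() == "original"
    return {"clean_first": os.path.basename(first_clean),
            "first": os.path.basename(created), "second": os.path.basename(created2),
            "victim_intact": victim_intact, "created_ok": check_private_file(created),
            "link_ok": check_private_file(os.path.join(d, "tmpaddon"))}
```

check_private_file is the kind of test a triager can run against a suspicious /tmp entry: a symlink, a foreign owner, an extra hard link, or group/world-readable bits all fail it.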
Comment 6•1 year ago
> Expected results: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1563743.html
That mail thread seems to say what you've said. Which part of that are the expected results?
> Through privilege escalation, the attacker can write arbitrary code for the target system
I'm sorry, I'm not able to connect those dots. Do you have a PoC that shows how to use Firefox to get privilege escalation?
Reporter
Comment 7•1 year ago
Welcome
> PoC that shows how to use Firefox to obtain privilege escalation?
It is to use the command cat `/tmp/tmpaddon`
I find that permission is denied, and when I type any command, the same command that I wrote is returned, like:
>>> cat `/tmp/tmpaddon`
zsh: permission denied: /tmp/tmpaddon
id
id
uname -a
uname -a
>>> cat `/tmp/xa-69JM91/gmpopenh264.info`
zsh: permission denied: /tmp/xa-69JM91/gmpopenh264.info
id
id
uname -a
uname -a
An attacker can craft arbitrary code
Comment 8•1 year ago
We're not sure how to evaluate this issue. It is not clear to me what the threat vector is, and/or if the GMP system has any protections against it.
Please provide a clear PoC so that we can understand the issue.
Also Jesse, does the GMP system do some sanity checks on the downloaded module that would make this a moot point?
Reporter
Comment 9•1 year ago
I tried to exploit this problem, but unfortunately I was unable to do so... You can consider that the problem is:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1563743.html
And if I discover anything, I will write another report.
Updated•1 year ago
Reporter
Comment 10•1 year ago
There is no reward for the report.