Closed Bug 1950001 Opened 1 year ago Closed 11 months ago

Copy As Curl (Windows) Leads to Code Execution in Linux

Categories

(DevTools :: Netmonitor, defect, P2)

defect

Tracking

(firefox-esr115 139+ fixed, firefox-esr128 139+ fixed, firefox137 wontfix, firefox138 wontfix, firefox139 + fixed)

RESOLVED FIXED
139 Branch

People

(Reporter: ameenbasha111, Assigned: bomsy)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [client-bounty-form] [adv-main139+] [adv-esr115.24+] [adv-esr128.11+])

Attachments

(6 files, 2 obsolete files)

Hi team, the latest Firefox version leads to code execution on a Linux machine using the Copy as cURL (Windows) feature.
The body parameters are not properly sanitized, which leads to code execution in a Linux environment.

Steps to reproduce

  1. Send the request with malicious code in the body.
  2. Now, from the Network tab, copy the request as cURL (Windows).
  3. Paste it into a bash shell and you will find the whoami command executed.

Malicious request

  fetch("https://example.com/postit", {
    credentials: "omit",
    headers: {
      "Accept-Language": "en-US",
      "Content-Type": "text/plain",
    },
    body: "query=evil\n\nwhoami",
    method: "POST",
  });

Reference for my other (vice versa) issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1949994

Note: Chrome is not vulnerable to this; I have shown this in the PoC video too.

This should be prevented, as in Chrome, to avoid accidental code execution on Linux while working with multiple environments.
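As a check that a "Copy as cURL" generator's test suite could carry, here is an added example (not Firefox's curl.js or test_curl.js): a small POSIX-shell quoting scanner that flags any command separator left outside quotes in a generated cURL line, run over a constructed body shaped like the one in the report. The posixQuote helper and the two sample command strings are assumptions made for illustration, not the generator's real output.

```javascript
// Added example, not Firefox code: scan a command line the way a POSIX shell
// tokenises it (single quotes, double quotes, backslash escapes) and report
// every command separator that is NOT protected by quoting. A generated cURL
// line that yields any hit would run more than one command when pasted.
// Command substitution ($(...) and backticks) is out of scope for this check.
function unquotedSeparators(cmd) {
  const found = [];
  let inSingle = false, inDouble = false, escaped = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (escaped) { escaped = false; continue; }          // char after \ is literal
    if (inSingle) { if (c === "'") inSingle = false; continue; }
    if (c === "\\") { escaped = true; continue; }        // \ escapes outside '...'
    if (inDouble) { if (c === '"') inDouble = false; continue; }
    if (c === "'") { inSingle = true; continue; }
    if (c === '"') { inDouble = true; continue; }
    if (c === "\n" || c === ";" || c === "&" || c === "|") {
      found.push({ index: i, char: JSON.stringify(c) });
    }
  }
  return found;
}

function isSingleCommand(cmd) {
  return unquotedSeparators(cmd).length === 0;
}

// Assumed helper: POSIX-safe quoting for a request body. Everything inside
// single quotes, newlines included, is literal; each ' becomes '\''.
function posixQuote(s) {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Constructed body in the shape of the report: a second line after a blank line.
const body = "query=evil\n\nwhoami";

// Safe form: the whole body is one shell word, so the line is one command.
const safeCmd = "curl 'https://example.com/postit' -X POST --data-raw " + posixQuote(body);
// Constructed unsafe form: a body emitted without shell quoting lets the
// unquoted newline terminate the curl command, so the next line runs on its own.
const unsafeCmd = "curl 'https://example.com/postit' -X POST --data-raw " + body;

console.log("safe:", isSingleCommand(safeCmd), "unsafe:", isSingleCommand(unsafeCmd));
```

The scanner is deliberately independent of which escaping scheme produced the line, so the same assertion can cover both the POSIX and the Windows variants of a generator.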

Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1949993
Resolution: --- → DUPLICATE
Duplicate of bug: 1949994
No longer duplicate of bug: 1949993

@frederik, there seems to be some misunderstanding in marking the bugs as duplicates.

1949994 - Copy as curl (posix) feature
1950001(this ticket) - Copy as curl (windows) feature

Both of these options have separate code bases and separate options in the Firefox browser; this will not fall under duplication.

Kindly reopen this bug.

I agree that this might require more than one fix. However, I think we would all benefit if there was a single discussion in this one bug instead of 3 fragmented discussions.

(In reply to Frederik Braun [:freddy] from comment #4)

> I agree that this might require more than one fix. However, I think we would all benefit if there was a single discussion in this one bug instead of 3 fragmented discussions.

That is fine for the fix discussion, but feature-wise these are two different areas, and it also affects my bounty if it is handled in a single ticket, even though the fix needs to be in multiple places.

So kindly track this as a separate one for the bounty.

Component: Security → Netmonitor
Product: Firefox → DevTools

I suspect this is actually in the same code and won't require a separate fix, but we can make this "depends on" for now.

Status: RESOLVED → REOPENED
Depends on: 1949994
No longer duplicate of bug: 1949994
Ever confirmed: true
Resolution: DUPLICATE → ---

The severity field is not set for this bug.
:Honza, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(odvarko)
Flags: needinfo?(odvarko)
Whiteboard: [client-bounty-form] → [client-bounty-form][devtools-triage]

Flags: needinfo?(odvarko)

I'll take a look at this.

Assignee: nobody → hmanilla

Bomsy, please set priority and severity for this bug, thank you.

Flags: needinfo?(odvarko)
Severity: -- → S3
Priority: -- → P2

(In reply to Daniel Veditz [:dveditz] from comment #6)

> I suspect this is actually in the same code and won't require a separate fix, but we can make this "depends on" for now.

Hi team, issue 1949994 is fixed and closed now, and I have tested the same in Firefox Nightly and it is not reproduced. Escaped with ^.

As I stated before, the fix for 1949994 will not fix this issue; since these two are handled in different methods, it requires fixes in two different places.

Kindly initiate a separate fix for this issue. Also, since it remains unfixed even after 1949994 was closed, it will be considered a separate issue, as stated in comment 3.

Note: As stated in the description, Chrome is not vulnerable in this case (it was shown in the first PoC video attached).

I have attached a video PoC to show that 1949994 is fixed in Nightly but 1950001 is still vulnerable.

Blocks: curl
Status: REOPENED → NEW
No longer depends on: 1949994
See Also: → 1949994
Attachment #9474699 - Attachment description: WIP: Bug 1950001 - [devtools] Fix Cpoy As cURL(Windows) on linux → WIP: Bug 1950001 - [devtools] Fix Copy As cURL(Windows) on linux
Attachment #9474699 - Attachment description: WIP: Bug 1950001 - [devtools] Fix Copy As cURL(Windows) on linux → Bug 1950001 - [devtools] Fix Copy As cURL(Windows) on linux r=#devtools
Blocks: 1957583
Pushed by hmanilla@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5e3231d83f0d [devtools] Fix Copy As cURL(Windows) on linux r=devtools-reviewers,nchevobbe
Backout by imoraru@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/56155463023a Backed out changeset 5e3231d83f0d for causing xpcshell failures on test_curl.js.

Backed out for causing xpcshell failures on test_curl.js.
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&selectedTaskRun=B[…]pcshell&revision=5e3231d83f0df129847e9ec56658d5b82cfbc37b
Failure log: https://treeherder.mozilla.org/logviewer?job_id=501986848&repo=autoland&lineNumber=4342
Backout link: https://hg.mozilla.org/integration/autoland/rev/56155463023a4bb562d4446d675573c2b908f8c1

[task 2025-04-02T07:08:06.963Z] 07:08:06     INFO -  TEST-PASS | devtools/client/shared/test/xpcshell/test_curl.js |  - host header ignored - to be generated from url - true == true
[task 2025-04-02T07:08:06.963Z] 07:08:06  WARNING -  TEST-UNEXPECTED-FAIL | devtools/client/shared/test/xpcshell/test_curl.js |  - accept header present in curl command - false == true
[task 2025-04-02T07:08:06.963Z] 07:08:06     INFO -  D:/task_174357691395686/build/tests/xpcshell/tests/devtools/client/shared/test/xpcshell/test_curl.js:null:45
Flags: needinfo?(hmanilla)
Whiteboard: [client-bounty-form][devtools-triage] → [client-bounty-form]

Friendly reminder: the changes were approved 12 days ago, but it seems that due to the test case failure it is pending. Can you update on this?

Thanks Ameen. I'm on it. Thanks.

Pushed by hmanilla@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/991c7b596351 [devtools] Fix Copy As cURL(Windows) on linux r=devtools-reviewers,nchevobbe
Flags: needinfo?(hmanilla)
Backout by amarc@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/81048cca6fa5 Backed out changeset 991c7b596351 for causing xpcshell failures @ test_curl.js CLOSED TREE
Pushed by hmanilla@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7238f9bd1c5c [devtools] Fix Copy As cURL(Windows) on linux r=devtools-reviewers,nchevobbe

Backed out for causing xpcshell failures of test_curl.js:
https://hg.mozilla.org/integration/autoland/rev/d1cfe436879aa5f39e94e0781d10f2f792d30d9a

Push with failures
Failure log

[task 2025-04-15T11:37:57.519Z] 11:37:57     INFO -  TEST-PASS | devtools/client/shared/test/xpcshell/test_curl.js |  - host header ignored - to be generated from url - true == true
[task 2025-04-15T11:37:57.519Z] 11:37:57  WARNING -  TEST-UNEXPECTED-FAIL | devtools/client/shared/test/xpcshell/test_curl.js |  - accept header present in curl command - false == true
[task 2025-04-15T11:37:57.519Z] 11:37:57     INFO -  D:/task_174471600302589/build/tests/xpcshell/tests/devtools/client/shared/test/xpcshell/test_curl.js:null:45
Flags: needinfo?(hmanilla)
Pushed by hmanilla@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/875d51727bbd [devtools] Fix Copy As cURL(Windows) on linux r=devtools-reviewers,nchevobbe
Backout by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fb67bbe47c99 Backed out changeset 875d51727bbd for causing xpcshell failures on test_curl. CLOSED TREE

Backed out changeset 875d51727bbd for causing xpcshell failures on test_curl

Push with failures

Failure log

Backout link

Pushed by hmanilla@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ad7e5f6817ce [devtools] Fix Copy As cURL(Windows) on linux r=devtools-reviewers,nchevobbe
Flags: needinfo?(hmanilla)
Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago → 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
Flags: sec-bounty? → sec-bounty+
QA Whiteboard: [sec] [qa-triage-done-c140/b139]
Flags: qe-verify-

:bomsy, could you please add uplift requests for ESR115 and ESR128?

Flags: needinfo?(hmanilla)
Attachment #9487207 - Flags: approval-mozilla-esr115?
Attachment #9487208 - Flags: approval-mozilla-esr128?
Flags: needinfo?(hmanilla)
Attachment #9487208 - Attachment description: Bug 1950001 - [devtools] Fix Copy As cURL(Windows) on linux r=#devtools → Bug 1950001 - [devtools] Fix Copy As cURL(Windows) on linux
Attachment #9487208 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9487207 - Attachment description: Bug 1950001 - [devtools] Fix Copy As cURL(Windows) on linux r=#devtools → Bug 1950001 - [devtools] Fix Copy As cURL(Windows) on linux
Attachment #9487207 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
QA Whiteboard: [sec] [qa-triage-done-c140/b139] → [qa-triage-done-c140/b139]
Whiteboard: [client-bounty-form] → [client-bounty-form] [adv-main139+] [adv-ESR115.24+] [adv-ESR128.11+]
Whiteboard: [client-bounty-form] [adv-main139+] [adv-ESR115.24+] [adv-ESR128.11+] → [client-bounty-form] [adv-main139+] [adv-esr115.24+] [adv-esr128.11+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt (obsolete) —
Attachment #9490177 - Attachment is obsolete: true
Attached file advisory.txt
Attachment #9490469 - Attachment is obsolete: true
See Also: → CVE-2025-8030
See Also: CVE-2025-8030
Duplicate of this bug: 1784436
Regressions: 1970351
Group: core-security-release