[Mac] Copy as powershell (on curl) leads to code execution on mac
Categories
(DevTools :: Netmonitor, defect)
Tracking
(firefox-esr115 wontfix, firefox-esr128138+ fixed, firefox136 wontfix, firefox137 wontfix, firefox138+ fixed, firefox139+ fixed)
People
(Reporter: ameenbasha111, Assigned: bomsy)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [client-bounty-form][adv-main138+][adv-esr128.10+])
Attachments
(3 files, 2 obsolete files)
- 9.18 MB, video/mp4
- 48 bytes, text/x-phabricator-request (diannaS: approval-mozilla-beta+; diannaS: approval-mozilla-esr128+)
- 383 bytes, text/plain
Hi team, the latest Firefox on Mac is vulnerable to code execution: an attacker can trick the user, with a malicious request, into copying it as PowerShell and running it on Mac, which leads to code execution.
Note: The HTTP method is the vulnerable part of the resultant curl.
FYI: We can install PowerShell on Mac via Homebrew (instead of moving to Windows, I have used this to run the PowerShell command on Mac). The same is possible when running directly in Windows PowerShell too.
Fetch Command: (run it on console)
fetch('',{method: '||whoami||'});
Steps to reproduce
- run the above command in browser console (we can achieve this via html file itself)
- copy the request as powershell
- paste and run it on powershell
- you can see the output of whoami command
Note: Issue tested on latest version of firefox
I will attach the PoC video for reference shortly.
Comment 1•1 year ago (Reporter)
Comment 2•1 year ago
Where did you find a Mac version of Powershell to paste the command into?
Comment 3•1 year ago
When I tried to paste the "copy as powershell" string into the standard Mac bash terminal, lines were executed immediately upon pasting—didn't even have to hit "enter". It didn't run the embedded whoami command and basically just returned a bunch of syntax errors, but it's quite believable someone could find the right combination to get something executed.
Comment 4•1 year ago (Reporter)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Where did you find a Mac version of Powershell to paste the command into?
Microsoft provides documentation for this.
I installed it using the Homebrew method.
Comment 5•1 year ago
Set release status flags based on info from the regressing bug 1795595
Comment 6•1 year ago (Reporter)
https://searchfox.org/mozilla-central/source/devtools/client/netmonitor/src/utils/powershell.js#89
I hope this is the vulnerable place which causes this issue. Similar to body and headers, use escapeStr for method too:
parameters.push(`-Method ${method}`); => parameters.push(`-Method ${escapeStr(method)}`);
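Added example (not from the bug or from Firefox's source) showing why the method has to be quoted rather than only validated: fetch() accepts any RFC 9110 token as a method, and that grammar permits `|`, `&`, `$`, `'` and the backtick. The function names and the simplified Invoke-WebRequest command shape are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not devtools' powershell.js.

// RFC 9110 "token" grammar, the only constraint fetch() places on a method.
// | & $ ' and ` are all legal token characters.
const HTTP_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// PowerShell single-quoted literal: no expansion inside, ' is written as ''.
function psSingleQuote(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

// "Before": the method is interpolated as bare text and parsed by the shell.
function buildUnescaped(url, method) {
  return `Invoke-WebRequest -Uri ${psSingleQuote(url)} -Method ${method}`;
}

// "After": the method is emitted as one quoted literal argument.
function buildEscaped(url, method) {
  if (!HTTP_TOKEN.test(method)) throw new TypeError("method is not an HTTP token");
  return `Invoke-WebRequest -Uri ${psSingleQuote(url)} -Method ${psSingleQuote(method)}`;
}

// Regression check: collect shell metacharacters that sit outside any
// single-quoted literal in a generated command.
function unquotedMetachars(command) {
  let inQuote = false;
  let found = "";
  for (let i = 0; i < command.length; i++) {
    const ch = command[i];
    if (ch === "'") {
      if (inQuote && command[i + 1] === "'") i++; // '' is an escaped quote
      else inQuote = !inQuote;
    } else if (!inQuote && "|&;$`(){}<>".includes(ch)) {
      found += ch;
    }
  }
  return found;
}

const url = "https://example.test/"; // constructed sample URL
const reported = "||whoami||";       // method value from the report
console.log(JSON.stringify(unquotedMetachars(buildUnescaped(url, reported))));
console.log(JSON.stringify(unquotedMetachars(buildEscaped(url, reported))));
```

A check like `unquotedMetachars` fits a unit test over the generator's output for a set of hostile but grammar-valid method names.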
Comment 7•1 year ago (Assignee)
Comment 8•1 year ago
Set release status flags based on info from the regressing bug 1795595
Comment 10•1 year ago
Comment 11•1 year ago
The patch landed in nightly and beta is affected.
:bomsy, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox138 to wontfix.
For more information, please visit BugBot documentation.
Comment 12•1 year ago (Assignee)
Comment on attachment 9476034 [details]
Bug 1956698 - [devtools] Escape the method value r=#devtools
Beta/Release Uplift Approval Request
- User impact if declined/Reason for urgency: Security issue with curl command for powershell on Mac
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small Javascript to escape HTTP Methods properly
- String changes made/needed:
- Is Android affected?: No
Comment 13•1 year ago
Comment on attachment 9476034 [details]
Bug 1956698 - [devtools] Escape the method value r=#devtools
Approved for 138.0b5
Comment 14•1 year ago (uplift)
Comment 15•1 year ago
Please nominate this for ESR128 uplift also when you get a chance.
Comment 16•1 year ago (Assignee)
Comment on attachment 9476034 [details]
Bug 1956698 - [devtools] Escape the method value r=#devtools
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a security bug
- User impact if declined: Malicious code can be run on user machine
- Fix Landed on Version: 139
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small JS fix to escape HTTP methods when generating a Curl command for powershell
Comment 17•1 year ago
Comment on attachment 9476034 [details]
Bug 1956698 - [devtools] Escape the method value r=#devtools
Approved for 128.10esr
Comment 18•1 year ago (uplift)
Comment 19•1 year ago
Comment 20•1 year ago
Comment 21•1 year ago