Closed Bug 1964385 (CVE-2025-6426) Opened 9 months ago Closed 8 months ago

MacOS Download protection bypass With Terminal File

Categories

(Firefox :: File Handling, defect, P1)

Firefox 125
Desktop
All
defect

Tracking


VERIFIED FIXED
141 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 140+ verified
firefox139 --- wontfix
firefox140 + verified
firefox141 + verified

People

(Reporter: pwn2car, Assigned: Gijs)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [adv-main140+][adv-esr128.12+])

Attachments

(5 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36

Steps to reproduce:

The .terminal file extension is natively supported by Apple. When a .terminal file is opened, it launches the Terminal.app and executes the command specified within the file.

For example, consider the following test.terminal file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandString</key>
    <string>id</string>
    <key>ProfileCurrentVersion</key>
    <real>2.1</real>
    <key>RunCommandAsShell</key>
    <false/>
    <key>name</key>
    <string>exploit</string>
    <key>type</key>
    <string>Window Settings</string>
</dict>
</plist>

Previously reported cases like fileloc (Bug 1596668) and inetloc (Bug 1731779) could launch .app files but were limited in their ability to execute arbitrary commands.

In contrast, .terminal files can not only execute scripts but also allow passing arguments to them, potentially expanding the attack surface or automation capabilities.
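As an added illustration for the download-protection side of this bug (this is not Firefox's own code nor the reporter's), the script below shows the two defensive checks the fix implies: treat a downloaded file's extension as "warn before opening" when it is on a list of launchable types, and, for a .terminal file specifically, parse the Apple property list with the standard-library plistlib module and report the CommandString / RunCommandAsShell fields without ever running them. The extension list here is only the three extensions named in this report (.terminal, .fileloc, .inetloc) and is an illustrative subset, not the browser's actual table; the sample plist is the test.terminal from comment 0.

```python
"""Added example (not Firefox code): flag downloaded files whose extension can
launch commands on macOS, and inspect .terminal profiles for the CommandString
key that Terminal.app executes on open."""
import plistlib
from pathlib import PurePosixPath

# Illustrative subset built from the extensions named in this bug and the two
# earlier bugs it cites; Firefox's real warn-before-open list is longer.
DANGEROUS_EXTENSIONS = {".terminal", ".fileloc", ".inetloc"}

# The reporter's test.terminal from comment 0, embedded as the sample input.
SAMPLE_TERMINAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CommandString</key>
    <string>id</string>
    <key>ProfileCurrentVersion</key>
    <real>2.1</real>
    <key>RunCommandAsShell</key>
    <false/>
    <key>name</key>
    <string>exploit</string>
    <key>type</key>
    <string>Window Settings</string>
</dict>
</plist>
"""


def is_dangerous_download(filename: str) -> bool:
    """True when the final extension (case-insensitive) is on the warn list."""
    return PurePosixPath(filename).suffix.lower() in DANGEROUS_EXTENSIONS


def inspect_terminal_profile(data: bytes) -> dict:
    """Parse a .terminal profile and summarise the execution-related keys.

    Nothing is executed; the function only reports what Terminal.app would
    run if the file were opened. Malformed input yields parsed=False.
    """
    try:
        profile = plistlib.loads(data)
    except Exception:  # plistlib raises different types for bad XML vs. bad plist
        return {"parsed": False}
    if not isinstance(profile, dict):
        return {"parsed": False}
    return {
        "parsed": True,
        "executes_on_open": "CommandString" in profile,
        "command": profile.get("CommandString"),
        "runs_as_shell": bool(profile.get("RunCommandAsShell", False)),
        "profile_name": profile.get("name"),
    }


def triage_download(filename: str, data: bytes) -> str:
    """Return a verdict for a downloaded file: 'warn', 'warn-executes' or 'ok'.

    'warn-executes' means the file is a .terminal profile that carries a
    CommandString and so will run a command as soon as the user opens it.
    """
    if not is_dangerous_download(filename):
        return "ok"
    if PurePosixPath(filename).suffix.lower() == ".terminal":
        summary = inspect_terminal_profile(data)
        if summary.get("executes_on_open"):
            return "warn-executes"
    return "warn"


if __name__ == "__main__":
    for name, blob in [("test.terminal", SAMPLE_TERMINAL), ("notes.txt", b"hello")]:
        print(f"{name}: {triage_download(name, blob)}")
        if name.endswith(".terminal"):
            print("  ", inspect_terminal_profile(blob))
```

Run as-is it prints a verdict for the sample file and for a harmless text file; the point of the triage function is that the extension alone is enough to justify the warning prompt the fix adds, and the plist inspection only tells a reviewer what would have run.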

Assignee: nobody → gijskruitbosch+bugs
Severity: -- → S2
Status: NEW → ASSIGNED
Component: Untriaged → File Handling
Flags: needinfo?(gijskruitbosch+bugs)
OS: Unspecified → All
Priority: -- → P1
Hardware: Unspecified → Desktop
Attached file test.terminal

Does Mac's "Gatekeeper" not warn about downloaded .terminal files? Does it ignore them because they're "just" .bat-file like and not actual "applications"?

We should treat these as dangerous anyway, but it seems like Apple has some responsibility too.

Keywords: sec-moderate
Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9491720 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: security impact
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: see comment 0. Expected result is that there's a warning before opening the file.
  • Risk associated with taking this patch: Low
  • Explanation of risk level: We have lists of problematic extensions and this is just a small addition to that list
  • String changes made/needed: No
  • Is Android affected?: no
Flags: qe-verify+
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
Attachment #9491720 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [sec] [qa-triage-done-c141/b140] [qa-ver-needed-c141/b140]
QA Whiteboard: [sec] [qa-triage-done-c141/b140] [qa-ver-needed-c141/b140] → [sec] [uplift] [qa-triage-done-c141/b140] [qa-ver-needed-c141/b140]

Reproduced it on Firefox 140.0a1 (2025-05-05) on macOS 15.5 by following the information provided in Comment 0.

The warning prompt is present on Firefox 140.0b4 (treeherder build) and Firefox 141.0a1 (2025-06-01) on the same system.

Status: RESOLVED → VERIFIED
QA Whiteboard: [sec] [uplift] [qa-triage-done-c141/b140] [qa-ver-needed-c141/b140] → [sec] [uplift] [qa-triage-done-c141/b140] [qa-ver-done-c141/b140]
Flags: qe-verify+

Please nominate this for ESR128 also. It grafts cleanly.

Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9494384 - Flags: approval-mozilla-esr128?

firefox-esr128 Uplift Approval Request

  • User impact if declined: dodgy terminal downloads
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: see comment 0. Expected result is that there's a warning before opening the file.
  • Risk associated with taking this patch: Low
  • Explanation of risk level: We have lists of problematic extensions and this is just a small addition to that list
  • String changes made/needed: No
  • Is Android affected?: no
Flags: qe-verify+
Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9494384 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Verified that the prompt is shown on Firefox 128.12.0esr (treeherder build) on macOS 15.5.

Whiteboard: [adv-main140+]
Whiteboard: [adv-main140+] → [adv-main140+][adv-esr128.12+]
Alias: CVE-2025-6426

Is there a Bounty?

Group: core-security-release
