Closed Bug 200691 Opened 22 years ago Closed 22 years ago

Reading local files using helper apps and XBL

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: security-bugs, Assigned: security-bugs)

References

Details

Attachments

(5 files, 1 obsolete file)

localfile.html
398 bytes, text/html
Details
localfile2.html
156 bytes, text/html
Details
raw4.pl
857 bytes, application/octet-stream
Details
raw4xbl.pl
1.14 KB, application/octet-stream
Details
Better patch - no perf hit, moved check at bryner's request
1.49 KB, patch
bryner
: review+
hjtoi-bugzilla
: superreview+
asa
: approval1.4b+
Details | Diff | Splinter Review
It is possible to read local files with the help of external applications and a bug in xbl. Works at least on linux, probably with small modifications on other OSes. The problem is that when an external document is opened with external application, a file with known filename is created in /tmp. So locxbl.xbl is created in /tmp. Then xxxx.html is created in /tmp. (both with content-type video/mpeg). localfile2.html uses locxbl.xbl from the local filesystem. Then locxbl.xbl opens xxxx.html which reads /etc/groups. How to reproduce on localhost (may work on another hosts, but localhost should be changed and the perl scripts should be started on the other host). 1. start raw4xbl.pl on localhost 2. start raw4.pl on localhost 3. open localfile.html from the web. 4. In localfile.html first click on the "1. ..." link then chose "open ...using application" if prompted. 5. In localfile.html first click on the "2. ..." link then chose "open ..." if prompted. 6. In localfile.html click on 3. and see the contents of /etc/group read. In case the user has chosen to always open certain filetypes (which seems the default after first opening) the exploit works automatically. Shall check on windows - media files seems more suitable for this attack. On windoze /tmp should be replaced with something else and change of the content may be needed. In case netscape registers winamp or other player they may be used. All needed files are attached. Georgi
Attached file localfile.html
Attached file localfile2.html
Attached file raw4.pl
Attached file raw4xbl.pl
I'm a little confused... is the issue that remote content can load XBL from a file:// url, basically? If not, what is the problem?
Boris, There are several small problems which make one big problem. Here are they: 1. It is possible to do XBL binding to local XBL via style="-moz-binding: url('file:///tmp/locxbl.xbl#root')"> 2. XBL loaded from file URL allows loading local files via location.replace() 3. External applications create files with known names in a known location which allows creating local xbl and html. This exploit requires minimal user interaction, but if some file types are always opened, then the risk is greatly increased.
> 1. It is possible to do XBL binding to local XBL via style="-moz-binding: > url('file:///tmp/locxbl.xbl#root')"> This is not a little problem. This is a major security hole. You should not be able to do that if you're not a local file or chrome yourself. > 2. XBL loaded from file URL allows loading local files via location.replace() Nothing wrong with that, imo.... Local HTML allows that too.... > 3. External applications create files with known names in a known location > which allows creating local xbl and html. Yeah... we used to not do this, but there was a lot of noise about it, because people want to be able to get at the files after the helper app is done with them... Any ideas? :(
Note: I see no CheckLoadURI calls in nsXBLService. This is very wrong....
>> 2. XBL loaded from file URL allows loading local files via location.replace() >Nothing wrong with that, imo.... Local HTML allows that too.... This wrong IMHO. The XBL is loaded from html/xml via <style> and not directly. It is not like a standalone document, it seems more like <script> or xul-overlay. XBL is not the same as local HTML IMHO. Not an expert in XBL though, so may be wrong. >> 3. External applications create files with known names in a known location >> which allows creating local xbl and html. >Yeah... we used to not do this, but there was a lot of noise about it, because >people want to be able to get at the files after the helper app is done with >them... Any ideas? :( I vote for removing this dangerous stuff. This may open path to more exploits. People can always shift click on the link and do save as.
> it seems more like <script> or xul-overlay Yes, but a local script or overlay takes the permissions of the URL it was loaded from as well...For example, a <script> loaded from file:/// can XMLHttpRequest from anywhere (no SameOrigin check). As for the naming issue, I totally agree from a security standpoint. But in practice, that was pretty much unacceptable (see the bugs). Which is part of why we have CheckLoadURI...
Boris, what bugs should I see to learn why people demand helper app files with well-known names? 1 and 3 seem like problems, 1 of course. 2 is questionable. We don't allow non-file: pages to load file: scripts, IIRC (MozillaClassic disallowed this, in any event), but we've always allowed local pages to load local scripts via script src=file:... or a relative URL. How is XBL different from a security standpoint from HTML with inline scripts? /be
Bug 60203 and its ten or so duplicates.
Predictable filenames caused a lot of problems to internet exploder in the past at least. To keep users happy I suggest the following. 1. Place the opened file under the "salty" directory and 2. Add some salt to it, so blondeporno.mpg becomes blondeporno{RANDOMSALT}.mpg Users can always remove the obfuscated part if they wish.
A small rant: Bug 60203 does not justify leaving known filenames IMHO. If users want known filename, they should chose Save As. Users may want whatever features, but it is mozilla's developers responsibility to ship a secure browser.
Flags: blocking1.4b?
IMHO a quick fix will be to remove the predictable filenames - this will fix also unknown attacks. The XBL problem should alse be taken care of.
An even quicker fix is to disable helper applications entirely. Which doesn't mean we should do that. Fixing the core XBL problem should not be very hard -- just make a call to the security manager checking whether loading XBL from the target URL is allowed by the security policies. That said, if someone provides a patch to do salting per comment 13, I'm willing to review (but I have no time to work on one).
Boris, Fixing the XBL problem with stop *this* exploit. But if someone manages to find a way to render local files via XUL/XML/XBL/etc, this gives him instant access to reading local files via the same method. I have the impression that helper files used to be salty, so probably it won't be hard to implement comment 13 for example.
Why do the permissions of scripts in XBL depend on the location of the XBL rather than the location of the page they're included in?
*** Bug 195317 has been marked as a duplicate of this bug. ***
Flags: blocking1.4b? → blocking1.4b+
I think this will do the trick - need a good testcase.
Comment on attachment 121742 [details] [diff] [review] Patch - add CheckLoadURI call to XBL loader OK, the patch seems to work, and no regressions I can find.
Attachment #121742 - Flags: superreview?(heikki)
Attachment #121742 - Flags: review?(bryner)
Comment on attachment 121742 [details] [diff] [review] Patch - add CheckLoadURI call to XBL loader Have you checked perf numbers? If there is a noticeable hit you may need to cache creation of secMan, and possibly reusing bindingURI object to avoid some allocations. Nit: I would suggest moving creation of secMan forward to where it is actually used. Provided there is no noticeable perf hit then sr=heikki
Attachment #121742 - Flags: superreview?(heikki) → superreview+
Comment on attachment 121742 [details] [diff] [review] Patch - add CheckLoadURI call to XBL loader Could we move this check down so that it's just above the call to GetBinding() ? (below the call to nsBindingManager::GetBinding and the block of code after it). That shoud save us from doing the security check if the binding has already been installed on the element.
Attachment #121742 - Flags: review?(bryner) → review-
The other patch increased Txul by 9% - added a check for chrome URIs and there's no detectable perf hit. I also moved the check at bryner's request.
Attachment #121742 - Attachment is obsolete: true
Attachment #122158 - Flags: superreview?(heikki)
Attachment #122158 - Flags: review?(bryner)
Attachment #122158 - Flags: superreview?(heikki) → superreview+
Comment on attachment 122158 [details] [diff] [review] Better patch - no perf hit, moved check at bryner's request r=bryner
Attachment #122158 - Flags: review?(bryner) → review+
Comment on attachment 122158 [details] [diff] [review] Better patch - no perf hit, moved check at bryner's request Requesting approval for 1.4b. This patch prevents remote XUL files from using XBL files from file:// URLs (chrome: is still allowed). Since chrome XUL files are excluded from the check, this only affects remote XUL files, so the risk is low.
Attachment #122158 - Flags: approval1.4b?
Comment on attachment 122158 [details] [diff] [review] Better patch - no perf hit, moved check at bryner's request a=asa (on behalf of drivers) for checkin to 1.4b.
Attachment #122158 - Flags: approval1.4b? → approval1.4b+
Fix checked in.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Group: security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: