Bug 273498 (SA13258)

[SA13258 no rating] "Save Link As" Download Dialog Spoofing Vulnerability

VERIFIED FIXED

Status

--
major
VERIFIED FIXED
14 years ago
2 years ago

People

(Reporter: dveditz, Assigned: bzbarsky)

Tracking

({fixed-aviary1.0, fixed-aviary1.0.1, fixed1.7.5})

Trunk
x86
Windows XP
fixed-aviary1.0, fixed-aviary1.0.1, fixed1.7.5
Dependency tree / graph
Bug Flags:
blocking-aviary1.0.1 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix], URL)

Attachments

(3 attachments)

(Reporter)

Description

14 years ago
Somewhat similar to bug 267122 and 267123 (SA12979). This one involves
presenting a windows "Save As" dialog that shows one filetype (JPEG, for
example) but actually tacks on a different extension when saved (for example,
.bat). Uses the Content-Disposition header to accomplish this.

Advisory URL is currently a blank placeholder but will help with dupes when the
vulnerability is announced.

- - - -From Secunia- - - - 
Andreas Sandblad, Secunia Research has discovered a vulnerability in Mozilla and
Mozilla Firefox, which can be exploited by malicious people to trick users into
downloading malicious files.

The problem is that Mozilla uses the URL to determine the file type association
in the "Save Link As" download dialog, but uses the filename from the
"Content-Disposition" HTTP header when saving the downloaded file. This can be
exploited by a malicious website to spoof file types in the "Save Link As"
download dialog.

Successful exploitation can lead to malware being saved to the download
directory (default is the desktop on Mozilla Firefox).

NOTE: Exploitation requires that the option "Hide extension for known file
types" is enabled in Windows (default setting).

PoC (Proof of Concept):
SA13258.zip/SA13258/poc.html
(Requires Apache 2 with PHP and "rewrite" module support. ".htaccess" file included)

The vulnerability has been confirmed in Mozilla 1.7.3 and Mozilla Firefox 1.0
for Windows. Other versions may also be affected.
(Reporter)

Comment 1

14 years ago
Created attachment 168115 [details]
proof of concept

Comment 2

14 years ago
I was able to confirm this problem using Firefox 1.0 on WinXP.
(Assignee)

Comment 3

14 years ago
> The problem is that Mozilla uses the URL to determine the file type association
> in the "Save Link As" download dialog

Note that this is not an issue on SeaMonkey trunk, since we no longer use the
Content-Disposition filename there.

Given that Firefox has forked all this code, this isn't really a core file
handling bug -- it's a bug in the UI code.

Comment 4

14 years ago
boris: it is still a bug in seamonkey 1.7.x, and so the fix might need to be
incorporated into a 1.7.6 release.
(Assignee)

Comment 5

14 years ago
The fix that landed on trunk is really not acceptable for branches... Lemme see
what I can do for branch.
(Assignee)

Comment 6

14 years ago
So I'm betting this is an issue with our interaction with the Windows system
filepicker.  That will automatically modify the filename the user selects, if I
recall correctly, by appending an extension it somehow comes up with (based on
filters or the default filename we gave it up front or something).

I don't recall the exact behavior, and I don't have a way to test it here. I do
recall that the MSDN documentation for the functionality was incorrect, per
testing some people did for me...

If someone can tell me the exact steps they take to reproduce and what the
actual HTTP headers and URI involved are, I may be able to sort out what's
happening by code inspection.
Is there a bug for tracking this issue in the Firefox code?
(Assignee)

Comment 8

14 years ago
I was wrong (largely because I misunderstood which problem was being reported).
 This isn't a filepicker issue per se, just a bug in our front-end code... 
Patches coming up.
(Assignee)

Comment 9

14 years ago
Created attachment 168164 [details] [diff] [review]
Firefox patch (trunk and branch both)
(Assignee)

Comment 10

14 years ago
Created attachment 168166 [details] [diff] [review]
Patch for 1.7 branch
(Assignee)

Comment 11

14 years ago
Comment on attachment 168166 [details] [diff] [review]
Patch for 1.7 branch

The basic idea is to use the defaultExtension, which is our
vetted-against-the-type-and such extension, which takes into account the
Content-Disposition header, when calling appendFiltersForContentType.  The old
code uses the URL extension there, which is wrong.
Attachment #168166 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #168166 - Flags: review?(cbiesinger)
(Assignee)

Comment 12

14 years ago
Comment on attachment 168164 [details] [diff] [review]
Firefox patch (trunk and branch both) 

Ben, see comment 11 for the explanation of what this patch does.
Attachment #168164 - Flags: review?(bugs)
(Assignee)

Comment 13

14 years ago
Comment on attachment 168164 [details] [diff] [review]
Firefox patch (trunk and branch both) 

Mike, if you get to this before Ben does, is your r= enough to land this on
branch?
Attachment #168164 - Flags: superreview?(bugs)
Attachment #168164 - Flags: review?(mconnor)
Attachment #168164 - Flags: review?(bugs)
Comment on attachment 168166 [details] [diff] [review]
Patch for 1.7 branch

hmm... trunk needs nothing like this? this would explain some bugs about wrong
extensions though, I think.
Attachment #168166 - Flags: review?(cbiesinger) → review+

Updated

14 years ago
Attachment #168166 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview+
(Assignee)

Comment 15

14 years ago
Comment on attachment 168166 [details] [diff] [review]
Patch for 1.7 branch

Requesting branch approval for this security fix.  Note that this is not core
code, so it's fine for 1.7.5.
Attachment #168166 - Flags: approval1.7.5?
Comment on attachment 168164 [details] [diff] [review]
Firefox patch (trunk and branch both) 

r=me for trunk and branch.
Attachment #168164 - Flags: superreview?(bugs)
Attachment #168164 - Flags: review?(mconnor)
Attachment #168164 - Flags: review+
(Assignee)

Comment 17

14 years ago
Comment on attachment 168164 [details] [diff] [review]
Firefox patch (trunk and branch both) 

Requesting aviary approval for this security fix...
Attachment #168164 - Flags: approval-aviary?
(Assignee)

Updated

14 years ago
Assignee: file-handling → bzbarsky
(Assignee)

Comment 18

14 years ago
Comment on attachment 168164 [details] [diff] [review]
Firefox patch (trunk and branch both) 

Checked in on trunk
(Reporter)

Updated

14 years ago
Alias: SA13258
Flags: blocking1.7.5?
Whiteboard: [sg:fix]

Comment 19

14 years ago
Comment on attachment 168166 [details] [diff] [review]
Patch for 1.7 branch

a=mkaply for 1.7.5
Attachment #168166 - Flags: approval1.7.5? → approval1.7.5+
(Assignee)

Updated

14 years ago
Keywords: fixed1.7.5
(Assignee)

Comment 20

14 years ago
Marking fixed, in fact, since this is now fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Comment on attachment 168164 [details] [diff] [review]
Firefox patch (trunk and branch both) 

a=ben@mozilla.org
Attachment #168164 - Flags: approval-aviary? → approval-aviary+
(Assignee)

Comment 22

14 years ago
fixed-aviary1.0, though it's not fixed in 1.0, of course....
Keywords: fixed-aviary1.0

Comment 23

14 years ago
1.7.5 has shipped. Moving request to 1.7.6.
Flags: blocking1.7.5? → blocking1.7.6?
its _in_ 1.7.5 based on keywords, so removing blocking flag.
Flags: blocking1.7.6?

Updated

14 years ago
Blocks: 248511
(Reporter)

Updated

14 years ago
Blocks: 278184

Comment 25

14 years ago
need to make sure this gets on the right branch
Flags: blocking-aviary1.0.1+
(Reporter)

Comment 26

14 years ago
landed on aviary1.0.1 branch
Keywords: fixed-aviary1.0.1

Comment 27

14 years ago
Verified Fixed.  The php test case shows the proper .bat file in the open file
dialog and saves it with the correct extension.

Aviary 1.0.1 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20050217 Firefox/1.0

Mozilla 1.7.6 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)
Gecko/20050217
Status: RESOLVED → VERIFIED

Updated

14 years ago
Summary: [SA13258] "Save Link As" Download Dialog Spoofing Vulnerability → [SA13258 no rating] "Save Link As" Download Dialog Spoofing Vulnerability
(Reporter)

Updated

14 years ago
Group: security

Comment 28

14 years ago
Does anyone have a page up with the test case ?

Comment 29

14 years ago
this is not fixed on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4)
Gecko/20050715 Firefox/1.0+, it still tries to save poc.jpg. It is fixed on
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716
Firefox/1.0.6 where it tries to save my picture.bat.
(Assignee)

Comment 30

14 years ago
> it still tries to save poc.jpg.

Doesn't it also save "poc.jpg"?  The problem with this bug was that we offered
to save "poc.jpg" but saved "picture.bat"...  Now we're consistent.

Comment 31

14 years ago
(In reply to comment #30)
> > it still tries to save poc.jpg.
> 
> Doesn't it also save "poc.jpg"?  The problem with this bug was that we offered
> to save "poc.jpg" but saved "picture.bat"...  Now we're consistent.

trunk saves "poc.jpg" while 1.0.6 saves "my picture.bat" both containing the
text "call winmine.exe"
(Assignee)

Comment 32

14 years ago
Right.  That would be expected behavior -- on branch we use the
Content-Disposition header for both filenames, while on trunk we use it for neither.

Updated

13 years ago
Flags: testcase+

Updated

12 years ago
Flags: in-testsuite+ → in-testsuite?
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.