Bug 367428 (CVE-2007-3072)

resource:// directory traversal

RESOLVED FIXED in mozilla1.8.1

Status


Core
Networking
P1
normal
RESOLVED FIXED
11 years ago
8 years ago

People

(Reporter: shutdown, Assigned: bsmedberg)

Tracking

({fixed1.8.0.12, privacy, verified1.8.1.4})

Trunk
mozilla1.8.1
x86
Windows XP
fixed1.8.0.12, privacy, verified1.8.1.4
Points:
---
Bug Flags:
blocking1.9 +
blocking1.8.1.4 +
wanted1.8.1.x +
blocking1.8.0.12 +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low])

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
Created attachment 251981 [details]
testcase

resource://gre/../../../../boot.ini => Firefox can't find the file at /boot.ini.
resource://gre/..\..\..\..\boot.ini => File loads successfully.

This bug can be used to check existence of local files
since resource:// and file:// have different restrictions.

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.2pre) Gecko/20070117 BonEcho/2.0.0.2pre
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Flags: blocking1.9?
(Assignee)

Comment 1

11 years ago
Darin, biesi: this behavior is/was being prevented in the forward-slash case by net_CoalesceDirs (http://lxr.mozilla.org/mozilla/source/netwerk/base/src/nsURLHelper.cpp#208). Perhaps we can just fail if there are any backslashes at all in the resource URL?
Assignee: nobody → benjamin
(Assignee)

Updated

11 years ago
Status: NEW → ASSIGNED
Flags: blocking1.9? → blocking1.9+
(Assignee)

Comment 2

11 years ago
Created attachment 253222 [details] [diff] [review]
Don't allow backslash, rev. 1
Attachment #253222 - Flags: review?
(Assignee)

Updated

11 years ago
Attachment #253222 - Flags: review? → review?(darin.moz)

Comment 3

11 years ago
Comment on attachment 253222 [details] [diff] [review]
Don't allow backslash, rev. 1

you don't need double backslashes in JavaScript?
(Assignee)

Comment 4

11 years ago
Created attachment 253328 [details] [diff] [review]
Don't allow backslash, rev. 1.1

Indeed I do.
Attachment #253222 - Attachment is obsolete: true
Attachment #253328 - Flags: review?(darin.moz)
Attachment #253222 - Flags: review?(darin.moz)
(Assignee)

Updated

11 years ago
Attachment #253328 - Flags: review?(darin.moz) → review?(cbiesinger)
(Assignee)

Updated

11 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
Attachment #253328 - Flags: review?(cbiesinger) → review+
(Assignee)

Comment 5

11 years ago
Comment on attachment 253328 [details] [diff] [review]
Don't allow backslash, rev. 1.1

Very low-risk security patch.
Attachment #253328 - Flags: approval1.8.1.3?
Attachment #253328 - Flags: approval1.8.0.11?
(Assignee)

Comment 6

11 years ago
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
(Assignee)

Comment 7

11 years ago
Comment on attachment 253328 [details] [diff] [review]
Don't allow backslash, rev. 1.1

This is incorrect, as it doesn't deal with %5C correctly.
Attachment #253328 - Flags: approval1.8.1.3?
Attachment #253328 - Flags: approval1.8.0.11?
(Assignee)

Updated

11 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 8

11 years ago
Created attachment 256468 [details] [diff] [review]
Handle escaped backslashes, rev. 1
Attachment #256468 - Flags: review?(cbiesinger)
Attachment #256468 - Flags: review?(cbiesinger) → review+
(Assignee)

Comment 9

11 years ago
Created attachment 256470 [details] [diff] [review]
Rollup patch for branches, rev. 1
Attachment #256470 - Flags: approval1.8.1.3?
Attachment #256470 - Flags: approval1.8.0.11?
(Assignee)

Comment 10

11 years ago
Fixed on trunk, and the testcase even passes ;-)
Status: REOPENED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Whiteboard: [sg:low]
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment on attachment 256470 [details] [diff] [review]
Rollup patch for branches, rev. 1

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #256470 - Flags: approval1.8.1.4?
Attachment #256470 - Flags: approval1.8.1.4+
Attachment #256470 - Flags: approval1.8.0.12?
Attachment #256470 - Flags: approval1.8.0.12+
(Assignee)

Comment 12

10 years ago
Landed on MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH
Keywords: fixed1.8.0.12, fixed1.8.1.4

Comment 13

10 years ago
v.fixed on 1.8 branch with 2.0.0.4 rc2 build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070509 Firefox/2.0.0.4
Keywords: fixed1.8.1.4 → verified1.8.1.4
Please see bug 380994 for a part of this problem that was missed...
Given this has been discussed in public, I'm opening this bug: http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/#comment-35888
Group: security

Comment 16

10 years ago
Unless I'm missing something, the patches above only address this problem on Windows. There's a very similar bug on Mac OS X (and, I'd assume, any *nix) with escaped forward slashes -- URLs of the form "resource:///..%2F..%2F..%2F..%2FUsers" can traverse the entire directory structure.

I can successfully and consistently exploit this on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 -- it's pretty straightforward, but please email me if you'd like PoC code.

My apologies if the OS X bug has already been patched elsewhere, or if it is not related to this bug.  I searched bugzilla, but didn't turn up any other bugs that seem relevant.

-sq
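The three separator forms this thread turns up (a raw backslash in the report, its %5C encoding in comment 7, and the %2F encoding in comment 16) can be refused before any ".." coalescing runs. This is an added JavaScript example, not Mozilla's patch; RESOURCE_ROOT and the function names are constructed, and unlike the original forward-slash behaviour it refuses a path that climbs above the root instead of clamping it.

```javascript
// Added example (not Mozilla's code). RESOURCE_ROOT stands in for the
// directory that "resource://gre/" maps to on disk.
const RESOURCE_ROOT = "/opt/app/gre"; // constructed sample root

// A separator that a forward-slash-only coalescer like net_CoalesceDirs
// would not see: a literal backslash, or a percent-encoded "\" or "/"
// (either case) that could be decoded later, after the ".." check.
function hasHiddenSeparator(path) {
  return /\\|%5c|%2f/i.test(path);
}

// Collapse "." and ".." segments on "/" only. Returns null when ".."
// would climb above the root, so the caller can refuse the request.
function coalesceDirs(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // attempted escape from root
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out.join("/");
}

// Map the path part of a resource:// URL to a filesystem path, or
// return null when it must be refused.
function resolveResourcePath(urlPath) {
  if (hasHiddenSeparator(urlPath)) return null;
  const rel = coalesceDirs(urlPath);
  if (rel === null) return null;
  return RESOURCE_ROOT + "/" + rel;
}

// Usage with the shapes from this bug (constructed inputs):
console.log(resolveResourcePath("chrome/foo.js"));          // inside root
console.log(resolveResourcePath("..\\..\\..\\..\\boot.ini")); // null
console.log(resolveResourcePath("..%5C..%5Cboot.ini"));       // null
console.log(resolveResourcePath("..%2F..%2F..%2FUsers"));     // null
```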

Comment 17

10 years ago
I vote to reopen this bug.

I can reproduce Sam's findings as well. This affects more than just Windows XP and the provided patch does not address the vulnerability on OS X and Linux.
(Assignee)

Comment 18

10 years ago
That is bug 380994
Depends on: 380994

Comment 19

10 years ago
Does bug 380994 address the vulnerability in 1.5.0.9 as well? I don't have access to verify.
That bug covers all the branches.

Updated

10 years ago
Depends on: 382558
No longer depends on: 382558
Depends on: 382558
Alias: CVE-2007-3072