Bug 367428 - (CVE-2007-3072) resource:// directory traversal
Status: RESOLVED FIXED
Whiteboard: [sg:low]
Keywords: fixed1.8.0.12, privacy, verified1.8.1.4
Product: Core
Classification: Components
Component: Networking
Version: Trunk
Platform: x86 Windows XP
Importance: P1 normal
Target Milestone: mozilla1.8.1
Assigned To: Benjamin Smedberg [:bsmedberg]
Depends on: CVE-2007-3073 382558
Reported: 2007-01-18 15:44 PST by shutdown
Modified: 2009-03-10 10:16 PDT
Flags:
benjamin: blocking1.9+
dveditz: blocking1.8.1.4+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.12+
dveditz: wanted1.8.0.x+
benjamin: in-testsuite+

Attachments
testcase (948 bytes, text/html) - 2007-01-18 15:44 PST, shutdown - no flags
Don't allow backslash, rev. 1 (1.82 KB, patch) - 2007-01-29 13:51 PST, Benjamin Smedberg [:bsmedberg] - no flags
Don't allow backslash, rev. 1.1 (1.82 KB, patch) - 2007-01-30 06:37 PST, Benjamin Smedberg [:bsmedberg] - cbiesinger: review+
Handle escaped backslashes, rev. 1 (1.82 KB, patch) - 2007-02-26 08:18 PST, Benjamin Smedberg [:bsmedberg] - cbiesinger: review+
Rollup patch for branches, rev. 1 (1.17 KB, patch) - 2007-02-26 09:12 PST, Benjamin Smedberg [:bsmedberg] - dveditz: approval1.8.1.4+, dveditz: approval1.8.0.12+

Description shutdown 2007-01-18 15:44:07 PST
Created attachment 251981 (testcase)

resource://gre/../../../../boot.ini => Firefox can't find the file at /boot.ini.
resource://gre/..\..\..\..\boot.ini => File loads successfully.

This bug can be used to check existence of local files
since resource:// and file:// have different restrictions.

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.2pre) Gecko/20070117 BonEcho/2.0.0.2pre
Comment 1 Benjamin Smedberg [:bsmedberg] 2007-01-23 14:52:27 PST
Darin, biesi: this behavior is/was being prevented in the forward-slash case by net_CoalesceDirs (http://lxr.mozilla.org/mozilla/source/netwerk/base/src/nsURLHelper.cpp#208). Perhaps we can just fail if there are any backslashes at all in the resource URL?
Comment 2 Benjamin Smedberg [:bsmedberg] 2007-01-29 13:51:04 PST
Created attachment 253222 (Don't allow backslash, rev. 1)
Comment 3 Darin Fisher 2007-01-29 22:35:49 PST
Comment on attachment 253222 (Don't allow backslash, rev. 1)

you don't need double backslashes in JavaScript?
Comment 4 Benjamin Smedberg [:bsmedberg] 2007-01-30 06:37:32 PST
Created attachment 253328 (Don't allow backslash, rev. 1.1)

Indeed I do
Comment 5 Benjamin Smedberg [:bsmedberg] 2007-02-26 07:06:37 PST
Comment on attachment 253328 (Don't allow backslash, rev. 1.1)

Very low-risk security patch.
Comment 6 Benjamin Smedberg [:bsmedberg] 2007-02-26 07:09:59 PST
Fixed on trunk.
Comment 7 Benjamin Smedberg [:bsmedberg] 2007-02-26 07:50:39 PST
Comment on attachment 253328 (Don't allow backslash, rev. 1.1)

This is incorrect, as it doesn't deal with %5C correctly.
Comment 8 Benjamin Smedberg [:bsmedberg] 2007-02-26 08:18:18 PST
Created attachment 256468 (Handle escaped backslashes, rev. 1)
Comment 9 Benjamin Smedberg [:bsmedberg] 2007-02-26 09:12:43 PST
Created attachment 256470 (Rollup patch for branches, rev. 1)
Comment 10 Benjamin Smedberg [:bsmedberg] 2007-02-26 09:13:06 PST
Fixed on trunk, and the testcase even passes ;-)
Comment 11 Daniel Veditz [:dveditz] 2007-03-21 15:30:14 PDT
Comment on attachment 256470 (Rollup patch for branches, rev. 1)

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Comment 12 Benjamin Smedberg [:bsmedberg] 2007-04-03 07:29:36 PDT
Landed on MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH
Comment 13 Jay Patel [:jay] 2007-05-09 16:42:22 PDT
v.fixed on 1.8 branch with 2.0.0.4 rc2 build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070509 Firefox/2.0.0.4
Comment 14 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-05-17 00:51:39 PDT
Please see bug 380994 for a part of this problem that was missed...
Comment 15 Daniel Veditz [:dveditz] 2007-05-17 12:14:49 PDT
Given this has been discussed in public, I'm opening this bug: http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/#comment-35888
Comment 16 Sam Quigley 2007-05-23 01:25:40 PDT
Unless I'm missing something, the patches above only address this problem on Windows.  There's a very similar bug on Mac OS X (and, I'd assume, any *nix) with escaped forward slashes -- URLs of the form "resource:///..%2F..%2F..%2F..%2FUsers" can traverse the entire directory structure.

I can successfully and consistently exploit this on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 -- it's pretty straightforward, but please email me if you'd like PoC code.

My apologies if the OS X bug has already been patched elsewhere, or if it is not related to this bug.  I searched bugzilla, but didn't turn up any other bugs that seem relevant.

-sq
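The three traversal variants raised in this thread (raw backslashes in the description, percent-encoded backslashes in comment 7, percent-encoded forward slashes in comment 16) side by side, as an added JavaScript example that is not part of the original bug, of the testcase attachment, or of Gecko. A naive normaliser that only coalesces literal "/../" segments is shown next to a hardened one; naiveCoalesce(), hardenedResolve(), SAMPLES and the sample paths are invented for illustration, and net_CoalesceDirs and the actual patches are not reproduced here. The hardened form deliberately rejects any path that would climb above the resource root rather than clamping it, which is stricter than the observed Firefox behaviour for the forward-slash URL.

```javascript
// Added example (not Mozilla code): a normaliser for the path part of a
// resource:// URL, in a naive form and a hardened form. Names below are
// invented for illustration; the real logic lives in Gecko's nsURLHelper.cpp
// and the resource protocol handler, which this does not reproduce.

// Naive: coalesce "." and ".." only over literal "/" segments and clamp at the
// root, the behaviour the description observes for the forward-slash URL.
// Backslashes and percent-escapes are not separators to this code, so "..\"
// and "..%2F" survive as plain segment text and reach the file layer intact,
// where Windows (for "\") or a later percent-decode (for "%2F" / "%5C") turns
// them back into separators.
function naiveCoalesce(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; } // pop on empty is a silent clamp
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Hardened: reject any backslash, raw or escaped as %5C (the check the fix in
// this bug adds), percent-decode exactly once so an escaped "/" is a separator
// before segments are examined, and refuse any path that would climb above the
// resource root instead of clamping it. Returns null on rejection.
// Assumption: the caller hands the result to the file layer without decoding
// it a second time; otherwise "%252F" would reopen the hole.
function hardenedResolve(path) {
  if (/\\|%5c/i.test(path)) {
    return null; // a backslash is never legal in a resource:// path
  }
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch (e) {
    return null; // malformed percent-escape
  }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would escape the resource root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Constructed inputs modelled on the URLs quoted in the comments (path part
// only, i.e. what follows "resource://").
const SAMPLES = [
  "gre/../../../../boot.ini",          // description: forward slashes, clamped by naive
  "gre/..\\..\\..\\..\\boot.ini",      // description: raw backslashes
  "gre/..%5C..%5C..%5C..%5Cboot.ini",  // comment 7: escaped backslashes
  "..%2F..%2F..%2F..%2FUsers",         // comment 16: escaped forward slashes
  "gre/res/html.css",                  // a legitimate resource path (constructed)
];

// Run every sample through both resolvers and return the comparison.
function compareAll() {
  return SAMPLES.map((p) => ({
    path: p,
    naive: naiveCoalesce(p),
    hardened: hardenedResolve(p),
  }));
}

for (const r of compareAll()) {
  console.log(`${r.path}\n  naive:    ${r.naive}\n  hardened: ${r.hardened}`);
}
```

Run it with node. The naive resolver returns "/gre/..\..\..\..\boot.ini" and "/..%2F..%2F..%2F..%2FUsers" unchanged, which is exactly the text a Windows file API or a later percent-decode will reinterpret as a climb out of the resource root; the hardened resolver returns null for all four traversal samples and a clean path only for the legitimate one. Decoding once before segment inspection is what closes the %2F case; rejecting backslashes before decoding is what closes both backslash cases without depending on the platform's notion of a separator.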
Comment 17 Thor Larholm 2007-05-25 04:28:02 PDT
I vote to reopen this bug.

I can reproduce Sam's findings as well. This affects more than just Windows XP and the provided patch does not address the vulnerability on OS X and Linux.
Comment 18 Benjamin Smedberg [:bsmedberg] 2007-05-25 04:30:56 PDT
That is bug 380994
Comment 19 Thor Larholm 2007-05-25 04:36:14 PDT
Does bug 380994 address the vulnerability in 1.5.0.9 as well? I don't have access to verify.
Comment 20 Boris Zbarsky [:bz] (Out June 25-July 6) 2007-05-25 07:35:56 PDT
That bug covers all the branches.
