Closed
Bug 382558
Opened 17 years ago
Closed 8 years ago
Input validation flaw in nsResProtocolHandler.cpp
Categories
(Core :: Networking, defect, P5)
Core
Networking
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: thor, Assigned: dveditz)
References
()
Details
(Whiteboard: [sg:investigate])
Attachments
(1 file)
268 bytes,
text/plain
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 Build Identifier: The patch from bug 367428 - ressource:// directory traversal - opens up a related input validation flaw in the resource protocol. Before the patch the input to nsResProtocolHandler::ResolveURI was already checked to prevent any : characters from sneaking in, which can allow absolute URI references such as "res:C:boot.ini". This check is still in place in lines 334 to 336. // Don't misinterpret the filepath as an absolute URI. if (filepath.FindChar(':') != -1) return NS_ERROR_MALFORMED_URI; Since the previous directory traversal vulnerability depended on URL-escaped characters such as %5C to work the patch added the currently present lines 338 to 340. NS_UnescapeURL(filepath); if (filepath.FindChar('\\') != -1) return NS_ERROR_MALFORMED_URI; Since the filepath is now unescaped after the check for a : character has occurred, it is possible to inject : characters with the URL-escaped version %3A. A non-malicious example request that can be used for verification is the following link include, which passes on unfiltered : characters to the host file system. <link rel="stylesheet" href="resource://gre/browserconfig%3A.properties" /> It is also possible to pass on @ characters to the host file system, which at least on the Windows platform can be used to Basic Authentication style URI's. Reproducible: Always
Updated•17 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter | ||
Comment 1•17 years ago
|
||
The first line comes from <link rel="stylesheet" href="resource://gre/browserconfig%3A.properties" />, the second line comes from <link rel="stylesheet" href="resource://gre/browserconfig%40.properties" />
Comment 2•17 years ago
|
||
As far as I can tell, the check for a colon was added in bug 337744 to prevent URIs like "resource:///http://www.google.com/" from being interpreted as "http://www.google.com/", not to avoid passing ":" to the file system. In other words, the fact that ":" or "@" are being sent to the file system was not the problem, the problem was that those characters could potentially cause our URI parsing code to output absolute URIs when resolving the latter part of the resource: URI. Is there any evidence that this is an exploitable flaw?
Reporter | ||
Comment 3•17 years ago
|
||
You would have to re-run some modified versions of the unit tests from bug 337744 to validate whether this is an immediately exploitable flaw. Since this does circumvent the input validation checks in nsResProtocolHandler::ResolveURI I am sure that there will be some exploitable condition for this, provided that someone is up for the task of single stepping through the resolver logic.
Updated•17 years ago
|
Blocks: CVE-2007-3072
Assignee | ||
Comment 4•17 years ago
|
||
Gavin is correct in comment 2 about why the colon check is there, it's not intended to prevent colons in file paths. Some might argue, in fact, that doing so is a bug, except we wouldn't really care because ':' doesn't work in Windows file names so we'd never use them in Firefox resources, and resource: is intended for internal use. It's _probably_ OK since escaped colon can't validly delimit a scheme, but given code that apparently could read a second scheme out of a URL in the first place I'm not sure I want to bank on that. We might as well open this up given the blog post at http://larholm.com/2007/06/04/unpatched-input-validation-flaw-in-firefox-2004/
No longer blocks: CVE-2007-3072
Group: security
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:investigate]
Assignee | ||
Updated•17 years ago
|
Blocks: CVE-2007-3072
Comment 5•17 years ago
|
||
I think using a check for ':' to tell whether something is an absolute URI is a little odd to start with. Ideally we'd either use the same code as Resolve() or just go ahead and use nsIIOService::extractScheme on the exact string we plan to pass to Resolve(), and bail out if it finds something, right?
Comment 6•17 years ago
|
||
Thor's blog post says: There are some odd URI resolver logic in nsIStandard::Resolve that I will still have to look into. Under some circumstances on Windows, I can get / characters translated into \ characters and have triple dots translated into double dots, which will once again allow the full directory traversal vulnerability. However, the output is flaky at best and I will have to do some tedious single stepping through the URI resolver logic code to determine at what point the input is unescaped twice :) So does this allow full directory traverse or not?
Updated•17 years ago
|
Assignee: nobody → dveditz
Comment 7•17 years ago
|
||
The full-traversal is covered by bug 380994. I'm unclear on whether the colons or slashes issue is a problem: I can't see how passing either to the filesystem is a problem, but I may not be inventive enough.
Comment 8•17 years ago
|
||
This blocks if it's valid... need more data somehow.
Flags: blocking1.9? → blocking1.9+
Assignee | ||
Updated•17 years ago
|
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Assignee | ||
Comment 9•17 years ago
|
||
haven't found an immediate problem, and the colon check is not intended to keep ':' out of filenames but just to keep deeper layers of nsStandardURL from doing it's "is this a relative or absolute URI" check twice.
Flags: blocking1.8.1.5+ → blocking1.8.1.6?
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
Updated•17 years ago
|
Priority: -- → P1
Comment 10•17 years ago
|
||
This was filed in June. How do we make sure this gets addressed promptly?
Comment 11•17 years ago
|
||
OK, nothing confirmed here I guess. Pushing down priority.
Priority: P1 → P5
Updated•16 years ago
|
Flags: tracking1.9+ → wanted1.9.0.x+
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•