"click" MouseEvent can be used to set focus on file input and selectively capture keystrokes, which can be used to upload arbitrary files

Status: RESOLVED DUPLICATE of bug 405299

Product: Firefox
Component: Security
Priority: --
Severity: major
Reported: 11 years ago
Modified: 10 years ago

People

Reporter: Gregory Fleischer
Assignee: Unassigned

Tracking

Keywords: verified1.8.1.12
Version: unspecified
Hardware: PowerPC
OS: Mac OS X
Bug Flags: blocking1.8.1.12 +, wanted1.8.1.x +
Firefox Tracking Flags: Not tracked

Details

Whiteboard: [sg:dupe 405299]

Attachments

1 attachment

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

By creating a "MouseEvent" and using dispatchEvent to send a "click" to a file input element or a label associated with the file, the focus can be set on the text portion of the file input.  This can be used to selectively capture keystrokes and construct a path that can be used to upload arbitrary files from a user's computer.

By sending the click as an event, the focus restrictions in bug #370092 can be bypassed.

An alternate approach is to use the observation in bug #404391 and send click to an additional input element nested inside of the label.

Reproducible: Always

User agents tested:
  - Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
  - Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
  - Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20071211 BonEcho/2.0.0.12pre
  - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
  - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/20071211 BonEcho/2.0.0.12pre
(Reporter)

Comment 1

11 years ago
Created attachment 292732 [details]
Test case and file stealing demo

Attached test-case and file stealing demo.
(Reporter)

Comment 2

11 years ago
The attachment contains a test case (simple-click.html) and file stealing demo
(plausible.html + upload.cgi).

The simple-click.html file demonstrates how any of the elements in the grey box
(label, file input and text input) can be sent a "click" mouse event.  Any
keystrokes entered in the textarea will be transferred to the file input text
field.  No attempt is made to filter keystrokes.

The plausible.html file demonstrates how an actual attack could be constructed.
The layout presented is similar to many blog comment sections.  All of the
fields are hooked so any keystroke that is entered can be used.  Once the
desired file is matched, the form would be automatically submitted.

The two files in the demo are "/etc/hosts" on Linux and Mac OS X and
"c:\boot.ini" on Windows.  Using a special set of captchas, any well-known file
could be targeted.  For instance, an attack under Windows could include the
'c', ':', and '\' characters.  Multiple failures could be generated to capture
the necessary keystrokes by refreshing the image via XMLHttpRequest.  Some
potential well-known targets on Linux or Mac OS X would be "/etc/passwd" or
"~/.gnupg/secring.gpg".

The demo is standalone by default, but the 'upload.cgi' Perl CGI script can be used to actually submit the file.
Gregory, thanks for the bug report, but this turns out to be already reported, bug 405299.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 405299
making this "block" 1.8.1.12 so this bug stays in our queries for verification that it really is the same thing.
Flags: blocking1.8.1.12+
Whiteboard: [sg:dupe 405299]
Flags: wanted1.8.1.x+
Keywords: fixed1.8.1.12
I've checked this in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12. It no longer shows the matching (in green highlighting) for '/etc/hosts'. Based on the other demos from this same series of issues, I believe that means that the problem is fixed. Can you confirm that this is a correct assumption, Gregory (or Dan)?
(Reporter)

Comment 6

10 years ago
Yes, that is a mostly correct assumption.

This bug had a different root cause (ability to programmatically send click events to set focus) which was fixed in bug 405299.

The mechanism by which this bug was exploited (selectively canceling keystrokes) was fixed in bug 413135.

In either case, this bug has been fixed.  I tested this with Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20080130 BonEcho/2.0.0.12pre.
Ok, thanks Gregory!
Marking verified1.8.1.12 then.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Group: security