Bug 417400 - Resource Directory Traversal Vulnerability - Mac OS X and Linux Example
Status: RESOLVED FIXED
Whiteboard: [sg:dupe 380994]
Keywords: verified1.8.1.17, verified1.9.0.2
Product: Core
Classification: Components
Component: Security
Version: unspecified
Platform: PowerPC Mac OS X
Importance: -- normal
Assigned To: Daniel Veditz [:dveditz]
QA Contact: David Keeler [:keeler]
Reported: 2008-02-13 19:33 PST by Gregory Fleischer
Modified: 2008-09-30 22:50 PDT


Attachments
Example that shows reading from sessionstore.js if username and profile value are known (3.96 KB, text/html)
2008-02-13 19:36 PST, Gregory Fleischer

Description Gregory Fleischer 2008-02-13 19:33:38 PST
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

On Mac OS X and Linux, the "resource:///" directory traversal described in bug 394075 can be used to reach any file on the file system.

Because there is a different error returned for JavaScript for non-existent files versus files that have syntax errors, a brute-force attack could be mounted to determine the OS user name by attempting to source script files from their home directory.

If the operating system user name can be brute-forced (or otherwise determined) and the profile value determined through an information leak, the "sessionstore.js" file can be read if it is stored in the default location.


Reproducible: Always

Comment 1 Gregory Fleischer 2008-02-13 19:36:52 PST
Created attachment 303195 [details]
Example that shows reading from sessionstore.js if username and profile value are known

If the OS user name and profile value can be determined, it is possible to read the sessionstore.js file.

Note also that different errors are returned for invalid (or unreachable) user name values compared to users that exist.
Comment 2 Daniel Veditz [:dveditz] 2008-02-14 00:11:32 PST
This is basically a dupe of bug 380994, customized with a juicy target from the flat-chrome traversal bug. Very clever attempt to read the salted profile name. Another way to get that name: sometimes it can be read from uncaught exceptions thrown by addon components (not code in chrome URIs, which isn't going to help much, but accompanying JavaScript XPCOM components, which will have file: URIs in the error).
Comment 3 Daniel Veditz [:dveditz] 2008-08-27 00:50:52 PDT
Fix for bug 380994 checked into 1.8 and 1.9.0 branches
Comment 4 juan becerra [:juanb] 2008-08-29 14:43:29 PDT
Verified on latest Mac/Linux build candidates for 2.0.0.17 and 3.0.2 using the test case in comment #1. When running the test case on 2.0.0.16 and 3.0.1 I could see the contents of my sessionstore.js file; on 2.0.0.17 and 3.0.2 nothing happens.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
