Closed Bug 464591 Opened 16 years ago Closed 8 years ago

Percent-encoded host name can bypass IDN Normalization.

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox46 --- wontfix
firefox47 --- fixed

People

(Reporter: masa141421356, Assigned: valentin)

References

(
URL
)

Details

(Keywords: intl, sec-low, Whiteboard: [sg:low][necko-backlog][post-critsmash-triage][adv-main47+])

Attachments

(4 files, 2 obsolete files)

Bad percent-encoded URL testcase, in four different encodings
882 bytes, text/html
Details
Patch rev.1.0
4.16 KB, patch
Details | Diff | Splinter Review
new testcase
858 bytes, text/html
Details
Add test to make sure percent encoded host name can't bypass IDN normalization
3.57 KB, patch
mcmanus
: review+
Details | Diff | Splinter Review 
UTF-8 encoded characters can causes domain name spoofing on location bar and status bar.

testcase URL is looks like 
"http://www.example.com/www.mozilla.com/www.mozilla.org"
But, it contains three UTF-8 encoded non-ascii characters.
%E2%88%95 = U+2215 ('∕') : division slash
%D0%B0 = U+0430 ('а') : Cyrillic alphabet "a"
%E2%81%84 = U+2044 ('⁄') : fraction slash
reproduced at

Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081111 Minefield/3.1b2pre

And, not reproduced on error message.
U+2215 and U+2044 are in the default value of the "network.IDN.blacklist_chars" preference:
http://hg.mozilla.org/mozilla-central/annotate/5ff478afc3f4/modules/libpref/src/init/all.js#l717
I would have hoped that would have prevented this from resolving.  But it seems like it's only intended to affect the display; however, that doesn't seem to be working.  Are we only blacklisting them if they're inside the TLD+1?

I'd sort of have hoped that the core IDN algorithms would either forbid these or normalize these to standard slashes (and then, in turn, forbid them because they're slashes).
When Non-Ascii characters are inserted as HTML character reference , this issue is not reproduced.
for example: <a href="http://www.example.com&#x2215;www.mozill&#x0430;.com&#x2044;www.mozilla.org/">example</a>
FYI: Other browsers test result:
Opera 9.62 for Windows: not reproduced. Opera reports it as illegal URL to user.
Safari: 3.1.2 for Windows reproduced at all displayed URL string.
   It may be needed to report this issue to Apple.

IE7: not reproduced (IE7 does not decode %-encoded string).
I don't know my way around this code :-| The list only seems to be used in this file:
http://mxr.mozilla.org/mozilla/source/netwerk/dns/src/nsIDNService.cpp
Neil used to be our guy, although I haven't heard from him in a while. CCing him :-)

Gerv
This HTML file encodes the same bad URL in three different encodings:
* percent-encoded, as in the reported test case
* UTF-8 encoded, in the native encoding of this HTML 4.01 document
* HTML numeric entity-encoded
Here are the results of checking the above in two different versions of Firefox:

In Firefox 2.0.0.18:
* percent-encoded version displays misleadingly in status bar, displays percent-encoded in URL bar
* UTF8-encoded version displays Punycoded in both status bar and URL bar
* entity-encoded version displays Punycoded in both status bar and URL bar

In Firefox 3.0.4:
* percent-encoded version displays misleadingly in both status bar and URL bar
* UTF8-encoded version displays Punycoded in both status bar and URL bar
* entity-encoded version displays Punycoded in both status bar and URL bar
Looking at the error page as well, gives the following set of combinations:

Firefox 2.0.0.18:

HTML source         status bar     URL bar        error page

%-encoded           SPOOF          %-encoded      %-encoded
UTF8-encoded        Punycode       Punycode       Punycode
entity-encoded      Punycode       Punycode       Punycode

Firefox 3.0.4:

HTML source         status bar     URL bar        error page

%-encoded           SPOOF          SPOOF          %-encoded
UTF8-encoded        Punycode       Punycode       Punycode
entity-encoded      Punycode       Punycode       Punycode
As the previous version, with a Punycoded version in addition to the other three encodings
Attachment #348349 - Attachment is obsolete: true
And, for the sake of completeness, adding a Puncoded version to the source gives the following set of combinations:

Firefox 2.0.0.18:

HTML source         status bar     URL bar        error page

%-encoded           SPOOF          %-encoded      %-encoded
UTF8-encoded        Punycode       Punycode       Punycode
entity-encoded      Punycode       Punycode       Punycode
Punycoded           Punycode       Punycode       Punycode

Firefox 3.0.4:

HTML source         status bar     URL bar        error page

%-encoded           SPOOF          SPOOF          %-encoded
UTF8-encoded        Punycode       Punycode       Punycode
entity-encoded      Punycode       Punycode       Punycode
Punycoded           Punycode       Punycode       Punycode
Summary: UTF-8 encoded non-ascii characters in URL causes DOMAIN name spoofing. → Percent-encoded non-ascii characters in URL causes domain name spoofing.
The relevant logic seems likely to have been introduced in fixing bug 309671: "Support %-escaped hostnames per RFC 3986 (3.2.2)"

It's really difficult to understand how this area of the codebase works, because of its history as an accretion of tweaks, patches and special-case optimizations as its functionality has changed over the years, and the way it is used both for encoding/decoding and for URL obfuscation for securitry reasons; it really needs a complete refactoring.
Confirmed that Firefox 3 actually performs DNS lookup of correctly Punycoded version of spoofed address, so this looks exploitable.
Changed platform to All/All: behaviour seems reproducible on MacOS_X/PPC and Debian/x86.
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:low]
According result of trace with debugger, 

nsStandardURL::NormalizeIDN() is called with percent-encoded hostname, and it calles nsIDNService::ConvertToDisplayIDN() without unescaping percent-encode.

And, its stacktrace is

nsStandardURL::NormalizeIDN() line 381
nsStandardURL::BuildNormalizedSpec() line 500
nsStandardURL::SetSpec() line 1079
nsStandardURL::Init() line 2542
NewURI()

I think , BuildNormalizedSpec() or NormalizedIDN() should un-escape percent-encodd.
(In reply to comment #14)
> 
> I think , BuildNormalizedSpec() or NormalizedIDN() should un-escape
> percent-encodd.

It may be better to decode hostname in ConvertToDisplayIDN.
Summary: Percent-encoded non-ascii characters in URL causes domain name spoofing. → Percent-encoded host name can bypass IDN Normalization.
Depends on Bug 309671 or DUP?
Attached patch Workaround for Trunk (obsolete) — Splinter Review 
This is almostly same as patch for nsStandardURL in bug 309671.
Attached patch Patch rev.1.0Splinter Review 
Added Unit test.
Attachment #367358 - Attachment is obsolete: true
Attachment #368044 - Flags: review?
Attachment #368044 - Flags: review? → review?(bzbarsky)
Attachment #368044 - Flags: review?(bzbarsky) → review?(cbiesinger)
Comment on attachment 368044 [details] [diff] [review]
Patch rev.1.0

I'm not really qualified to review this....
(In reply to comment #12)
> Confirmed that Firefox 3 actually performs DNS lookup of correctly Punycoded
> version of spoofed address, so this looks exploitable.

I don't see this happening with Firefox 3.0.7 on Linux. Wireshark does not show a DNS request when clicking on this bug's URL. How did you test this?
Attached file new testcase 
In this testcase, all links contains different hostname, to make easy to know which link causes to fire DNS query.
Component: General → Networking
QA Contact: general → networking
Comment on attachment 368044 [details] [diff] [review]
Patch rev.1.0

I assume this is no longer relevant. please re-request if you disagree.
Attachment #368044 - Flags: review?(cbiesinger)
Group: network-core-security
Group: network-core-security
Group: core-security → network-core-security
valentin - there is a patch here that biesi timed out.. should we be using it?
Flags: needinfo?(valentin.gosu)
Whiteboard: [sg:low] → [sg:low][necko-backlog]
We don't need the bit in nsStandardURL, but having the unit test in the tree would be useful.
Flags: needinfo?(valentin.gosu)
Also, we can probably clear the security flag, as this is no longer a problem.
Attachment #8716304 - Flags: review?(mcmanus)
Assignee: nobody → valentin.gosu
Status: NEW → ASSIGNED
Comment on attachment 8716304 [details] [diff] [review]
Add test to make sure percent encoded host name can't bypass IDN normalization

Review of attachment 8716304 [details] [diff] [review]:
-----------------------------------------------------------------

love tests
Attachment #8716304 - Flags: review?(mcmanus) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/54f494f0ecd43f89537f9440629fc7220ba4a3fe
Bug 464591 - Add test to make sure percent encoded host name can't bypass IDN normalization r=mcmanus
https://bugzilla.mozilla.org/show_bug.cgi?id=464591
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox47: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Group: network-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [sg:low][necko-backlog] → [sg:low][necko-backlog][post-critsmash-triage]
status-firefox46: --- → wontfix
Whiteboard: [sg:low][necko-backlog][post-critsmash-triage] → [sg:low][necko-backlog][post-critsmash-triage][adv-main47+]
Alias: CVE-2016-2827
Alias: CVE-2016-2827
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: