Closed
Bug 464591
Opened 16 years ago
Closed 8 years ago
Percent-encoded host name can bypass IDN Normalization.
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
RESOLVED
FIXED
mozilla47
People
(Reporter: masa141421356, Assigned: valentin)
References
()
Details
(Keywords: intl, sec-low, Whiteboard: [sg:low][necko-backlog][post-critsmash-triage][adv-main47+])
Attachments
(4 files, 2 obsolete files)
882 bytes,
text/html
|
Details | |
4.16 KB,
patch
|
Details | Diff | Splinter Review | |
858 bytes,
text/html
|
Details | |
3.57 KB,
patch
|
mcmanus
:
review+
|
Details | Diff | Splinter Review |
UTF-8 encoded characters can causes domain name spoofing on location bar and status bar. testcase URL is looks like "http://www.example.com/www.mozilla.com/www.mozilla.org" But, it contains three UTF-8 encoded non-ascii characters. %E2%88%95 = U+2215 ('∕') : division slash %D0%B0 = U+0430 ('а') : Cyrillic alphabet "a" %E2%81%84 = U+2044 ('⁄') : fraction slash
Reporter | ||
Comment 1•16 years ago
|
||
reproduced at Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081111 Minefield/3.1b2pre And, not reproduced on error message.
U+2215 and U+2044 are in the default value of the "network.IDN.blacklist_chars" preference: http://hg.mozilla.org/mozilla-central/annotate/5ff478afc3f4/modules/libpref/src/init/all.js#l717 I would have hoped that would have prevented this from resolving. But it seems like it's only intended to affect the display; however, that doesn't seem to be working. Are we only blacklisting them if they're inside the TLD+1? I'd sort of have hoped that the core IDN algorithms would either forbid these or normalize these to standard slashes (and then, in turn, forbid them because they're slashes).
Reporter | ||
Comment 3•16 years ago
|
||
When Non-Ascii characters are inserted as HTML character reference , this issue is not reproduced. for example: <a href="http://www.example.com∕www.mozillа.com⁄www.mozilla.org/">example</a>
Reporter | ||
Comment 4•16 years ago
|
||
FYI: Other browsers test result: Opera 9.62 for Windows: not reproduced. Opera reports it as illegal URL to user. Safari: 3.1.2 for Windows reproduced at all displayed URL string. It may be needed to report this issue to Apple. IE7: not reproduced (IE7 does not decode %-encoded string).
Comment 5•16 years ago
|
||
I don't know my way around this code :-| The list only seems to be used in this file: http://mxr.mozilla.org/mozilla/source/netwerk/dns/src/nsIDNService.cpp Neil used to be our guy, although I haven't heard from him in a while. CCing him :-) Gerv
Comment 6•16 years ago
|
||
This HTML file encodes the same bad URL in three different encodings: * percent-encoded, as in the reported test case * UTF-8 encoded, in the native encoding of this HTML 4.01 document * HTML numeric entity-encoded
Comment 7•16 years ago
|
||
Here are the results of checking the above in two different versions of Firefox: In Firefox 2.0.0.18: * percent-encoded version displays misleadingly in status bar, displays percent-encoded in URL bar * UTF8-encoded version displays Punycoded in both status bar and URL bar * entity-encoded version displays Punycoded in both status bar and URL bar In Firefox 3.0.4: * percent-encoded version displays misleadingly in both status bar and URL bar * UTF8-encoded version displays Punycoded in both status bar and URL bar * entity-encoded version displays Punycoded in both status bar and URL bar
Comment 8•16 years ago
|
||
Looking at the error page as well, gives the following set of combinations: Firefox 2.0.0.18: HTML source status bar URL bar error page %-encoded SPOOF %-encoded %-encoded UTF8-encoded Punycode Punycode Punycode entity-encoded Punycode Punycode Punycode Firefox 3.0.4: HTML source status bar URL bar error page %-encoded SPOOF SPOOF %-encoded UTF8-encoded Punycode Punycode Punycode entity-encoded Punycode Punycode Punycode
Comment 9•16 years ago
|
||
As the previous version, with a Punycoded version in addition to the other three encodings
Attachment #348349 -
Attachment is obsolete: true
Comment 10•16 years ago
|
||
And, for the sake of completeness, adding a Puncoded version to the source gives the following set of combinations: Firefox 2.0.0.18: HTML source status bar URL bar error page %-encoded SPOOF %-encoded %-encoded UTF8-encoded Punycode Punycode Punycode entity-encoded Punycode Punycode Punycode Punycoded Punycode Punycode Punycode Firefox 3.0.4: HTML source status bar URL bar error page %-encoded SPOOF SPOOF %-encoded UTF8-encoded Punycode Punycode Punycode entity-encoded Punycode Punycode Punycode Punycoded Punycode Punycode Punycode
Reporter | ||
Updated•16 years ago
|
Summary: UTF-8 encoded non-ascii characters in URL causes DOMAIN name spoofing. → Percent-encoded non-ascii characters in URL causes domain name spoofing.
Comment 11•16 years ago
|
||
The relevant logic seems likely to have been introduced in fixing bug 309671: "Support %-escaped hostnames per RFC 3986 (3.2.2)" It's really difficult to understand how this area of the codebase works, because of its history as an accretion of tweaks, patches and special-case optimizations as its functionality has changed over the years, and the way it is used both for encoding/decoding and for URL obfuscation for securitry reasons; it really needs a complete refactoring.
Comment 12•16 years ago
|
||
Confirmed that Firefox 3 actually performs DNS lookup of correctly Punycoded version of spoofed address, so this looks exploitable.
Comment 13•16 years ago
|
||
Changed platform to All/All: behaviour seems reproducible on MacOS_X/PPC and Debian/x86.
OS: Windows XP → All
Hardware: PC → All
Updated•16 years ago
|
Whiteboard: [sg:low]
Reporter | ||
Comment 14•15 years ago
|
||
According result of trace with debugger, nsStandardURL::NormalizeIDN() is called with percent-encoded hostname, and it calles nsIDNService::ConvertToDisplayIDN() without unescaping percent-encode. And, its stacktrace is nsStandardURL::NormalizeIDN() line 381 nsStandardURL::BuildNormalizedSpec() line 500 nsStandardURL::SetSpec() line 1079 nsStandardURL::Init() line 2542 NewURI() I think , BuildNormalizedSpec() or NormalizedIDN() should un-escape percent-encodd.
Reporter | ||
Comment 15•15 years ago
|
||
(In reply to comment #14) > > I think , BuildNormalizedSpec() or NormalizedIDN() should un-escape > percent-encodd. It may be better to decode hostname in ConvertToDisplayIDN.
Summary: Percent-encoded non-ascii characters in URL causes domain name spoofing. → Percent-encoded host name can bypass IDN Normalization.
Reporter | ||
Comment 16•15 years ago
|
||
Depends on Bug 309671 or DUP?
Reporter | ||
Comment 17•15 years ago
|
||
This is almostly same as patch for nsStandardURL in bug 309671.
Reporter | ||
Comment 18•15 years ago
|
||
Added Unit test.
Attachment #367358 -
Attachment is obsolete: true
Attachment #368044 -
Flags: review?
Reporter | ||
Updated•15 years ago
|
Attachment #368044 -
Flags: review? → review?(bzbarsky)
Updated•15 years ago
|
Attachment #368044 -
Flags: review?(bzbarsky) → review?(cbiesinger)
Comment 19•15 years ago
|
||
Comment on attachment 368044 [details] [diff] [review] Patch rev.1.0 I'm not really qualified to review this....
Comment 20•15 years ago
|
||
(In reply to comment #12) > Confirmed that Firefox 3 actually performs DNS lookup of correctly Punycoded > version of spoofed address, so this looks exploitable. I don't see this happening with Firefox 3.0.7 on Linux. Wireshark does not show a DNS request when clicking on this bug's URL. How did you test this?
Reporter | ||
Comment 21•15 years ago
|
||
In this testcase, all links contains different hostname, to make easy to know which link causes to fire DNS query.
Component: General → Networking
QA Contact: general → networking
Comment 22•13 years ago
|
||
Comment on attachment 368044 [details] [diff] [review] Patch rev.1.0 I assume this is no longer relevant. please re-request if you disagree.
Attachment #368044 -
Flags: review?(cbiesinger)
Updated•10 years ago
|
Group: network-core-security
Updated•10 years ago
|
Group: network-core-security
Updated•9 years ago
|
Group: core-security → network-core-security
Comment 23•8 years ago
|
||
valentin - there is a patch here that biesi timed out.. should we be using it?
Flags: needinfo?(valentin.gosu)
Whiteboard: [sg:low] → [sg:low][necko-backlog]
Assignee | ||
Comment 24•8 years ago
|
||
We don't need the bit in nsStandardURL, but having the unit test in the tree would be useful.
Flags: needinfo?(valentin.gosu)
Assignee | ||
Comment 25•8 years ago
|
||
Also, we can probably clear the security flag, as this is no longer a problem.
Attachment #8716304 -
Flags: review?(mcmanus)
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → valentin.gosu
Status: NEW → ASSIGNED
Comment 26•8 years ago
|
||
Comment on attachment 8716304 [details] [diff] [review] Add test to make sure percent encoded host name can't bypass IDN normalization Review of attachment 8716304 [details] [diff] [review]: ----------------------------------------------------------------- love tests
Attachment #8716304 -
Flags: review?(mcmanus) → review+
Assignee | ||
Comment 27•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/54f494f0ecd43f89537f9440629fc7220ba4a3fe Bug 464591 - Add test to make sure percent encoded host name can't bypass IDN normalization r=mcmanus
Comment 28•8 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=464591
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox47:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Updated•8 years ago
|
Group: network-core-security → core-security-release
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: [sg:low][necko-backlog] → [sg:low][necko-backlog][post-critsmash-triage]
Updated•8 years ago
|
status-firefox46:
--- → wontfix
Whiteboard: [sg:low][necko-backlog][post-critsmash-triage] → [sg:low][necko-backlog][post-critsmash-triage][adv-main47+]
Updated•8 years ago
|
Alias: CVE-2016-2827
Updated•8 years ago
|
Alias: CVE-2016-2827
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•