Bug 624764 (CVE-2011-0071)

Directory Traversal in resource protocol




6 years ago
3 years ago


(Reporter: Soroush Dalili, Assigned: dwitte@gmail.com)


Windows XP
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(blocking2.0 betaN+, blocking1.9.2 .17+, status1.9.2 .17-fixed, blocking1.9.1 .19+, status1.9.1 .19-fixed)


(Whiteboard: [sg:moderate?][hardblocker], URL)


(4 attachments)



6 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)

By using a semi-colon ";" character after the resource protocol, we can bypass the protections and use "\..\" in order to do directory traversal or use the colon ":" character.
It can be used for file/directory enumeration or including important javascript files in a script tag. For example for a windows box we can use:
<script src="resource:///;\..\..\..\directory\secret.js"></script>
<script src="resource:///;\..\..\..\directory\secret.js::$data"></script>
<script src="resource:///something.com;\..\..\..\directory::$index_allocation\secret.js"></script>

Linux box might be exploitable by: resource:///something.com;\\..\\..\\..\\ (as I haven't tried it in a Linux box yet)

Reproducible: Always

Steps to Reproduce:
1. In windows, Open the following URL by using Mozilla Firefox:
2. You can see the root directory
Actual Results:  
You can see the root directory

Expected Results:  
I should be limited and get "access denied" for example

I just find this bug in 15 minutes, and I am reporting this immediately to you after finding it. Therefore, excuse me if I have any mistake in writing the report.


6 years ago

Comment 1

6 years ago
I'm also not sure if we should be able to use "resource" protocol without doing
any directory traversal in a script tag as well! In this case, the javascript
files in the Mozilla Firefox directory can be loaded such as:
For example:
<script src="resource:///components/FeedConverter.js"></script>
Assignee: nobody → benjamin
Component: General → Networking
Product: Firefox → Core
QA Contact: general → networking
Whiteboard: [sg:high]

Comment 2

6 years ago
any comment? any sugegstion?  any feedback?
It's on my list. The symptom from comment 1 is intentional, not a bug.

Comment 4

6 years ago
I think we can refer to these links:

I think it is a major issue. However, if you think it's not a security bug (or it is a low risk), I will release it via by blog with some PoC. Therefore, this bug can come out to public (I have a smililar one in IE8 and I like to mix them together in a Poc ;) ). 
I'm waiting for your response.

Please let me know.
It is a security bug, currently rated [sg:high] (leak of local user files to websites). Please do not release details of this until we have had a change to fix this bug and push it out to users in a Firefox release. This bug is eligible for the security bug bounty, I think, if that's what you're asking. I don't know exactly how that process works, cc'ing some people who do.
Ever confirmed: true
Actually, I'm going to delegate.
Assignee: benjamin → dwitte

Comment 7

6 years ago
I hope we can get a result soon.
I'd argue that this should block 2.0, sg:high bug.
blocking2.0: --- → betaN+
blocking1.9.2: --- → ?
status1.9.2: --- → wanted
Whiteboard: [sg:high] → [sg:high][hardblocker]

Comment 10

6 years ago
Is it eligible for the security bug bounty?
I added the bug to the bounty request queue. We usually don't decide until we understand the fix.
blocking1.9.1: --- → .18+
blocking1.9.2: ? → .15+
status1.9.1: --- → wanted

Comment 12

6 years ago
(In reply to comment #3)
> It's on my list. The symptom from comment 1 is intentional, not a bug.


Comment 13

6 years ago
Reproducible on Windows. I can't reproduce this on Linux, likely because backslashes aren't interpreted as directory separators.

Comment 14

6 years ago
have you tried this one in linux as well: resource:///something.com;\\..\\..\\..\\
Is it important to work on the exploitation technique now? (if it is so, I will try to do it)

Comment 15

6 years ago
Yes. I can't get any of this to reproduce under Linux.

Also, I think this bug is only reproducible on branch: on trunk we have omnijar, so the outer URI is a jar one and it inherently disallows poking outside of the jar.

Comment 16

6 years ago
Could you please give me a direct link to the source code that you are looking at. 
Yes, you cannot do the same when you are calling a jar file by "jar:"(chrome). However, I would be thankful if you give me a link to the protection code of omnijar if you know about it as well.

Comment 17

6 years ago
It's a twisty maze of twistiness, but here's where it starts:

The input to that method is a resource:// URI. On branch, the result of that method is a file:// URI, which is resolved via http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/nsStandardURL.cpp#1720. On trunk, it's a jar:file:// URI. From there, we presumably go through several steps to get an nsILocalFile (on branch) and thus an output stream that we can serve up. (This may involve http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/nsURLHelperWin.cpp#86, which calls http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/nsURLHelper.cpp#181.) What I can't figure out yet is how this vulnerability comes about; in net_ParseFileURL, we deal with ';' ref portions just fine, and don't include them in the filepath which is used to construct the nsILocalFile.

There's an easy fix, of course, if we make nsResProtocolHandler::ResolveURI disallow this stuff. But it worries me that the ';' could sneak through (and be interpreted as part of the filepath!) given all the other parsing we do, and that may warrant a more generic fix. I'm going to have to step through this stuff when I get onto my Windows machine and see what codepaths we're hitting.

Comment 18

6 years ago
Sorry, I meant param not ref portions above.

Comment 19

6 years ago
From http://www.ietf.org/rfc/rfc2396.txt ยง3.3:

   The path may consist of a sequence of path segments separated by a
   single slash "/" character.  Within a path segment, the characters
   "/", ";", "=", and "?" are reserved.  Each path segment may include a
   sequence of parameters, indicated by the semicolon ";" character.
   The parameters are not significant to the parsing of relative

So apparently ';' is legal within *individual* path segments; and it's explicitly named in http://mxr.mozilla.org/mozilla-central/source/netwerk/base/public/nsIURL.idl#48 as a suffix which can appear after the directory/filename portion. I'm not sure of its intended meaning in either case, or of any real-world usage (other than as a delimiter inside a '?' string).

Regardless, I can't possibly see how it would be intentional that it be interpreted as part of a path or path segment when dealing with local files.

Comment 20

6 years ago
Thanks for the information.
Semi-colon character is used on some webservers that support CGIs/JSP/Servlet as a delimiter; and that's why I tried it.
According to: http://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
"We recommend that HTTP server implementors, and in particular, CGI implementors support the use of ";" in place of "&" to save authors the trouble of escaping "&" characters in this manner."
We can also have file/folder with semi-colon in its name.
Semi-colon has caused logical issues for other applications/systems before. For example: http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

Comment 21

6 years ago
OK. When parsing a path, we search forward for '?' and '#'; the first such occurrence is tagged as the query / ref portion respectively. We search for ';' backwards until we hit the first '/', which occurs *after* normalization of the paths' '\\' components to '/'. So we're explicit about treating ';' as a param portion only in the filename segment of the URL. Coupled with the fact that ';' is legal in pathnames, this all makes sense. (I think.)

The usual sequence of events for dealing with a "resource:///../"-like URL would be for the "/../" to be coalesced out before we even get to nsResProtocolHandler::ResolveURI. This would work fine if we normalized '\\' to '/' at that point, since then we'd treat ';\\..\\..\\' as ';/../../' which would coalesce to nothing. The alternative, I think, is to manually normalize and coalesce the path in nsResProtocolHandler::ResolveURI.
I think it makes more sense to say that a resource: URI with a semicolon anywhere in it is simply invalid. We don't have to support arbitrary complexity for our own URI schemes.

Comment 23

6 years ago
I was thinking of fixing this more generically by forcing unescaping and path normalization ('\' --> '/') before we resolve the resource:// URI. But doing so would require performing OS-dependent normalization which is currently only done in net_GetFileFromURLSpec, which would be a pain.

So I think you're right, we can fix this simply by unescaping and checking for '\' in the full path rather than the file path. There's no need to test for ';' at that point since it's harmless. I'm running that patch through try.

Comment 24

6 years ago
Created attachment 509230 [details] [diff] [review]
trunk patch
Attachment #509230 - Flags: review?(benjamin)

Comment 25

6 years ago
Created attachment 509231 [details] [diff] [review]
branch patch

This applies to 1.9.2 and 1.9.1.
Attachment #509231 - Flags: review?(benjamin)
Attachment #509230 - Flags: review?(benjamin) → review+
Attachment #509231 - Flags: review?(benjamin) → review+
Note: please do not check in the tests for this patch until after it has been included in a release.

Comment 27

6 years ago
Comment on attachment 509231 [details] [diff] [review]
branch patch

a=LegNeato for and
Attachment #509231 - Flags: approval1.9.2.15+
Attachment #509231 - Flags: approval1.9.1.18+

Comment 28

6 years ago

Holding off on landing tests.
Last Resolved: 6 years ago
status1.9.1: wanted → .18-fixed
status1.9.2: wanted → .15-fixed
Resolution: --- → FIXED
What is the exact STR here for branch and for trunk?

On trunk, as noted, I cannot get outside of omni.jar with the examples above.

Comment 30

6 years ago
On trunk, I don't think it's possible to repro. On branches on Windows, "resource:///;\..\..\" will do it. Mac/Linux are unaffected.

Comment 31

6 years ago
Glad that this bug has been solved. Now guys, I'm not sure about the bounty process, how can I realise if this one can get it or not? 

And for my information, do you suggest the security researchers to still report the security bugs that cannot be eligble for the bug bounty as well? if yes, why do you?
(In reply to comment #31)
> Glad that this bug has been solved. Now guys, I'm not sure about the bounty
> process, how can I realise if this one can get it or not? 

This bug was nominated for a bug bounty on Jan. 20th, but you'll need to wait until the bounty committee meets (around once a month) to find out if the nomination is accepted. If it is accepted, you'll be contacted via e-mail.

> And for my information, do you suggest the security researchers to still report
> the security bugs that cannot be eligble for the bug bounty as well? if yes,
> why do you?

Sure, even if something doesn't explicitly qualify for a bug bounty (as per the policy), the committee has been known to grant bounties for clever bug findings and other special circumstances. In some cases, the researcher might not be aware that his/her lower-severity bug could be modified slightly or used with some other bug to expand privileges, which would make the issue more critical than originally considered by the researcher. By submitting bugs, you're helping to improve the security of Firefox and other Mozilla projects and doing your part to protect millions of users. Plus, almost all security issues end up in a security advisory, which would include the submitter's name, in case credit means a lot to you (i.e., more security cred for finding a Firefox vulnerability or something). There are many reasons why you should still submit your findings, but in the end, it is your choice, though we hope you will notify us rather than keep the issues to yourself.

If you have any other questions about the bug bounty program, please contact security@mozilla.org. We generally try to keep the bounty process outside of the bugs themselves so as not to interfere with development of security fixes, but we're more than happy to answer any and all questions/concerns/comments you have about how this process works.


Comment 33

6 years ago
Created attachment 511514 [details] [diff] [review]
tests for trunk

Posting trunk tests for the record. (This needs to be landed after branch release.)

Comment 34

6 years ago
Created attachment 511515 [details] [diff] [review]
branch tests

Branch tests.

Comment 35

6 years ago
(In reply to comment #33)
> Created attachment 511514 [details] [diff] [review]
> tests for trunk
> Posting trunk tests for the record. (This needs to be landed after branch
> release.)

Thanks for the comment. I'm still waiting for the result of bug bounty on this bug.

(In reply to comment #4)
> I think we can refer to these links:
> http://www.mozilla.org/security/announce/2008/mfsa2008-05.html

The difference between this one and MFSA 2008-05 is on that one the traversal started in the profile directory which opened up juicy JS-formatted files that could be read (e.g. user's prefs, sessionrestore data). The resource: scheme starts in the install directory and profile data should be obscured by the directory name salting.

non-JS files will just give you syntax errors if you try to load them, but no stolen data. You could probably fingerprint someone by looking in common locations for what kinds of things they have installed, but that's a lower severity privacy attack.

Lowering the severity to moderate and recommending a reduced bounty, but it's possible I've completely missed some common trove of data you can capture using this technique. Here's your chance to appeal to restore the full sg:high rating.
Whiteboard: [sg:high][hardblocker] → [sg:moderate?][hardblocker]

Comment 37

6 years ago
I'm trying to see if there is a way to find the profile name and include the "sessionstore.js" by using this attack. I'll write my result here which was successful or failed for the final judge.
By default we add random characters to the profile name to defeat this type of attack. If you can find a way to determine the salted profile name that would be an interesting bug in its own right.

There may be standard OS files that can be read in JS format. If there are any those are more likely to be reachable in predictable locations.
The "3.6.15" we're releasing today does not fix this bug, the release containing this bug fix has been renamed to "3.6.16" and the bugzilla flags will be updated to reflect that soon. Today's release is a re-release of 3.6.14 plus a fix for a bug that prevented many Java applets from starting up.
Alias: CVE-2011-0071
Group: core-security
Did the tests ever land here?

Comment 41

6 years ago
I don't believe so. A volunteer would be appreciated, since I have no treewatching time at present. I can ask around!
I'll grab them next time I push.
Flags: sec-bounty+
You need to log in before you can comment on or make changes to this bug.