Bug 827193 (CVE-2013-0774)

disclosure of profile directory name in JavaScript variable visible to Workers

RESOLVED FIXED in Firefox 19

Status

Product: Core
Component: DOM: Workers
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: freddyb, Assigned: Gavin)

Tracking

Version: unspecified
Target Milestone: mozilla21
Keywords: privacy, sec-moderate
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox17 wontfix, firefox18- wontfix, firefox19+ fixed, firefox20+ fixed, firefox21 fixed, firefox-esr1719+ fixed, b2g1819+ fixed, b2g18-v1.0.0 wontfix)

Details

(Whiteboard: [adv-main19+][adv-esr1703+])

Attachments

(3 attachments)

(Reporter)

Description

4 years ago
Created attachment 698511 [details]
PoC html file

The variable "OS" in a Web Workers scope contains some peculiar information, among them:

OS['Constants']['Path']['profileDir'], which is the full path to the firefox profile directory, e.g. "/home/freddy/.mozilla/firefox/6efxvygfz.default".

I know that the path name contains these random characters for security reasons. Although a quick search revealed no easy way to turn this path disclosure into a serious exploit I suppose it still poses a security risk.

If this is wrong, please uncheck the security-confidential flag.

I will attach a simple test case that explains the issue.
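As an added example (not the reporter's PoC and not Mozilla's regression test), the following is the kind of check a test suite could run against a worker's global scope to catch this class of leak: it reports whether the privileged OS object, and specifically OS.Constants.Path.profileDir, is reachable from a content worker, where it must never be. The `auditWorkerScope`, `lookup` and `redactPath` functions and the two sample scopes are assumptions constructed for this illustration; in a real harness the audit would run inside a Worker and post its result back to the page.

```javascript
// Added example, not code from the bug report or from Mozilla's test suite.
// A regression-style audit of a worker global scope: it reports whether the
// privileged OS.File constants (the bug's OS.Constants.Path.profileDir) are
// reachable from a content worker, where they must never be. The scopes at the
// bottom are constructed stand-ins for a worker's `self`; a real harness would
// run auditWorkerScope(self) inside a Worker and postMessage the result out.

// Resolve a dotted path on an object, returning undefined if any step is missing.
function lookup(root, path) {
  let cur = root;
  for (const key of path) {
    const isObjectLike = cur !== null && (typeof cur === 'object' || typeof cur === 'function');
    if (!isObjectLike || !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Hide the per-profile random directory name before the finding is logged or
// reported, so the audit does not itself spread the value the bug leaked.
function redactPath(p) {
  const idx = Math.max(p.lastIndexOf('/'), p.lastIndexOf('\\'));
  return idx < 0 ? '<redacted>' : p.slice(0, idx + 1) + '<redacted>';
}

// Audit one worker scope. isChromeWorker=true means the scope is privileged and
// OS.Constants is legitimately present there, so nothing is reported.
function auditWorkerScope(scope, { isChromeWorker = false } = {}) {
  const findings = [];
  if (isChromeWorker) {
    return { ok: true, findings };
  }
  if (lookup(scope, ['OS']) !== undefined) {
    // Any OS object at all is already more than a content worker should see.
    findings.push({ path: 'OS', value: '<object>' });
    const profileDir = lookup(scope, ['OS', 'Constants', 'Path', 'profileDir']);
    if (typeof profileDir === 'string') {
      findings.push({ path: 'OS.Constants.Path.profileDir', value: redactPath(profileDir) });
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed scopes. The path is a made-up example in the shape the bug describes.
const leakyWorkerScope = {
  OS: { Constants: { Path: { profileDir: '/home/example/.mozilla/firefox/abcd1234.default' } } },
  postMessage() {},
};
const fixedWorkerScope = { postMessage() {} };

console.log(JSON.stringify(auditWorkerScope(leakyWorkerScope), null, 2));
console.log(JSON.stringify(auditWorkerScope(fixedWorkerScope), null, 2));
```

The audit deliberately redacts the random profile-directory component before reporting it: a test that logs the leaked value verbatim into CI output would reproduce the disclosure it is meant to catch.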
(Reporter)

Comment 1

4 years ago
Created attachment 698512 [details]
PoC JS file
(Reporter)

Comment 2

4 years ago
The PoC HTML file references the JS file, which has to be in the same directory. Hence, this PoC doesn't work on bugzilla but has to be downloaded.
This seems to have been introduced by http://hg.mozilla.org/mozilla-central/rev/1bbc0b65dffb#l39.1.

"fix build warnings"? o_O
Blocks: 743573
status-firefox17: --- → wontfix
status-firefox18: --- → wontfix
tracking-firefox19: --- → ?
tracking-firefox20: --- → ?
tracking-firefox-esr17: --- → ?
Keywords: privacy, sec-moderate
Sorry, I misread that. http://hg.mozilla.org/mozilla-central/diff/685e5580a1f4/dom/workers/WorkerScope.cpp just put the parenthesis at the wrong place.
Blocks: 739740
No longer blocks: 743573
Created attachment 698518 [details] [diff] [review]
patch
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED
Attachment #698518 - Flags: review?(khuey)
status-firefox18: wontfix → affected
tracking-firefox18: --- → ?
Attachment #698518 - Flags: review?(khuey) → review+

Updated

4 years ago
status-firefox19: --- → affected
status-firefox20: --- → affected
tracking-firefox19: ? → +
tracking-firefox20: ? → +
https://hg.mozilla.org/integration/mozilla-inbound/rev/e370fc6fae8e
Target Milestone: --- → mozilla21
Comment on attachment 698518 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): present since introduction of the feature in Firefox 15 (bug 739740)
User impact if declined: privacy leak, potential security risk if combined with other bugs
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): it's a simple change of logic to match what was originally intended, very low risk
String or UUID changes made by this patch: none
Attachment #698518 - Flags: approval-mozilla-beta?
Attachment #698518 - Flags: approval-mozilla-aurora?
Comment on attachment 698518 [details] [diff] [review]
patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: I think the privacy impact/risk ratio is high enough that this merits landing on ESR for the next release as well.

See comment 7 for the rest of the risk analysis.
Attachment #698518 - Flags: approval-mozilla-esr17?
Comment on attachment 698518 [details] [diff] [review]
patch

This impacts b2g as well, but I'm not confident about what the current b2g18 policy is.
Attachment #698518 - Flags: approval-mozilla-b2g18?

Updated

4 years ago
status-b2g18: --- → affected
status-firefox18: affected → wontfix
status-firefox-esr17: --- → affected
tracking-b2g18: --- → 19+
tracking-firefox18: ? → -
tracking-firefox-esr17: ? → 19+
Comment on attachment 698518 [details] [diff] [review]
patch

Let's wait until after 1/15 to land on B2G's branch.
Attachment #698518 - Flags: approval-mozilla-esr17?
Attachment #698518 - Flags: approval-mozilla-esr17+
Attachment #698518 - Flags: approval-mozilla-beta?
Attachment #698518 - Flags: approval-mozilla-beta+
Attachment #698518 - Flags: approval-mozilla-aurora?
Attachment #698518 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-esr17/rev/bc1851ce7691
https://hg.mozilla.org/releases/mozilla-beta/rev/9461ce8b252a
https://hg.mozilla.org/releases/mozilla-aurora/rev/1903a40f342d
status-firefox19: affected → fixed
status-firefox20: affected → fixed
status-firefox-esr17: affected → fixed
https://hg.mozilla.org/mozilla-central/rev/e370fc6fae8e
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Blocks: 827801
Still waiting to take patches for 1.0.1; as per https://wiki.mozilla.org/Release_Management/B2G_Landing we'll be opening mozilla-b2g18 up for landings after 1/25, so leaving the nomination.
Comment on attachment 698518 [details] [diff] [review]
patch

This can now be landed on mozilla-b2g18, which is currently v1.0.1.
Attachment #698518 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
https://hg.mozilla.org/releases/mozilla-b2g18/rev/e34522d63693
status-b2g18: affected → fixed
status-b2g18-v1.0.0: --- → wontfix
status-firefox21: --- → fixed
Flags: in-testsuite?
Flags: in-testsuite? → in-testsuite+
Whiteboard: [adv-main19+][adv-esr1703+]
Alias: CVE-2013-0774
Group: core-security