Closed Bug 845880 (CVE-2022-34482) Opened 12 years ago Closed 2 years ago

Drag-and-Drop and File Extension Bugs Enable Dropping of Malicious File

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
102 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- fixed

People

(Reporter: curtisk, Assigned: enndeakin)

Details

(Keywords: csectype-other, sec-moderate, Whiteboard: Disclosure planned by EOY 2013, Chrome bug public now [adv-main102+])

Attachments

(2 files, 1 obsolete file)

Date: Wed, 27 Feb 2013 09:13:37 -0800 (PST)
From: Attila SUSZTER <asuszter@yahoo.com>
Subject: Re: [BTS] Drag-and-Drop and File Extension Bugs Enable Opera to Drop
	Malicious File
To: "DSK-383008@bugs.opera.com" <DSK-383008@bugs.opera.com>
-----//-----

Hi,

[CC-ed Mozilla and Google security teams]

Thanks for the additional information, and for the quick response.

Google tracks this issue at https://code.google.com/p/chromium/issues/detail?id=177980. Even though the impact on their side seems to be lower, it would probably be good to coordinate with them, too.

Attila

    From: "DSK-383008@bugs.opera.com" <DSK-383008@bugs.opera.com>
    To: asuszter@yahoo.com
    Sent: Wednesday, 27 February 2013, 14:12
    Subject: [BTS] Drag-and-Drop and File Extension Bugs Enable Opera to Drop Malicious File


    Hi,

    Thanks for your bug report; Drag-and-Drop and File Extension Bugs Enable Opera to Drop Malicious File

    We can reproduce the issue, and will look into how to get it fixed in a public release as soon as possible. In order to protect users from abuse, we ask that you refrain from publicising the issue until we have had a chance to fix it.

    The fault lies in Opera trusting the filename supplied by the page, instead of applying the appropriate filename for the file's mimetype. Note, however, that the dnd API allows a page to supply any data and any mimetype, while also allowing a custom drag image to be displayed. This would allow actual executables to be added as the drag data, and these could then be dragged to the system from any browser that supports the HTML5 dnd API, while making the user think they were dragging an image.

    Other browsers do try to protect against this by removing the harmful extensions, but while investigating your bug report, we discovered that this protection could be bypassed in Firefox (image.jpg.exe.exe will become image.jpg.exe). We will inform Mozilla of this issue, and coordinate our announcement with them. We would ask that you also refrain from announcing until both we and Mozilla have had a chance to fix this issue.

    For more information regarding Opera's security policies, you may look at the following links:
    http://www.opera.com/security/policy/
    http://www.opera.com/security/rating/
    http://my.opera.com/securitygroup/blog/2010/02/18/what-is-a-browser-security-issue-anyway

    Thanks again for your report.

    Tarquin Wilton-Jones
    Security Group
    Opera Software ASA

    Reply to this e-mail to respond to the query.
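
The single-pass extension stripping described in the Opera reply above (image.jpg.exe.exe becoming image.jpg.exe), next to a hardened variant that takes the extension from the MIME type instead of the page-supplied name. This is an added example, not code from the bug report, Firefox or Opera; the deny-list, the MIME map and the function names are constructed for illustration.

```javascript
// Constructed lists for illustration; not any browser's real tables.
const EXECUTABLE_EXTS = new Set(["exe", "com", "bat", "cmd", "scr", "pif", "lnk", "jar", "vbs", "msi"]);
const MIME_TO_EXT = new Map([["image/jpeg", "jpg"], ["image/png", "png"], ["image/gif", "gif"]]);

// Weak form: removes at most ONE trailing harmful extension, so a doubled
// extension survives the check (the behaviour reported in the e-mail).
function stripOnce(name) {
  const dot = name.lastIndexOf(".");
  if (dot > 0 && EXECUTABLE_EXTS.has(name.slice(dot + 1).toLowerCase())) {
    return name.slice(0, dot);
  }
  return name;
}

// Hardened form: the page-supplied name only contributes a base name.
// The final extension always comes from the (allow-listed) MIME type.
function safeDropName(suppliedName, mimeType) {
  const ext = MIME_TO_EXT.get(String(mimeType).toLowerCase());
  if (!ext) return null; // unknown or non-image type: do not create a file

  // Drop path components and the trailing dots/spaces that Windows ignores.
  let base = String(suppliedName).split(/[\\/]/).pop().replace(/[. ]+$/, "");

  // Strip harmful extensions until nothing changes (fixed point).
  let prev;
  do {
    prev = base;
    base = stripOnce(base).replace(/[. ]+$/, "");
  } while (base !== prev);

  // Avoid "image.jpg.jpg" when the name already ends in the right extension.
  if (base.toLowerCase().endsWith("." + ext)) {
    base = base.slice(0, -(ext.length + 1));
  }
  if (base === "") base = "download";
  return base + "." + ext;
}

// Constructed sample inputs.
console.log(stripOnce("image.jpg.exe.exe"));                  // weak result
console.log(safeDropName("image.jpg.exe.exe", "image/jpeg")); // hardened result
console.log(safeDropName("tool.exe", "application/x-msdownload"));
```
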

Can you post the original bug report as well? The comment above only includes the response.

I created another PoC based on Tarquin's idea. Open index.html via http and follow the instructions.

It should work on Opera and Firefox, but doesn't work on Chrome.
Attachment #719150 - Attachment mime type: application/octet-stream → application/java-archive
Component: Security → Drag and Drop
Whiteboard: Disclosure planned by EOY 2013, Chrome bug public now
Group: core-security → dom-core-security

Any remaining issues should have been fixed by 1746052.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Assignee: nobody → enndeakin
Group: dom-core-security → core-security-release
Depends on: 1746052
Target Milestone: --- → 102 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+
Whiteboard: Disclosure planned by EOY 2013, Chrome bug public now → Disclosure planned by EOY 2013, Chrome bug public now [adv-main102+]
Attached file advisory.txt (obsolete) —

Not sure if the info from comment 2 is still relevant, being 9 years old. Drag and drop action on the file in question is blocked in the fixed version (tested with Fx 102, on Windows 10). Is this the expected behavior? If not, can you provide some applicable steps to be able to confirm the fix? Thank you!

Flags: needinfo?(enndeakin)
Alias: CVE-2022-34482
Comment on attachment 9282672 [details]
advisory.txt

>Drag and drop of malicious image could have led to malicious executable and potential code execution
>Attila Suszter
>
>An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code.  While very similar, a separate issue from CVE-2022-XXXX.
Attachment #9282672 - Attachment is obsolete: true

I'm not sure that the testcase is relevant anymore. I assume at some point in the past, one could drag invalid images. The tests in the linked chrome bug also work fine.

Flags: needinfo?(enndeakin)

(In reply to Neil Deakin from comment #8)
>I'm not sure that the testcase is relevant anymore. I assume at some point in the past, one could drag invalid images. The tests in the linked chrome bug also work fine.

Thank you for your response. I will remove the qe+ from the bug in this case.

Flags: qe-verify+
Group: core-security-release