Closed Bug 916726 (CVE-2014-1480) Opened 11 years ago Closed 11 years ago

Download "open file" dialog delay is too quick, doesn't prevent clickjacking

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Version:
23 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox26 --- wontfix
firefox27 --- fixed
firefox28 --- fixed
firefox-esr24 --- wontfix
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: jordi.chancel, Assigned: Felipe)

Details

(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [reporter-external][adv-main27+])

Attachments

(2 files, 8 obsolete files)

change delay to 1sec
2.83 KB, patch
Gavin
: review+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
new video.mov
6.93 MB, video/quicktime
Details 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130814063812

Steps to reproduce:

the window of download/execute files can be clickjacked because there is no secure time before click on the "ok" button (for download/execute).


Actual results:

the file is executed!


Expected results:

button "ok" is directly pressed!

    
    

    
  

      
      
      
      

        Attached file
          
        POC.html (obsolete)
        — 
      

    


  

    
  

        Attachment #805249 -
        Attachment mime type: text/plain → text/html

    
    

    
  
On my mac, I am prompted to download the file from the PoC when I mouseover the button. I can cancel the dialog and nothing is downloaded.

    
    

    
  
i can use onmousedown until onmousemove and when you doubleclick on the button they download and execute the file

    
    

    
  

      
      
      
      

        Attached file
          
        POC2.html (obsolete)
        — 
      

    


  
DOWNLOAD OPERA.DMG , COPY IT ON YOUR LOCALHOST AND USE POC2.HTML

    
  

        Attachment #805327 -
        Attachment mime type: text/plain → text/HTML

    
    

    
  

      
      
      
      

        Attached file
          
        POC2(part2).php (obsolete)
        — 
      

    


  
POC2(part2).php

    
  

        Attachment #805329 -
        Attachment description: test.php → POC2(part2).php

    
    

    
  

      
      
      
      

        Attached file
          
        FILE EXEC WITH DOUBLECLICK.mov (obsolete)
        — 
      

    


  

    
  

        Attachment #805236 -
        Attachment is obsolete: true

    
  

        Attachment #805249 -
        Attachment is obsolete: true

    
  

        Attachment #805329 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        POC2(part2).php (obsolete)
        — 
      

    


  

    
  

        Attachment #805327 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        POC2.html (obsolete)
        — 
      

    


  
you should download opera.dmg and copy it on your localhost and run poc2.html for doubleclick on the button.

    
  

        Attachment #805338 -
        Attachment mime type: text/plain → text/HTML

    
    

    
  
Why would I double-click on a web button?

    
    

    
  
look the video please

    
    

    
  
I did watch the video. Please answer my question. Why would anyone double-click on a web button on a web page? Sounds like a social engineering attack along with anything else, which will lower security severity.

    
    

    
  
yes it's like social Engineering attack

    
    

    
  
but it's not a low issue , double click that allow execute file is not low!
Flags: sec-bounty?
Whiteboard: [reporter-external]

    
    

    
  
Gavin: I thought these dialogs all had the security delay protection (500ms or whatever it was) to prevent just this kind of bug 162020 attack. (Not a new problem, that was filed in 2002).
Flags: needinfo?(gavin.sharp)

    
    

    
  
Why are we opening an executable file automatically? The worst this attack should be able to do for an "executable" file is click the "save" button. For some helper apps you can set things to "open" automatically, but that's not the default.

    
    

    
  
Felipe, can you investigate why the delay seems to not be working, and dveditz's question in comment 16?
Assignee: nobody → felipc

    
    

    
  
On a preliminary inspection, this doesn't appear to be running any unknown code automatically. What's happening is that it is triggering the default action for a .dmg, "open", with the DiskImageMounter app. And this .dmg has an embedded license, so it pops up the Accept License dialog before opening the file (this is the dialog seen on the video).  Or am I missing something?

I'll investigate why the delay is not working

    
  
Summary: Download/execute file clickjacking → Mac OS X Download/execute executable file clickjacking

    
    

    
  
this vulnerability can be used for UI Spoofing attack.

    
    

    
  
How when it requires a double click within a browser window? Sure, it opens the files but, as said in comment 19, it doesn't run code.

    
    

    
  
On Firefox 27 nightly build it's fixed the download dialog lead directly to save the file but not execute it.

    
    

    
  
I don't think we changed anything there... did you create a new profile, and maybe in your old one you had checked the "do this every time" box when you opened one?

    
    

    
  
There's still a problem here, though, because lots of users will change the default action to "open" on a variety of potentially dangerous/vulnerable file formats. Either the security dialog delay is missing or 250ms doesn't cut it, and we should fix it.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csec-spoof, 
          
            sec-low

    
    

    
  
I just verified that the delay does work, it's just too fast. It's even harder to notice it because the POC doesn't really do anything with the click, it uses the onmousemove event of the button to redirect the page and start the download.

onmousemove="document.location='http...

With that in mind, should the action here be to increase the interval of the button being disabled? I think 250ms is enough to prevent accidental double clicks that normal people do, but not to prevent a spoof situation like this where the attacker might instruct the user to click repeatedly or to start the download before the first click even happens..

    
    

    
  
(In reply to :Felipe Gomes from comment #25)
> With that in mind, should the action here be to increase the interval of the
> button being disabled?

Yeah, we should just make this obey security.dialog_enable_delay. Though that might require adjusting that value, since 2s seems like too long. For add-on install we effectively use security.dialog_enable_delay/2, IIRC?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        increase delay to 1sec (obsolete)
        — Splinter Review
      

    


  
There are two prefs that we could use

security.dialog_enable_delay = 2000
security.notification_enable_delay = 500

One seems to slow, and the other too quick.. So I'm using the security.dialog_enable_delay / 2 as suggested. Also it's the same pref used by CommonDialog.jsm the add-ons install, but in both places it does run for the full 2sec instead of half of it as you had thought

        Attachment #816183 -
        Flags: review?(gavin.sharp)

        Attachment #816183 -
        Attachment description: 916726 → increase delay to 1sec

    
    

    
  
(In reply to :Felipe Gomes from comment #27)
> security.dialog_enable_delay = 2000
> security.notification_enable_delay = 500
> 
> One seems to slow, and the other too quick.. So I'm using the
> security.dialog_enable_delay / 2 as suggested. Also it's the same pref used
> by CommonDialog.jsm the add-ons install, but in both places it does run for
> the full 2sec instead of half of it as you had thought

If 2s is too slow for this, isn't it too slow for CommonDialog.jsm too? I guess it doesn't matter much in practice, since BUTTON_DELAY_ENABLE isn't used anywhere except in tests. Feels like we should just lower it to 1000 and then use it directly here.

Also, let's use Services.prefs here instead of the old way.

        Attachment #816183 -
        Flags: review?(gavin.sharp) → review-

    
    

    
  


  
Lowered the delay to 1000ms. The original delay of 2s has been at that value from the beginning (https://bugzilla.mozilla.org/show_bug.cgi?id=162020#c38), i.e. there was not some consideration in the past that caused us to raise it to 2000ms. So I think lowering it to 1000ms is fine.

        Attachment #816183 -
        Attachment is obsolete: true

        Attachment #822069 -
        Flags: review?(gavin.sharp)

    
    

    
  
Comment on attachment 822069 [details] [diff] [review]
change delay to 1sec

Asking dveditz to sign off on the pref change, in case there are other concerns we haven't covered.

        Attachment #822069 -
        Flags: review?(gavin.sharp)

        Attachment #822069 -
        Flags: review+

        Attachment #822069 -
        Flags: feedback?(dveditz)

    
    

    
  
I'm much happier using the defined pref value and making it consistent than having some dialogs magically halve it. AFAIK the 2000 value is used for the XPinstall dialog, and I'm fine lowering that to a second.

Is this the same problem as bug 724353, or is that a separate implementation?

    
    

    
  
The dialog from bug 724353 (handling/dialog.xul) has a separate implementation which doesn't use this pref (it doesn't use any delays in fact), so this patch won't help bug 724353.

    
    

    
  
https://hg.mozilla.org/integration/fx-team/rev/70141743e2fa
Summary: Mac OS X Download/execute executable file clickjacking → Mac OS X Download "open file" clickjacking

    
    

    
  
are you sure that this vuln is low ? with the dmg file i can open a fake firefox window and with a double click i can execute an executable file (.pkg)
(look new video)

    
    

    
  

      
      
      
      

        Attached video
          
        new video.mov
      

    


  

        Attachment #805330 -
        Attachment is obsolete: true

    
    

    
  
landed on central -> https://hg.mozilla.org/mozilla-central/rev/70141743e2fa

          status-firefox28:
          --- → fixed
Flags: in-testsuite?
Target Milestone: --- → mozilla28

    
    

    
  
Updating the title as this dialog is not OSX specific.
Status: NEW → RESOLVED
Closed: 11 years ago
OS: Mac OS X → All
Resolution: --- → FIXED
Summary: Mac OS X Download "open file" clickjacking → Download "open file" dialog delay is too quick, doesn't prevent clickjacking

    
    

    
  
Comment on attachment 822069 [details] [diff] [review]
change delay to 1sec

This landed in 28, but it probably should be uplifted to 27 for good measure

[Approval Request Comment]
Bug caused by (feature/regressing bug #): not a regression
User impact if declined: it's easier to trick users into opening a download file
Testing completed (on m-c, etc.): landed on m-c
Risk to taking this patch (and alternatives if risky): the delay in the pref security.dialog_enable_delay (which add-on install uses) was reduced from 2000ms to 1000ms, because 2s was considered too long.  (And the fix for the bug increased the delay for the Save File dialog from 250ms to 1000ms)
String or IDL/UUID changes made by this patch: none

        Attachment #822069 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 822069 [details] [diff] [review]
change delay to 1sec

it's early in beta so let's take this and get user testing.

        Attachment #822069 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
where can i download the beta version of firefox which fixed this vuln?

    
    

    
  
i have found it , yes it's fixed , it's great !
Flags: sec-bounty? → sec-bounty+
Keywords: sec-lowsec-moderate

        Attachment #822069 -
        Flags: feedback?(dveditz)

    
    

    
  
- Else If the clickjacking method is fixed i have found a new vulnerability with the download/execute file box.

- Mozilla Firefox can execute a DMG file on Mac OS X and it's a bad way for the security because it's possible to show a fake firefox popup and with a doubleclick on this fake popup it's possible to execute a executable file (.pkg). 

- Can I Report a new bug for this?

    
    

    
  
Yes It's a bad way to the security, dmg file should be defined like dangerous file (like .pkg / .exe / .jar / etc ).

I go Report a new bug for this.
Whiteboard: [reporter-external] → [reporter-external][adv-main27+]
Alias: CVE-2014-1480
Group: core-security

    
  

        Attachment #805334 -
        Attachment is obsolete: true

    
  

        Attachment #805338 -
        Attachment is obsolete: true

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: