Bug 920515 (CVE-2013-5598)

pdf.js iframe injection allows sites to load local files or even chrome privileged pages into an iframe

VERIFIED FIXED in Firefox 25

Status

()

Firefox
PDF Viewer
VERIFIED FIXED
4 years ago
3 years ago

People

(Reporter: Cody Crews, Assigned: yury)

Tracking

({csectype-priv-escalation, regression, sec-high})

23 Branch
Firefox 27
x86_64
Windows 7
csectype-priv-escalation, regression, sec-high
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox24 wontfix, firefox25+ verified, firefox26+ verified, firefox27+ verified, firefox-esr17 unaffected, firefox-esr24+ verified, b2g18 unaffected)

Details

(Whiteboard: [reporter-external][adv-main25+][adv-esr24-1+] https://github.com/mozilla/pdf.js/pull/3735)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Created attachment 809860 [details]
mapLocalFiles.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130814063812

Steps to reproduce:

I created and added an embed element to the document of a page initially setting the src attribute for the embed to 'data:application/pdf,'.  This triggers the pdfjs implementation and begins to load it to preview the plugin.  Immediately after I created an iframe element and appended it as a child of the embed element.  Normally when previewing a pdf as a plugin, an anonymous iframe is created as a child of the embed element, but apparently any iframe that is a child of the embed element will behave as if bound to it for previewing.  At this point all that is required is to change the src attribute of the embed element to whatever file(local or chrome privileged) that you want to load and then change the location of iframe.contentWindow like so:

iframe.contentWindow.location = 'data:application/x-moz-playpreview-pdfjs;,';

This triggers code in PdfRedirector.js that is part of the pdfjs implementation, which checks the src attribute of the embed element and loads it into the frame as if it were a pdf document.


Actual results:

A local file was loaded into the iframe.  Using this technique with canvas to get an image of the page or just trying to access iframe.contentWindow.location.href and catching the error from that, a person could either read the content of local files, or at least confirm their existence.

A few extra notes on this, I think this has been possible since its been possible to load the new pdfjs implementation as a plugin, its confirmed to work all the way up to the newest nightly and a few other dated installs as well.  I just discovered this yesterday, and I spent all the time I could spare trying to find ways to load up a chrome xul document and somehow achieve script injection into it.  I'm sure that it's possible, but I don't have as much time as I've had before to sink into this, and since this is serious enough to have me worried, I went this route this morning.  I really wanted that proper calc poc, and although this is nice its just not the same =/


Expected results:

Since PdfRedirector.js is running with full chrome privileges, it should have a check before loading any data to make sure that the data is expected, and of the right type.  If this is not the case it should cease loading and throw an exception.
(Reporter)

Updated

4 years ago
Attachment #809860 - Attachment mime type: text/plain → text/html

Updated

4 years ago
Component: Untriaged → PDF Viewer
Keywords: csec-priv-escalation, sec-high
Summary: Its possible to load local files or even chrome privileged pages into an iframe → pdf.js iframe injection allows sites to load local files or even chrome privileged pages into an iframe

Updated

4 years ago
status-firefox24: --- → affected
status-firefox25: --- → affected
status-firefox26: --- → affected
status-firefox27: --- → affected
tracking-firefox25: --- → ?
tracking-firefox26: --- → ?
tracking-firefox27: --- → ?
Whiteboard: [reporter-external]
(Assignee)

Comment 1

4 years ago
Looks like https://bugzilla.mozilla.org/show_bug.cgi?id=914667#c1 will solve this issue as well

Updated

4 years ago
tracking-firefox25: ? → +
tracking-firefox26: ? → +
tracking-firefox27: ? → +
(Assignee)

Comment 2

4 years ago
Dave, could you review changes to the pdf.js extension at https://github.com/mozilla/pdf.js/pull/3735? If they are sufficient to address this issue as well.
Flags: needinfo?(dtownsend+bugmail)
(In reply to Yury Delendik (:yury) from comment #2)
> Dave, could you review changes to the pdf.js extension at
> https://github.com/mozilla/pdf.js/pull/3735? If they are sufficient to
> address this issue as well.

r=me. Can we get a test for this case?
Flags: needinfo?(dtownsend+bugmail)
(Reporter)

Comment 4

4 years ago
Can we get this nominated for sec-bounty?  I assumed it already would be ;-)  thanks.

Updated

4 years ago
Flags: needinfo?(curtisk)
Flags: sec-bounty?
Status: UNCONFIRMED → NEW
Ever confirmed: true
:mccr8 made the nom
Flags: needinfo?(curtisk)
Also there are so many bugs and we can't always track who is a contributor (that might be ineligible for a bounty) and who is not, for this reason we have this ask in the FAQ for bounties:

> Bug reporting
> Once I have found a vulnerability, what next?
> Please file a bug describing the security bug. The security check-box should also be checked when filing > the bug. Further details on the security check-box can be found here.
> We also ask that you notify the Mozilla Security Group by email and include the bug number and a brief 
> summary.
(Reporter)

Comment 7

4 years ago
(In reply to Curtis Koenig [:curtisk] from comment #6)
> Also there are so many bugs and we can't always track who is a contributor
> (that might be ineligible for a bounty) and who is not, for this reason we
> have this ask in the FAQ for bounties:
> 
> > Bug reporting
> > Once I have found a vulnerability, what next?
> > Please file a bug describing the security bug. The security check-box should also be checked when filing > the bug. Further details on the security check-box can be found here.
> > We also ask that you notify the Mozilla Security Group by email and include the bug number and a brief 
> > summary.

I apologize for that, and I did know that is the the standard procedure.  Usually I CC bholley and from there the higher powers that be take over lol.  You guys had picked this one up and were already working on it by the time I could toggle the testcase type from text/plain to text/html so I didnt want to step on your toes, sorry all around.
codyc, no worries I just wanted to be informative and helpful, this is great work and we're happy to evaluate it for the program. Thanks for working with us.
Flags: sec-bounty? → sec-bounty+
(Reporter)

Comment 10

4 years ago
Thanks guys, this is bug is relates to bug 911864.  I found it while working on that, and there's still more to found in relation to that bug I think too, but maybe not quite like this.
(Reporter)

Comment 11

4 years ago
(In reply to codyc from comment #10)
> Thanks guys, this is bug is relates to bug 911864. 

should be this bug relates.
Can we get an assignee set on this bug? Unclear who's working on this at this point, and bug 914667 also lacks an assignee.
Flags: needinfo?(bdahl)
This should be fixed in nightly by bug 922693. I believe Yury is planning on adding a test and uplifting.
Assignee: nobody → ydelendik
Depends on: 922693
Flags: needinfo?(bdahl)
Whiteboard: [reporter-external] → [reporter-external]https://github.com/mozilla/pdf.js/pull/3735
(Assignee)

Comment 14

4 years ago
Created attachment 818789 [details] [diff] [review]
Fix for the beta, aurora, m-c (landing with bug 914667)

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not trivial, the patch also addresses issue created by bug 738967

Do comments in the patch, the check-in comment, or tests included in the patch  paint a bulls-eye on the security problem?
Test for the security will be included later with this bug

Which older supported branches are affected by this flaw?
Since Firefox 22

If not all supported branches, which bug introduced the flaw?
bug 738967

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Approvals for beta and aurora are pending for bug 914667

How likely is this patch to cause regressions; how much testing does it need?
Low risk and limited to the functionality introduced by bug 738967
Attachment #818789 - Flags: sec-approval?
status-firefox24: affected → wontfix
Comment on attachment 818789 [details] [diff] [review]
Fix for the beta, aurora, m-c (landing with bug 914667)

sec-approval for trunk. I'll approve it for Aurora. I'm not sure if we can take this on Beta at this point in the cycle.
Attachment #818789 - Flags: sec-approval? → sec-approval+
This affects ESR24 too and we'll need to get it there, at least by the time Firefox 26 ships with the fix.
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → affected
tracking-firefox-esr24: --- → ?
I want Release Management input about taking this and bug 914667 on Beta or not (and ESR24).
Flags: needinfo?(release-mgmt)
Approved bug 914667 for beta since this seems like a good security win with low risk on landing, we'll need uplift nomination on the patch here for beta, aurora, and esr24
Flags: needinfo?(release-mgmt)

Updated

4 years ago
status-firefox25: affected → wontfix
Fixed by bug 914667, changing status flag to match
status-firefox25: wontfix → fixed
Setting ESR24 to fixed since bug 914667 fixed ESR24 as well.
status-firefox-esr24: affected → fixed
Whiteboard: [reporter-external]https://github.com/mozilla/pdf.js/pull/3735 → [reporter-external][adv-main25+][adv-esr24-1+] https://github.com/mozilla/pdf.js/pull/3735
Alias: CVE-2013-5598
Confirmed issue on FF27, 2013-09-25.
Verified fixed on 24esr, 25, 26, 27, 2013-10-21.

Let's get a test checked in for this. :)
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox25: fixed → verified
status-firefox26: affected → verified
status-firefox27: affected → verified
status-firefox-esr24: fixed → verified
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED

Comment 22

4 years ago
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
status-b2g18: --- → unaffected
tracking-firefox-esr24: ? → +
Target Milestone: --- → Firefox 27
Blocks: 738967
Keywords: regression
I believe this issue is now publically discussed in http://www.mozilla.org/security/announce/2013/mfsa2013-99.html, right?
(In reply to Bill Walker [:bwalker] [@wfwalker] from comment #23)
> I believe this issue is now publically discussed in
> http://www.mozilla.org/security/announce/2013/mfsa2013-99.html, right?

Yes, that's why the link at the bottom of the document comes here. :-) We won't open the bug, itself, for a while though.
(Assignee)

Comment 25

4 years ago
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5598 lists extra configurations that not affected by bug 738967. So vulnerable Firefox versions are 22, 23, and 24.
(Assignee)

Updated

3 years ago
Depends on: 1015636
Group: core-security
You need to log in before you can comment on or make changes to this bug.