983857 - Risky .lnk file download/upload handling.

Status: RESOLVED DUPLICATE of bug 1773894

(Firefox :: File Handling, defect)

Description

[Jаmes Kettle]

Attachment: calc.lnk

If a user downloads a .lnk file (a windows shortcut), and then attempts to upload the same file, whatever the shortcut points to will be uploaded instead. Given a suitably cooperative user, this could be exploited to read a file from their computer. I've attached a poc, which will steal calc.exe if you're kind enough to download and upload it.

I think this is a fairly plausible attack, although I'd give it low/medium risk due to the heavy user interaction required. I don't think most users would expect there to be any security risks associated with uploading a file they've downloaded. I'd appreciate feedback on whether you view this as a security issue.

Chrome avoids the problem by converting the .lnk extension to .download

Comment 1

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

I would rate this as a low for two reasons"
1) Other than well known file names on systems the attacker would have to know the full name and file path to a particular file
2) (your reason) The attacker would have to convince the user to download the file then re-upload the same file.

It's likely that any user who would fall for this would upload just about any file you asked.

Comment 2

[Jаmes Kettle]

Can you make this report public? Thanks.

Comment 3

[:Gijs (he/him)]

Neil, I think this got fixed in bug 1773894, right?

Comment 4

[Neil Deakin]

Looks to be the same.