Open Bug 267123 Opened 20 years ago Updated 2 years ago

[SA12979-2] File ext != Content-Type left intact when downloading

Categories

(Toolkit :: Downloads API, defect)

x86
Windows XP
defect

People

(Reporter: BenB, Unassigned)

Details

(Keywords: fixed-aviary1.0.1, fixed1.7.6, sec-low, Whiteboard: [sg:low][fixed for "executable" types])

Attachments

(1 file)

From tk@ Secunia:

The "Content-Type" header is used for associating a file to a file type in the
file download dialog, but the file extension is left intact when saving the file
to disk with "Save to Disk". This can be exploited to spoof file types in the
file download dialog.

Successful exploitation can lead to malware being saved to the download
directory which by default is the desktop.

NOTE: If the downloaded malware is a shortcut or some executable file, then the
icon can be spoofed in the download manager and on the desktop.

-- Example/PoC Windows Platform --
NOTE: Requires PHP support.

SA12979.zip/2a/poc.php
Choose "Save to Disk" and press "OK". A .bat file is written to the desktop.

SA12979.zip/2b/poc.php
Choose "Save to Disk" and press "OK". The attached shortcut (.lnk) file with a
spoofed icon is written to the desktop and is also available via the download
manager.
NOTE: The PoC requires that the content-type "movie/avi" is not set to
automatically open.
Proof of Concept is in the ZIP file
<https://bugzilla.mozilla.org/attachment.cgi?id=164157&action=view>
Oops, forgot to check the security flag, sorry. Please keep the previous confidential.
Group: security
Flags: blocking-aviary1.0?

Andreas Sandblad (as@ Secunia) is the bug finder.

This was fixed with the patch at bug 267122. Noting the fixed-aviary status for
this bug.
Flags: blocking-aviary1.0?
Keywords: fixed-aviary1.0

Should this regress, it should block aviary
Flags: blocking-aviary1.0?
Flags: blocking-aviary1.0?

I still see this behaviour on Firefox 1.0 if space+dot+space is added to the
Content-Disposition header (inside the filename argument). Windows will trim all
appending spaces and dots before saving a file.

Attaching new PoC (same instructions) for Firefox 1.0 (Windows).
Changes: Appended space+dot+space to work for Firefox 1.0.
Blocks: 275441
Whiteboard: [sg:fix] need trunk?

Need the new variant (comment 7) fixed for 1.0.1, only partially fixed in 1.0
Flags: blocking-aviary1.1?
Whiteboard: [sg:fix] need trunk? → [sg:fix] need trunk? partially fixed-aviary1.0
Flags: blocking-aviary1.1? → blocking-aviary1.1+

For internal folk, the test case is available at http://pine/sa. Still looks
broken with Aviary 1.0.1 build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.6) Gecko/20050221 Firefox/1.0.1

I'm not sure bug 267122 is completely fixed and both test cases here still allow
me to save the .bat and .lnk files to my machine.  Shouldn't they be saved as
".gif" and  ".avi" files? If anyone else can confirm my observations, that will
be great.  Thanks.

Looks like this missed the 1.0.1 train, but we need to take a look at all these
variants to see how to fix them (and test them).  Removing fixed-aviary1.0.1
keyword.
Keywords: fixed-aviary1.0

This bug is fixed on the Aviary branch and trunk--for executable types. The
"partial fix" referenced in the whiteboard is because the extension re-writing
only happens for files detected as executables; non-executables can still show
as one type in the dialog and be opened with a completely different application.

That means every time a new exploit is announced for a default helper app our
users are vulnerable to being fooled ("see the Paris Hilton video!!!") until
they upgrade that app. Why don't we just rewrite the extension for registered
MIME types all the time on windows?
Whiteboard: [sg:fix] need trunk? partially fixed-aviary1.0 → [sg:fix] partially fixed-aviary1.0
Whiteboard: [sg:fix] partially fixed-aviary1.0 → [sg:fix] partially fixed-aviary1.0 and trunk
Group: security
Flags: blocking-aviary1.5+
Whiteboard: [sg:fix] partially fixed-aviary1.0 and trunk → [sg:investigate] partially fixed
QA Contact: ali → download.manager
Assignee: bugs → nobody
Product: Firefox → Toolkit
Whiteboard: [sg:investigate] partially fixed → [sg:low][fixed for "executable" types]
Attachment #168128 - Attachment mime type: application/octet-stream → application/java-archive
Severity: normal → S3
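The mitigation argued for above (rewrite the saved extension from the declared MIME type for every registered type, not only for executable types, after applying the trailing space-and-dot trimming that the comment 7 variant relies on), as an added example that is not part of this bug or of Firefox's own download code. The MIME-to-extension table and the dangerous-extension list are constructed stand-ins for the platform registry; only the plain `filename=` parameter is parsed.

```python
import os
import re

# Constructed stand-in for the platform MIME registry; a browser would query
# the OS instead. "movie/avi" is the type used by the PoC in this bug.
MIME_EXTENSIONS = {
    "image/gif": {".gif"},
    "movie/avi": {".avi"},
    "application/pdf": {".pdf"},
}

# Extensions Windows will execute or follow regardless of the claimed type.
DANGEROUS_EXTENSIONS = {".bat", ".cmd", ".exe", ".lnk", ".pif", ".scr"}


def parse_content_disposition_filename(header):
    """Return the raw filename parameter (quoted or bare); RFC 5987 filename* is ignored."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;]+))', header, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def normalize_for_windows(name):
    """Keep only the last path component and strip trailing spaces and dots,
    which Win32 drops silently before creating the file (the comment 7 variant)."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(" .")


def choose_save_name(content_type, content_disposition):
    """Return (filename to save, True if the sender's extension was executable).

    If the extension disagrees with the declared MIME type, the registered
    extension is appended so the file opens with the handler shown in the dialog.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    raw = parse_content_disposition_filename(content_disposition or "") or ""
    name = normalize_for_windows(raw) or "download"
    ext = os.path.splitext(name)[1].lower()
    executable = ext in DANGEROUS_EXTENSIONS
    allowed = MIME_EXTENSIONS.get(mime)
    if allowed is None or ext in allowed:
        # Extension already matches, or the type is unregistered and there is
        # nothing to rewrite to; the caller should still warn when `executable`.
        return name, executable
    return name + sorted(allowed)[0], executable
```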