[dev] security issue running surf from home folder

From: Ben Woolley <tautolog_AT_gmail.com>
Date: Wed, 7 Jan 2015 10:56:07 -0800

Hi all,

Firstly, I would like to thank everyone for the surf browser. Its
simplicity is a thing of beauty, and working with it has been a pleasure. I
have added features easily, and its code is easy to audit, which means
security issues can be found and fixed easily, even by a random user like
me.

The config.def.h file has a define for DOWNLOAD that just opens up curl,
and surf.c calls DOWNLOAD without any prompting.

The situation is simple. If you launch surf from the home folder, a very
common and expected thing to do, then any website can either:
1. use an img src=".bashrc" to install a .bashrc file.
2. use javascript window.location.assign, possibly after a delay to exploit
it when you are away, installing a .bashrc file. (disabling javascript
fixes that case, but an HTTP redirect will do the same thing)

Basically, in several cases, surf will happily install a .bashrc file in
your home folder. And since the shell sucks in this way, and will execute
it on login even with the default umask that doesn't set the execute bit,
the next time you login with bash, the code will be executed.

A proof of concept is here:
http://benwoolley.org/exploit.html

Just run the following to install the .bashrc file
cd; surf http://benwoolley.org/exploit.html

To run it, just execute `bash` and you will see the following message
echoed:
Exploit succeeded!

A simple workaround is to simply launch surf outside of the home folder,
like, say, a download folder. For example, launch it with:
#!/bin/sh
mkdir -p ~/Downloads && cd ~/Downloads && surf "$@"

You can also change the DOWNLOAD define to cd into a particular download
folder before launching curl.

My first attachment is a patch that adds support for a download folder.

My second attachment is a patch that only initiates a DOWNLOAD call from
navigations from the top-most frame. That fixes the problem where random ad
network files will download automatically. I noticed that problem while
testing slashdot.org. I am not sure if that code actually fixes the img src
case, but it has fixed the one case I ran into.

I grouped these patches together because they all relate to issues with the
download mechanism. Other, unrelated patches are coming.

Thank you,

Ben
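A download helper in the spirit of the workaround above, added here as an illustration and not part of Ben's patches or of surf's own code: instead of a bare `curl -O`, which lets the URL choose the file name and writes into whatever directory surf was started from, the helper fixes the destination directory itself and never creates a dotfile, so a fetched `.bashrc` cannot land in the home folder. SURF_DOWNLOAD_DIR, safe_name and download are names assumed for this example.

```shell
#!/bin/sh
# Example download helper (not surf's code). Meant to be called from the
# DOWNLOAD define with the URL as its single argument.

# Fixed destination, independent of the directory surf was launched from.
DOWNLOAD_DIR="${SURF_DOWNLOAD_DIR:-$HOME/Downloads}"

# safe_name URL: print a file name derived from the URL's last path segment,
# with the query string and fragment dropped, directory parts dropped, and
# leading dots stripped so no hidden file such as .bashrc can be created.
# Anything empty or containing unusual characters falls back to "download".
safe_name() {
    url=$1
    name=${url%%\?*}            # drop ?query (and anything after it)
    name=${name%%#*}            # drop #fragment
    name=${name##*/}            # keep only the last path segment
    while [ "${name#.}" != "$name" ]; do
        name=${name#.}          # strip leading dots: ".bashrc" -> "bashrc"
    done
    case $name in
        ''|*[!A-Za-z0-9._-]*) name=download ;;
    esac
    printf '%s\n' "$name"
}

# download URL: fetch into DOWNLOAD_DIR under the sanitised name, adding a
# numeric suffix rather than overwriting a file that already exists.
download() {
    url=$1
    mkdir -p "$DOWNLOAD_DIR" || return 1
    base=$(safe_name "$url")
    dest=$DOWNLOAD_DIR/$base
    n=1
    while [ -e "$dest" ]; do
        dest=$DOWNLOAD_DIR/$base.$n
        n=$((n + 1))
    done
    # --output pins the destination; redirects (--location) cannot change it.
    curl --fail --location --output "$dest" -- "$url"
}

if [ $# -gt 0 ]; then
    download "$1"
fi
```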

Received on Wed Jan 07 2015 - 19:56:07 CET