Opened 21 months ago

Last modified 3 weeks ago

#18101 needs_revision defect

IP leak from Windows UI dialog with URI

Reported by: uileak
Owned by: arthuredelstein
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-disk-leak, tbb-proxy-bypass, TorBrowserTeam201710
Cc: gk, mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It is possible for the client IP to leak from the browser and onto the network via the Windows API when prompted with a Windows dialog box to select files.

Not entirely sure if this is a bug, but should at least be documented.

Steps to reproduce:

  1. Visit a website that provides an upload box.
  2. Instead of selecting a file, paste a URI as a file name.
  3. The IP is leaked.

This may potentially work with Ctrl+O (Open File) and Ctrl+S (Save Page As).

Tested on Windows 7 and verified with Wireshark.

Change History (60)

comment:1 Changed 21 months ago by uileak

Priority: Medium → High

comment:2 Changed 21 months ago by cypherpunks

Keywords: ip-leak added; IP leak removed
Version: Tor: unspecified

comment:3 Changed 21 months ago by cypherpunks

Keywords: tbb-proxy-bypass added

comment:4 Changed 21 months ago by cypherpunks

Seems like it is an undocumented (?) but well-known feature for Windows Vista+

Possible workarounds (need to check if they actually work and are useful):

  1. To use file picker's code for old Windows. See comment:8
  2. To remove "File name" edit box by IFileDialogCustomize::RemoveControlItem
  3. To filter user input by OnFileOk (nsFilePicker::OnFileOk)
Last edited 21 months ago by cypherpunks
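
Workaround 3 above (filtering the typed name in OnFileOk) comes down to deciding whether the "File name" text is a filesystem path or a URI. The following is an added sketch of that check, not code from this ticket, its patches or Firefox; `classify_file_name` and `should_reject` are hypothetical names, and rejecting every multi-letter scheme is an assumed policy.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// What the text typed into a file dialog's "File name" box looks like.
enum class NameKind { LocalPath, DriveLetterPath, UriWithScheme };

// Classify input using the RFC 3986 scheme grammar:
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// A one-letter "scheme" is treated as a Windows drive letter (C:\...),
// so ordinary absolute paths are not mistaken for URIs.
NameKind classify_file_name(const std::string& input) {
    std::size_t i = 0;
    while (i < input.size() && std::isspace(static_cast<unsigned char>(input[i])))
        ++i;                                   // ignore leading whitespace
    const std::size_t start = i;
    if (i >= input.size() || !std::isalpha(static_cast<unsigned char>(input[i])))
        return NameKind::LocalPath;            // a scheme must start with a letter
    ++i;
    while (i < input.size()) {
        const unsigned char c = static_cast<unsigned char>(input[i]);
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.') ++i;
        else break;
    }
    if (i >= input.size() || input[i] != ':')
        return NameKind::LocalPath;            // no "scheme:" prefix at all
    return (i - start == 1) ? NameKind::DriveLetterPath : NameKind::UriWithScheme;
}

// Assumed policy: refuse anything that parses as "scheme:", so the dialog
// never hands a URL to the system shell to fetch.
bool should_reject(const std::string& input) {
    return classify_file_name(input) == NameKind::UriWithScheme;
}

int main() {
    // Constructed sample inputs.
    const char* samples[] = {"http://example.com/logo.png",
                             "C:\\Users\\a\\file.txt", "report.txt"};
    for (const char* s : samples)
        std::cout << s << " -> " << (should_reject(s) ? "reject" : "allow") << "\n";
    return 0;
}
```

The check is deliberately conservative: a name such as `report.txt:stream` also parses as a scheme and is rejected.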

comment:5 Changed 21 months ago by gk

Cc: gk added
Keywords: TorBrowserTeam201601 added
Severity: Normal → Major

comment:6 Changed 21 months ago by cypherpunks

More info about another OS/managers:

Gnome Open File dialog used in Ubuntu doesn't support this feature, however, the File Open dialog used in KDE is able to open HTTP URLs. I'm not sure what is the situation with support in other desktop environments that run on Ubuntu.
Just tested this in KDE - indeed, it works in KDE just fine. Nice, I didn't know about this feature.

comment:7 Changed 21 months ago by cypherpunks

Gtk disallows URLs by default.

comment:8 Changed 21 months ago by cypherpunks

To use file picker's code for old Windows

Tested those deprecated APIs; it works but is useless. It launches the download anyway.

comment:9 Changed 21 months ago by teor

OS X used to allow URLs in some contexts, but now (10.11) appears to disallow URLs in open dialogs.

comment:10 Changed 21 months ago by cypherpunks

feature for Windows Vista+

Since Windows XP

comment:11 Changed 21 months ago by cypherpunks

In Soviet Mozilla file uploads you.

comment:12 Changed 21 months ago by cypherpunks

Reverting this should be about fix this bug?

comment:13 Changed 21 months ago by cypherpunks

Thus API involved leaks could be fixed in general by setting proxy per process at start. (by InternetSetOption from urlmon.dll with INTERNET_OPTION_PROXY option with defined INTERNET_PROXY_INFO structure, to /dev/null)

comment:14 Changed 21 months ago by cypherpunks

Thus API involved leaks could be fixed in general by setting proxy per process at start.

This approach alone still leaves disk traces (it writes some information to IE's cache). A fix shouldn't leave any leaks. The proxy option could still be helpful for some as-yet-unknown API-involved leaks, as proactive protection (tbb-disk-leak < tbb-proxy-bypass)

comment:15 Changed 21 months ago by gk

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201601 removed

Putting stuff on the radar for February.

comment:16 Changed 21 months ago by gk

Keywords: GeorgKoppen201602 added

comment:17 Changed 20 months ago by gk

Keywords: GeorgKoppen201603 added; GeorgKoppen201602 removed

comment:18 Changed 20 months ago by gk

Keywords: TorBrowserTeam201603 added; TorBrowserTeam201602 removed

comment:19 Changed 19 months ago by gk

Keywords: GeorgKoppen201604 added; GeorgKoppen201603 removed

comment:20 Changed 19 months ago by gk

Keywords: TorBrowserTeam201604 added; TorBrowserTeam201603 removed

comment:21 Changed 18 months ago by gk

Keywords: TorBrowserTeam201605 added; TorBrowserTeam201604 removed

Moving tickets

comment:22 Changed 18 months ago by gk

Keywords: GeorgKoppen201605 added; GeorgKoppen201604 removed

Moving things for me to May.

comment:23 Changed 17 months ago by gk

Keywords: GeorgKoppen201606 added; GeorgKoppen201605 removed

comment:24 Changed 17 months ago by gk

Keywords: TorBrowserTeam201606 added; TorBrowserTeam201605 removed

comment:25 Changed 17 months ago by gk

Owner: changed from tbb-team to gk
Status: new → assigned

comment:26 Changed 16 months ago by gk

Keywords: GeorgKoppen201607 added; GeorgKoppen201606 removed

Moving my tickets

comment:27 Changed 16 months ago by gk

Keywords: TorBrowserTeam201607 added; TorBrowserTeam201606 removed

comment:28 Changed 15 months ago by gk

Keywords: TorBrowserTeam201608 added; TorBrowserTeam201607 removed

Moving items to August 2016.

comment:29 Changed 15 months ago by gk

Keywords: GeorgKoppen201608 added; GeorgKoppen201607 removed

Moving my tickets as well.

comment:30 Changed 14 months ago by gk

Keywords: GeorgKoppen201609 added; GeorgKoppen201608 removed

Moving my tickets

comment:31 Changed 14 months ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:32 Changed 13 months ago by gk

Keywords: GeorgKoppen201610 added; GeorgKoppen201609 removed

Moving my tickets

comment:33 Changed 13 months ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving tickets to October.

comment:34 Changed 12 months ago by gk

Keywords: GeorgKoppen201611 added; GeorgKoppen201610 removed

Moving my tickets to November.

comment:35 Changed 12 months ago by gk

Keywords: TorBrowserTeam201611 added; TorBrowserTeam201610 removed

Moving tickets over to November.

comment:36 Changed 11 months ago by gk

Keywords: GeorgKoppen201612 added; GeorgKoppen201611 removed

Moving my tickets

comment:37 Changed 10 months ago by gk

Keywords: GeorgKoppen201701 added; GeorgKoppen201612 removed

comment:38 Changed 10 months ago by gk

Keywords: TorBrowserTeam201701 added; TorBrowserTeam201611 removed

comment:39 Changed 9 months ago by gk

Keywords: TorBrowserTeam201702 added; TorBrowserTeam201701 removed

Moving our tickets to Feb 2017.

comment:40 Changed 9 months ago by gk

Keywords: GeorgKoppen201702 added; GeorgKoppen201701 removed

Moving my tickets as well

comment:41 Changed 8 months ago by elisebenine

Could it be something related to the browser's File API? Noticed the same on http://internetvergelijken.nl/ today.

comment:42 Changed 3 months ago by gk

Keywords: TorBrowserTeam201708 GeorgKoppen201708 added; TorBrowserTeam201702 GeorgKoppen201702 removed
Priority: High → Very High

comment:43 Changed 2 months ago by arthuredelstein

Keywords: GeorgKoppen201708 removed
Owner: changed from gk to arthuredelstein

comment:45 Changed 2 months ago by arthuredelstein

Here's a patch that blocks the use of remote URLs in the open file dialog on Windows:

https://github.com/arthuredelstein/tor-browser/commit/18101

(It essentially reverses the change in https://bugzilla.mozilla.org/show_bug.cgi?id=711654.)

comment:46 Changed 2 months ago by arthuredelstein

Keywords: TorBrowserTeam201708R added; TorBrowserTeam201708 removed
Status: assigned → needs_review

comment:47 Changed 2 months ago by arthuredelstein

I should mention, in the patch in comment:46, I use perfmon /res to confirm that no network requests were made. Without the patch, in unpatched Tor Browser, I see a network request corresponding to the remote URL entered in the open dialog box.

comment:48 Changed 2 months ago by gk

Status: needs_review → needs_information

Arthur: What do we want to do for XP (see comment:10)? And could you verify that other Tor Browser platforms are unaffected? comment:7 seems to point this out for Linux. See comment:9 for macOS.

comment:49 in reply to:  48 ; Changed 8 weeks ago by arthuredelstein

Status: needs_information → needs_review

Replying to gk:

Answering questions in reverse order:

And could you verify that other Tor Browser platforms are unaffected? comment:7 seems to point this out for Linux. See comment:9 for macOS.

Here's a patch that covers all platforms:
https://github.com/arthuredelstein/tor-browser/commit/18101+2

Unfortunately, I haven't yet been able to test these on old Linux and macOS platforms. The current platforms on desktops I tested (XFCE, KDE, macOS) do not show a text box in the Open Dialog. Once I have builds ready, I will post them on this ticket so that people can test on old Mac/Linux platforms if they have them.

Arthur: What do we want to do for XP (see comment:10)?

I am inclined to treat this problem as wontfix, because XP is deprecated by Microsoft and is expected to be deprecated in September by Mozilla as well. I did spend a little time looking into the problem but I don't see a quick solution.

comment:50 in reply to:  49 Changed 8 weeks ago by teor

Replying to arthuredelstein:

Unfortunately, I haven't yet been able to test these on old Linux and macOS platforms. The current platforms on desktops I tested (XFCE, KDE, macOS) do not show a text box in the Open Dialog

I can find 3 text boxes in the macOS 10.12 Open Dialog:

  • command-shift-G shows the "Go to the folder" dialog, but doesn't seem to allow URLs
  • the share button (square with upward arrow) allows loading arbitrary share extensions, which can access the network, but they require user action
  • the search field queries the local spotlight database, and stores anything typed into it in the find pasteboard and shares it with other apps (#14139)

comment:51 Changed 8 weeks ago by cypherpunks

Keywords: tbb-disk-leak added; ip-leak removed

Why is so much attention being paid for this NOTABUG? Feature was requested and discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=711654. Pros and cons are well known for years.
Is this ticket about protection for noobs who can't distinguish between shell and browser? If so, shouldn't we make this feature obey TBB's design requirements? Something like "Firefox should handle URLs (instead of system shell)".
What is needed to pass URLs to Firefox, FOS_ALLNONSTORAGEITEMS and FOS_SUPPORTSTREAMABLEITEMS (with FOS_FORCEFILESYSTEM removed), from https://msdn.microsoft.com/en-us/library/windows/desktop/dn457282(v=vs.85).aspx?
There is no IP leak or proxy bypass. But there is tbb-disk-leak.

Last edited 6 weeks ago by cypherpunks

comment:52 Changed 7 weeks ago by gk

Keywords: TorBrowserTeam201709R added; TorBrowserTeam201708R removed

Moving reviews to September.

comment:53 in reply to:  51 Changed 6 weeks ago by gk

Replying to cypherpunks:

Is this ticket about protection for noobs who can't distinguish between shell and browser? If so, shouldn't we make this feature obey TBB's design requirements? Something like "Firefox should handle URLs (instead of system shell)".

I am fine opening a follow-up ticket for that idea - after we plugged that hole in this ticket.

comment:54 in reply to:  49 Changed 6 weeks ago by gk

Cc: mcs brade added
Status: needs_review → needs_revision

Replying to arthuredelstein:

Replying to gk:

Answering questions in reverse order:

And could you verify that other Tor Browser platforms are unaffected? comment:7 seems to point this out for Linux. See comment:9 for macOS.

Here's a patch that covers all platforms:
https://github.com/arthuredelstein/tor-browser/commit/18101+2

Unfortunately, I haven't yet been able to test these on old Linux and macOS platforms. The current platforms on desktops I tested (XFCE, KDE, macOS) do not show a text box in the Open Dialog. Once I have builds ready, I will post them on this ticket so that people can test on old Mac/Linux platforms if they have them.

I built my own bundles and this was a PITA to test. I can confirm that the patch for Linux fixes the problem and it looks good to me. After trying to reproduce the problem for quite a while I wrote custom extension code using the example on https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIFilePicker but with modSave (this is important, I could not find a way to reproduce the issue and test the fix with modOpen) and, obviously, nsIFilePicker.filterAllowURLs added to the filters.

Arthur/Mark/Kathy: that might be a way to test the fix on a Mac as well (which I don't have atm).

With the patch for Windows I still see DNS leaks. Here is what I did:

1) Open the patched Tor Browser
2) Go to https://bugs.torproject.org/18101
3) Copy the URL of the Tor logo
4) Open https://bug711654.bmoattachments.org/attachment.cgi?id=582460 in a new tab
5) Start Wireshark
6) Click on the "Browse" button and paste the URL for the Tor logo and click on "Open"
7) Wait a while and a DNS query for trac.torproject.org will be in the Wireshark log.

Marking this as needs_revision for this problem. Arthur, let me know whether you can reproduce that. This happens on a Windows 7 machine (in case that matters).

Arthur: What do we want to do for XP (see comment:10)?

I am inclined to treat this problem as wontfix, because XP is deprecated by Microsoft and is expected to be deprecated in September by Mozilla as well. I did spend a little time looking into the problem but I don't see a quick solution.

Well, we certainly would take a patch if someone came up with one. So, let's open a follow-up ticket for that case and set ff59-esr-will-have as keyword once we are done here.

comment:55 Changed 6 weeks ago by gk

Keywords: TorBrowserTeam201709 added; TorBrowserTeam201709R removed

comment:56 Changed 5 weeks ago by arthuredelstein

Keywords: TorBrowserTeam201709R added; TorBrowserTeam201709 removed
Status: needs_revision → needs_review

Thanks for the review, gk. Here's a patch for the Linux fix only, in case we want to put that into the alpha. I'll be testing Mac next by Georg's method and then go back to Windows.

https://github.com/arthuredelstein/tor-browser/commit/18101_linux

Last edited 5 weeks ago by arthuredelstein

comment:57 Changed 5 weeks ago by gk

Looks still good to me. mcs/brade: Could you have a second look? I'd like to get that one included into the upcoming alphas.

comment:58 in reply to:  57 ; Changed 5 weeks ago by mcs

Replying to gk:

Looks still good to me. mcs/brade: Could you have a second look? I'd like to get that one included into the upcoming alphas.

r=brade,r=mcs
The patch from comment:56 looks good to us.

comment:59 in reply to:  58 Changed 5 weeks ago by gk

Keywords: TorBrowserTeam201709 added; TorBrowserTeam201709R removed
Status: needs_review → needs_revision

Replying to mcs:

Replying to gk:

Looks still good to me. mcs/brade: Could you have a second look? I'd like to get that one included into the upcoming alphas.

r=brade,r=mcs
The patch from comment:56 looks good to us.

Thanks. Pushed this as commit eb7cb8fe69de4ca08b8aa2ece0faeb7ea6217004 and setting the status back to needs_revision.

comment:60 Changed 3 weeks ago by gk

Keywords: TorBrowserTeam201710 added; TorBrowserTeam201709 removed

Items for October 2017
