/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fragile security of qvm-open-in-{vm,dvm}: accidentaly sandboxed XSS #1462

Closed
v6ak opened this Issue Nov 28, 2015 · 14 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 3.0 updates
3 participants
@v6ak @marmarek @adrelanos
@v6ak

v6ak commented Nov 28, 2015

I've found a XSS that has probably no impact (i.e. many prerequisities and nothing gained today), but I feel it is not a good practice.

When I try to open an URL, it is wrapped to a HTML page using /usr/lib/qubes/wrap-in-html-if-url.sh . When an application passes a bad URL to it, it may cause a XSS in the HTML page. The page is opened in a file:// context, which implies different cross-origin-policies for different browser:

  • Chrome: seems to disallow reading any arbitrary file. (Determined by experiments, not from the documentation.)
  • Firefox: seems to disallow reading a file outside of the page's directory. (Determined by experiments, not from the documentation.)

Fortunately, the file is located in /tmp/<vm name>/, so the attacker should not be able to read DVM's files. However, you will probably agree that this is somehow fragile.

Attack variants:
a. HTML injection: URL might look like https://www.google.com/?q="><script>alert(location)</script>. This starts innocently and is likely to pass through many filters.
b. JS scheme like javascript://%0d%0aalert(location) . This does not look so innocent (and apps should arguably not allow that), but still IMHO worth of preventing.

Preventions:

a. Reject any invalid characters from the URL. (One still should escape the & at least…)
b. Escape it. (I also suggest adding content-type meta tag to the document and sanitizing the utf-8 in such case.)

@v6ak v6ak referenced this issue Dec 4, 2015

Closed

qvm-open-in-vm opens URLs in non-default browser #1487

@marmarek marmarek added bug C: core P: major labels Jan 6, 2016

@marmarek marmarek added this to the Release 3.0 updates milestone Jan 6, 2016

@marmarek marmarek closed this in marmarek/old-qubes-core-agent-linux@ff2678d May 18, 2016

marmarek added a commit to marmarek/old-qubes-core-agent-linux that referenced this issue May 18, 2016

@marmarek
Implement qubes.OpenURL service instead of wrapping URLs in HTML 
This have many advantages:
 - prevent XSS (QubesOS/qubes-issues#1462)
 - use default browser instead of default HTML viewer
 - better qrexec policy control
 - easier to control where are opened files vs URLs

For now allow only http(s):// and ftp:// addresses (especially prevent
file://). But this list can be easily extended.

QubesOS/qubes-issues#1462
Fixes QubesOS/qubes-issues#1487
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
1992127

marmarek added a commit to QubesOS/qubes-core-agent-linux that referenced this issue Jun 25, 2016

@marmarek
qvm-open-in-vm: escape URL when wrapping it in HTML 
Thanks @v6ak for the report and solution.

Fixes QubesOS/qubes-issues#1462

(cherry picked from commit ff2678d)
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
8b89bff
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 25, 2016

Member

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc21 has been pushed to the r3.1 testing repository for the Fedora fc21 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update
Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc21 has been pushed to the r3.1 testing repository for the Fedora fc21 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update

@marmarek marmarek added the r3.1-fc21-cur-test label Jun 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 25, 2016

Member

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc22 has been pushed to the r3.1 testing repository for the Fedora fc22 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update
Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc22 has been pushed to the r3.1 testing repository for the Fedora fc22 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update

@marmarek marmarek added the r3.1-fc22-cur-test label Jun 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 25, 2016

Member

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc23 has been pushed to the r3.1 testing repository for the Fedora fc23 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update
Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.1.17-1.fc23 has been pushed to the r3.1 testing repository for the Fedora fc23 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.1-current-testing

Changes included in this update

@marmarek marmarek added the r3.1-fc23-cur-test label Jun 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 25, 2016

Member

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb8u1 has been pushed to the r3.1 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update
Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb8u1 has been pushed to the r3.1 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek marmarek added the r3.1-jessie-cur-test label Jun 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 25, 2016

Member

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb9u1 has been pushed to the r3.1 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update
Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb9u1 has been pushed to the r3.1 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek marmarek added the r3.1-stretch-cur-test label Jun 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 25, 2016

Member

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb7u1 has been pushed to the r3.1 testing repository for the Debian wheezy template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing wheezy-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update
Member

marmarek commented Jun 25, 2016

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb7u1 has been pushed to the r3.1 testing repository for the Debian wheezy template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing wheezy-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek marmarek added the r3.1-wheezy-cur-test label Jun 25, 2016

@adrelanos

This comment has been minimized.

Show comment
Hide comment
@adrelanos

adrelanos Jul 8, 2016

Member 
cat /etc/apt/sources.list.d/qubes-r3.list

# Main qubes updates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie main

# Qubes updates candidates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-testing main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-testing main

# Qubes security updates testing repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-securitytesting main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-securitytesting main

# Qubes experimental/unstable repository
#deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-unstable main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-unstable main

dpkg -l | grep qubes-core-agent

ii  qubes-core-agent                      3.1.17-1+deb8u1                      amd64        Qubes core agent

But I do not have qubes.OpenURL.

The package qubes-core-agent_3.1.17-1+deb8u1 has been pushed to the r3.1 testing repository for the Debian jessie template.

So did I mess something up or was some mistake or there is some bug in Automated announcement from builder-github?
Member

adrelanos commented Jul 8, 2016 

cat /etc/apt/sources.list.d/qubes-r3.list

# Main qubes updates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie main

# Qubes updates candidates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-testing main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-testing main

# Qubes security updates testing repository
deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-securitytesting main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-securitytesting main

# Qubes experimental/unstable repository
#deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie-unstable main
#deb-src http://deb.qubes-os.org/r3.1/vm jessie-unstable main

dpkg -l | grep qubes-core-agent

ii  qubes-core-agent                      3.1.17-1+deb8u1                      amd64        Qubes core agent

But I do not have qubes.OpenURL.

The package qubes-core-agent_3.1.17-1+deb8u1 has been pushed to the r3.1 testing repository for the Debian jessie template.

So did I mess something up or was some mistake or there is some bug in Automated announcement from builder-github?
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 8, 2016

Member

This ticket isn't about qubes.OpenURL service. It's about XSS in opening URLs by qubes.OpenInVM. Which is also fixed by implementing separate service for that, but that's only done in R3.2.
Ticket for qubes.OpenURL is here: #1487
And packages are already uploaded (builder-github wasn't enabled for R3.2 before rc1 release).
Member

marmarek commented Jul 8, 2016

This ticket isn't about qubes.OpenURL service. It's about XSS in opening URLs by qubes.OpenInVM. Which is also fixed by implementing separate service for that, but that's only done in R3.2.
Ticket for qubes.OpenURL is here: #1487
And packages are already uploaded (builder-github wasn't enabled for R3.2 before rc1 release).
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 25, 2016

Member

Automated announcement from builder-github

The package qubes-upgrade-vm-3.1-1.fc21 has been pushed to the r3.1 stable repository for the Fedora fc21 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update
Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-upgrade-vm-3.1-1.fc21 has been pushed to the r3.1 stable repository for the Fedora fc21 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@marmarek marmarek added r3.1-fc21-stable and removed r3.1-fc21-cur-test labels Jul 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 25, 2016

Member

Automated announcement from builder-github

The package qubes-upgrade-vm-3.1-1.fc22 has been pushed to the r3.1 stable repository for the Fedora fc22 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update
Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-upgrade-vm-3.1-1.fc22 has been pushed to the r3.1 stable repository for the Fedora fc22 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@marmarek marmarek added r3.1-fc22-stable and removed r3.1-fc22-cur-test labels Jul 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 25, 2016

Member

Automated announcement from builder-github

The package qubes-upgrade-vm-3.1-1.fc23 has been pushed to the r3.1 stable repository for the Fedora fc23 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update
Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-upgrade-vm-3.1-1.fc23 has been pushed to the r3.1 stable repository for the Fedora fc23 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@marmarek marmarek added r3.1-fc23-stable and removed r3.1-fc23-cur-test labels Jul 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 25, 2016

Member

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb8u1 has been pushed to the r3.1 stable repository for the Debian jessie template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update
Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb8u1 has been pushed to the r3.1 stable repository for the Debian jessie template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek marmarek added r3.1-jessie-stable and removed r3.1-jessie-cur-test labels Jul 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 25, 2016

Member

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb9u1 has been pushed to the r3.1 stable repository for the Debian stretch template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update
Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb9u1 has been pushed to the r3.1 stable repository for the Debian stretch template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek marmarek added r3.1-stretch-stable and removed r3.1-stretch-cur-test labels Jul 25, 2016

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jul 25, 2016

Member

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb7u1 has been pushed to the r3.1 stable repository for the Debian wheezy template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update
Member

marmarek commented Jul 25, 2016

Automated announcement from builder-github

The package qubes-core-agent_3.1.17-1+deb7u1 has been pushed to the r3.1 stable repository for the Debian wheezy template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@marmarek marmarek added r3.1-wheezy-stable and removed r3.1-wheezy-cur-test labels Jul 25, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment