User.js: Recently disclosed NTFS MFT issue [Bug 1368682]

Created on 28 May 2017  ·  14 Comments  ·  Source: arkenfox/user.js

Given that one of the goals of this repo is security, you are probably aware of the recent disclosure of an NTFS MFT issue. If not, see:

Can't this be significantly (but not completely) mitigated by creating the following uBo filter?:
/$MFT/

firefox bug

All 14 comments

It should already be mitigated by FF's handling of file:// - i.e. load a website that asks for a local file, the local file is already blocked.

According to the following article, they have confirmed this to be an issue with Firefox (and IE):

This can happen when the user tries to open the file directly — via a Run command or other means — or the path is secretly loaded in the background of a web page, as an image's source URL

It would have to be hidden in a direct link, or you'd have to open the local file, or you'd have to enter it yourself into the url bar. They don't say how they did their test, but the sub-title says "Bug can be exploited via Firefox and IE, but not Chrome". Sure, type file:///C:\$MFT\foo and enjoy - but try getting a website to cause FF to try and access a local file without user intervention (I'm almost sure it can't, but I could be wrong)

You can always just completely shutdown file-scheme in uMatrix (bit overkill) - not sure what syntax that is - earthlng?

Otherwise, does it affect privacy, nope. Does it affect fingerprinting, nope. Does it affect security, nope (as in no penetration). Is it annoying, hell yeah. Does it cause site breakage, heh, yup!

@Gitoffthelawn - did you ask at uBo re that filter?

EDIT: now I'm reading "A website with an image directory that uses $MFT in its name is enough". That doesn't make sense to me, sounds like bad reporting. It's the local system accessing your $MFT.

The reporting definitely makes it sound like all a site has to do is include an image with $MFT as part of the source.... and then blammo. I haven't tested it yet. I have read in a few other places that it's possible to exploit in Firefox, but not quite that trivial.

I didn't ask over at uBo because questions and discussions are closed right away with a link to CONTRIBUTING.md. That's understandable given the context.

Thinking about the uBo filter, I'm wondering if we would also need something to handle backslashes. I thought \$MFT\ or \\$MFT\\ would work, but it doesn't. I also thought $MFT or *$MFT* would work, but those would be fairly slow for uBo to process, and do not work anyways. (I have to re-learn the nuances of uBo filters.... any constructive feedback is welcome.)

More like a PoC.

@Gitoffthelawn thanks for reporting this.

I tested local file inclusion in a local webserver and Firefox prevents the loading of file:/// resources on http(s) pages and reports it in the console:
Security Error: Content at http://myserver/test.html may not load or link to file:///C:/cat.jpg.

I have not tested local links yet (<a href=...>) and according to this it shouldn't work BUT according to this it should be possible.

There are probably countless other ways that would need to be tested, fe using a local file url in css, data: URI, javascript, SVGs, via redirects etc etc

From the article:

This can happen when the user tries to open the file directly — via a Run command or other means — or the path is secretly loaded in the background of a web page, as an image's source URL.

Nonetheless, Bleeping Computer confirmed that the $MFT bug causes a Windows 7 installation to hang via Internet Explorer and Firefox.

Unfortunately they don't say how they managed to make FF hang but it seems unlikely that it was because

the path is secretly loaded in the background of a web page, as an image's source URL

In my testing uMatrix did not see the 3rd party image request to file:///c:/..., probably because FF already intervened and stopped it. But I also only tested with my main hardened FF.

@earthlng You're welcome. Thanks for the thanks. :)

Thank you for the initial testing. All the info you provided is very helpful.

BTW, the Bleeping Computer article speaks of causing Windows 7 to hang (via Firefox), not just Firefox itself.

Do you feel comfortable contacting the Bleeping Computer author and see if he will provide you with more details on how he tested things?

BTW, the Bleeping Computer article speaks of causing Windows 7 to hang (via Firefox), not just Firefox itself.

yes that's what I meant, my bad.

Do you feel comfortable contacting the Bleeping Computer author and see if he will provide you with more details on how he tested things?

You need to login in order to post a comment

so no, I can't be bothered to sign up there, sorry. They listed 2 ways that could trigger it ("open the file directly" + "secretly loaded in the background") and I don't doubt that it does indeed hang the computer by opening a file directly.
But as I said there could be "countless other ways that would need to be tested" for the "secretly loaded in the background" part and I don't have time to test it all atm, nor could I probably think of all the possible ways tbh

FYI: 1368682 NTFS MFT Bug Reported Causes Hang

EDIT: Will leave this ticket open until it is resolved. You can certainly MAKE Firefox crash your Windows system (I suspect the articles are sensationalizing a little?), but it is uncertain if this is actually a real life threat.

I'll just throw this in here: file:// URLs can leak IP on macOS and Linux

Tor 7.0.9 was released: https://blog.torproject.org/tor-browser-709-released - specifically to push a fix for this bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1412081 (which is ACCESS DENIED)

The tor ticket is: https://trac.torproject.org/projects/tor/ticket/24052 and you can see the patches linked there (I do not know if this already contains some patches from Mozilla as mentioned in the TBB release blog)

Update:

May 28

@Gitoffthelawn - did you ask at uBo re that filter?

Well, I asked for you. I shall await gorhill's reply :)

OK gorhill replied, but he does not have Windows

Suggestion: look in the logger, which is a problem, because manually entering C:\$MFT\foo will crash the OS. I'm no longer the whizz I once was (1918 and diana prince was such a long time ago) .. how do we set up an alias to use eg C:\$TEST\test.jpg and see if we can block it by getting the rules right

Wow, the least recently updated open issue .. 9 months...

from https://github.com/gorhill/uMatrix/issues/589#issuecomment-421764930

The new NoScript succeeds in blocking JS from file: URL. I looked into it and it does so by injecting the CSP directive through a <meta http-equiv...> in the DOM at document_start time -- clever.

I will bring this technique to uMatrix. Note that this would still not solve the case for Chromium, this is possible in Firefox because it supports registering content scripts dynamically.

and subsequent commit

edit: soz: OT, that was about blocking JS in file:/// . Got confused because that was the issue I asked gorhill for some answers


So... what is the rule to block eg C:\$TEST\* ? Anyone?

I'm closing this. No-one seems to know if this is an actual issue (besides manually directly loading it)

From my second comment

Otherwise, does it affect privacy, nope. Does it affect fingerprinting, nope. Does it affect security, nope (as in no penetration)

1368682 has been idle for 11 months at P3. No need for us to track it any longer. It's not even in our wheelhouse
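
One way to audit a page for the kind of reference discussed in this thread, as an added example that is not part of the original discussion: it resolves each `src`/`href`/CSS `url()` value against the page URL and reports those that land on `file:`, noting whether a path segment is `$MFT`. `SAMPLE_HTML`, `PAGE_URL` and the function names are constructed for illustration; it covers only these reference types, not the scripts, SVGs or redirects also mentioned above.

```javascript
// Added example (not from the thread). SAMPLE_HTML and PAGE_URL are constructed.
const ATTR_RE = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const CSS_URL_RE = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;

// Collect raw reference strings from src/href attributes and CSS url(...).
function extractRefs(html) {
  const refs = [];
  for (const re of [ATTR_RE, CSS_URL_RE]) {
    for (const m of html.matchAll(re)) refs.push(m[1] ?? m[2] ?? m[3]);
  }
  return refs;
}

// Resolve a reference with the WHATWG URL parser, then record two facts:
// does it point at the local file: scheme, and does any path segment equal $MFT.
function classify(ref, pageUrl) {
  let url;
  try {
    url = new URL(ref, pageUrl);
  } catch {
    return { ref, scheme: null, localFile: false, mftSegment: false };
  }
  let path = url.pathname;
  try { path = decodeURIComponent(path); } catch { /* keep the raw path */ }
  // URL parsing turns "\" into "/" for file: URLs, so C:\$MFT\foo and
  // C:/$MFT/foo give the same segments.
  const mftSegment = path.split("/").some((s) => s.toUpperCase() === "$MFT");
  return { ref, scheme: url.protocol, localFile: url.protocol === "file:", mftSegment };
}

// References on a web page that resolve to a local file.
function scan(html, pageUrl) {
  return extractRefs(html).map((r) => classify(r, pageUrl)).filter((c) => c.localFile);
}

const PAGE_URL = "http://myserver/test.html";
const SAMPLE_HTML = String.raw`
<img src="file:///C:/cat.jpg">
<img src="img/$MFT/logo.png">
<a href='file:///C:\$MFT\foo'>link</a>
<div style="background:url(file:///C:/bg.png)"></div>
<script src="/app.js"></script>`;

for (const hit of scan(SAMPLE_HTML, PAGE_URL)) console.log(hit);
```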
