CVE-2023-29542 - Bypassing File Extension Security in Firefox & Thunderbird with Newlines in Filenames
Security vulnerabilities come in all shapes and sizes—even something as simple as a “newline” (that’s \n) in a filename can slip through the cracks and introduce serious risk. That’s what happened with CVE-2023-29542, a bug found in Mozilla Firefox and Thunderbird on Windows. This flaw let attackers sneak around security filters that were supposed to block dangerous file types, which could lead a user to run malicious code by accident.
In this article, we’ll break down how this bug worked, share technical details and code samples, and point you to the original references. If you use or support Firefox or Thunderbird, especially on Windows, you’ll want to read on.
The Basic Problem
Browsers and email clients know that some files—like .lnk, .bat, or .exe—can be dangerous, especially if users are tricked into running them. So, as a safety step, Mozilla’s products replace these extensions with a harmless one like .download when saving files. For instance:
A file called malware.lnk becomes malware.lnk.download.
Sounds robust, right? However, CVE-2023-29542 found a blind spot: what if the filename contains a newline character?
The Newline Trick
On Windows, certain characters are not allowed in filenames, but *newline characters* are usually accepted in the filename *before* it’s written to disk. Some programs and API layers don’t sanitize input thoroughly, potentially giving attackers a way to cause confusion.
2. Firefox or Thunderbird saves the file by appending .download to it, but Windows treats the newline as a separator. The resulting filename might be interpreted as:
3. Windows or third-party tools—especially those parsing files line-by-line—could see .lnk (the malicious shortcut) as a separate executable file, bypassing basic extension checks.
4. User accidentally runs malicious code by double-clicking the file, believing it is a safe download.
Proof-of-Concept (PoC) Code
Below is a simplified example showing how such a filename could be generated and what could slip through:
```python
import os

# Example: creating a file with newline in the name on Windows
malicious_filename = "coolphoto\n.lnk"
with open(malicious_filename, "w") as f:
    f.write("Malicious shortcut content")  # Could be binary data in real exploit

# Simulate browser or client renaming behavior
download_filename = malicious_filename + ".download"
os.rename(malicious_filename, download_filename)
print(f"Created file: {download_filename}")
```
*Warning*: This is for educational purposes only. Do not run this code on your main system!
Real-World Impact
- If a user downloaded a file that looked benign, but secretly had a newline and a dangerous extension, security checks might not catch it.
- The user could double-click the file, thinking it’s safe, but it could actually execute malicious code.
- This specific problem only existed in Firefox and Thunderbird on Windows before the following versions:
Thunderbird before 102.10
Other OS versions (Linux, macOS) were not affected.
Patched: April 2023, in Firefox 112, Firefox ESR 102.10, and Thunderbird 102.10.
- Official Mozilla advisory: MFSA 2023-13
- CVE record: CVE-2023-29542 Details
The patch made sure all special characters, including newlines, are sanitized or removed from filenames before appending secure extensions.
1. Update Now: Make sure you’re running the latest versions of Firefox and Thunderbird.
2. Be Suspicious: Don’t double-click files with odd names or unexpected extensions—even if they look innocent.
3. Penetration Test: When building file-handling features, always test with odd/unexpected filenames, including those with newlines or other control characters.
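The sanitize-before-append order described for the patch, combined with the odd-filename testing from step 3, as an added Python example (not Mozilla's code and not part of the original article). The extension blocklist, the function names, the `naive_download_name` contrast and the sample names are assumptions constructed for illustration.

```python
import unicodedata

# Assumed blocklist for this example; not Mozilla's actual list.
DANGEROUS_EXTENSIONS = {".lnk", ".bat", ".exe"}
WINDOWS_RESERVED = set('<>:"/\\|?*')  # rejected by the Win32 file APIs


def sanitize_filename(name: str) -> str:
    """Drop characters that must never reach the extension check or the disk."""
    kept = []
    for ch in name:
        # Cc: control chars (\n, \r, \t, NUL); Cf: format chars such as U+202E;
        # Zl/Zp: Unicode line and paragraph separators.
        if unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp"):
            continue
        kept.append("_" if ch in WINDOWS_RESERVED else ch)
    # Windows ignores trailing dots and spaces, so "x.lnk. " is really "x.lnk".
    return "".join(kept).strip().rstrip(". ") or "download"


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def safe_download_name(raw: str) -> str:
    """Hardened order: sanitize first, then decide on the final name."""
    name = sanitize_filename(raw)
    return name + ".download" if extension(name) in DANGEROUS_EXTENSIONS else name


def naive_download_name(raw: str) -> str:
    """Weak order (constructed for contrast): check the raw name, clean up later."""
    name = raw + ".download" if extension(raw) in DANGEROUS_EXTENSIONS else raw
    return sanitize_filename(name)


def audit(namer, samples):
    """Return the samples whose final name still ends in a dangerous extension."""
    return [s for s in samples if extension(namer(s)) in DANGEROUS_EXTENSIONS]


# Constructed test names, in the spirit of step 3 above.
SAMPLES = ["coolphoto\n.lnk", "invoice.lnk\r\n", "setup.exe\u2028", "run.bat. ", "notes.txt"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(safe_download_name(s)))
```

Running `audit(naive_download_name, SAMPLES)` lists the names that keep a dangerous extension when the check runs on the raw string; the same call with `safe_download_name` returns an empty list.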
Further Reading
- Mozilla Security Advisory for CVE-2023-29542
- NIST National Vulnerability Database reference
- Red Hat Security Data (RHSA-2023:2308)
Conclusion
CVE-2023-29542 is a great example of how even a tiny oversight like a newline character can have outsized security consequences. Real-world bugs don’t always look dramatic; sometimes, it’s the simplest tricks that can lead to the biggest risks. Stay patched, stay cautious, and always be ready for the unexpected.
If you handle file downloads in your own apps, don't trust the browser alone—sanitize all filenames and check for hidden surprises yourself.
Timeline
Published on: 06/19/2023 11:15:00 UTC
Last modified on: 06/27/2023 08:51:00 UTC