Full Report
Mozilla's VPN client software has a live_reload command available over a websocket. This command reaches out to a server and writes the file to /tmp on the local machine. This code contains a classic directory traversal. The path for the remote server is the same as the one that is written to. By adding a ../, it's possible to overwrite DLLs on a Windows system. This would, in all likelihood, lead to RCE on Windows. The exploit required that staging servers be enabled, which seems to be a non-default setting. A classic vulnerability in 2025. Crazy!
Analysis Summary
# Vulnerability: Directory Traversal via Mozilla VPN Websocket live_reload
## CVE Details
- **CVE ID**: Not explicitly cited in the provided snippet (likely pending or internal H1 reference).
- **CVSS Score**: Not assigned in the report. The analysis estimate is 8.8 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, assuming user interaction is needed to trigger the websocket command. If the non-default staging configuration is scored as Attack Complexity High (AC:H), the same vector yields 7.5.
- **CWE**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
## Affected Systems
- **Products**: Mozilla VPN Client.
- **Versions**: Not given in the report summary; check the vendor advisory for the fixed build number.
- **Configurations**: The exploit requires **staging servers to be enabled**, a non-default setting presumably used by developers and testers.
## Vulnerability Description
Mozilla VPN's client software exposes a `live_reload` command over a websocket. When the command is received, the client fetches a file from a remote server and writes it under the local temporary directory (`/tmp` in the report; the per-user temp directory on Windows).
The flaw is that the path used to request the file from the server is reused, unchanged, as the local destination: nothing checks that the resulting path stays inside the temporary directory. A path containing traversal sequences (`../` or `..\`) therefore walks out of the temp directory and the fetched content is written wherever the path lands. On Windows the report notes this can overwrite DLLs, including those of the client itself or of the system, which would in all likelihood lead to code execution when the overwritten DLL is next loaded.
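The two behaviours described above, side by side, as an added example (this is not Mozilla's code and does not reproduce the client's implementation): the unchecked variant joins the server-supplied path straight onto the temp directory, the confined variant resolves the candidate and refuses anything that does not stay inside it. Temp directories and file names are constructed; both POSIX and Windows path semantics are exercised because the client runs on both.

```python
import ntpath
import posixpath

# The client is cross-platform, so the check is exercised with both POSIX and
# Windows path semantics regardless of the OS this script runs on.
FLAVORS = {"posix": posixpath, "nt": ntpath}


def vulnerable_write_target(tmp_dir, remote_path, flavor="posix"):
    """Mirror the reported flaw: the path used to fetch the file from the
    server is joined straight onto the temp directory and becomes the local
    destination. normpath() shows where the filesystem will actually put it."""
    p = FLAVORS[flavor]
    return p.normpath(p.join(tmp_dir, remote_path))


def confined_write_target(tmp_dir, remote_path, flavor="posix"):
    """Hardened variant: resolve the destination and return it only if it is
    strictly inside tmp_dir; return None for anything that escapes."""
    p = FLAVORS[flavor]
    if flavor == "posix":
        # Conservative choice: evaluate a Windows-style "..\\" payload as a
        # traversal rather than accepting it as an odd single filename.
        remote_path = remote_path.replace("\\", "/")
    base = p.normpath(tmp_dir)
    candidate = p.normpath(p.join(base, remote_path))
    try:
        inside = p.commonpath([base, candidate]) == base
    except ValueError:
        # ntpath raises when the drives differ ("D:\\evil.dll" vs "C:\\..."),
        # which is certainly not inside the temp directory.
        inside = False
    if not inside or candidate == base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs; the temp directories and file names are illustrative.
    cases = [
        ("/tmp", "reload/bundle.js", "posix"),
        ("/tmp", "../etc/cron.d/job", "posix"),
        (r"C:\Users\alice\AppData\Local\Temp", r"reload\bundle.js", "nt"),
        (r"C:\Users\alice\AppData\Local\Temp",
         r"..\..\..\..\..\Windows\System32\target.dll", "nt"),
    ]
    for tmp_dir, remote_path, flavor in cases:
        print(f"{remote_path!r:48} unchecked -> "
              f"{vulnerable_write_target(tmp_dir, remote_path, flavor)}")
        print(f"{'':48} confined  -> "
              f"{confined_write_target(tmp_dir, remote_path, flavor)}")
```

The string-level check is what a code review would look for; in a real client the candidate should additionally be passed through `realpath` against the live filesystem, since a symlink planted inside the temp directory can redirect a path that looks confined.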
## Exploitation
- **Status**: Described in a HackerOne report (ID redacted here); the summary does not mention in-the-wild exploitation.
- **Complexity**: Medium. The non-default staging configuration must be active, the attacker must be able to issue the `live_reload` command over the websocket, and the written content is whatever the configured server returns for the traversal path.
- **Attack Vector**: Network (websocket command; the file content is fetched from the remote server).
## Impact
- **Confidentiality**: High (code execution in the context of the VPN client process exposes whatever that process can read).
- **Integrity**: High (Arbitrary file overwrite/DLL hijacking).
- **Availability**: High (System or application instability following file corruption).
## Remediation
### Patches
- Update the Mozilla VPN client through the official Mozilla update channel to a build that includes the fix. The report summary does not give the fixed version number, so confirm it against the vendor advisory.
### Workarounds
- **Disable Staging Mode**: Ensure that the "staging servers" configuration is disabled in the application settings.
- **Restrict Websocket Access**: Use host-based firewalls to prevent unauthorized entities from interacting with local websocket ports.
## Detection
- **Indicators of Compromise**:
- Files created or modified by the VPN client process outside its temporary directory, in particular DLLs under `C:\Windows\System32` or the client's install directory with unexpected modification timestamps.
- Where the client logs websocket commands, `live_reload` invocations on hosts where nobody is developing or testing the client.
- **Detection Methods**:
- Monitor file-create telemetry (for example Sysmon Event ID 11, FileCreate) for the Mozilla VPN process writing under `C:\Windows\System32` or application folders rather than its temp directory.
- Audit client configuration for the staging-server option being enabled (the report does not give the setting's name; `staging_servers: true` is only illustrative).
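The file-write detection above, as an added example run over constructed records (not real telemetry, and not a Mozilla or Sysmon artefact). Field names follow Sysmon Event ID 11 (`Image`, `TargetFilename`, `UtcTime`); the VPN client's executable path and the watched directories are assumptions to be adjusted to the hosts being monitored.

```python
import ntpath

# Substring used to recognise the VPN client in the Image field. The install
# path in the sample events below is an assumption, not taken from the report.
VPN_IMAGE_HINT = "mozilla vpn"

# Locations a live_reload write should never reach (compared case-insensitively).
WATCHED_PREFIXES = (
    r"C:\Windows\System32",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


def is_under(path, prefix):
    """True if path is inside prefix, using Windows path semantics
    (case-insensitive, either separator accepted)."""
    path = ntpath.normcase(ntpath.normpath(path))
    prefix = ntpath.normcase(ntpath.normpath(prefix))
    return path == prefix or path.startswith(prefix + ntpath.sep)


def find_suspicious_writes(events, image_hint=VPN_IMAGE_HINT, watched=WATCHED_PREFIXES):
    """Return (UtcTime, TargetFilename) for Sysmon FileCreate (EventID 11)
    records where the VPN client wrote into a watched system or application
    directory instead of its temp directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        if image_hint not in ev.get("Image", "").lower():
            continue
        target = ev.get("TargetFilename", "")
        if any(is_under(target, w) for w in watched):
            hits.append((ev["UtcTime"], target))
    return hits


# Constructed sample events (not real telemetry). Only the second and third
# records are writes by the VPN process into a watched location.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2025-03-01 10:00:01.000",
     "Image": r"C:\Program Files\Mozilla\Mozilla VPN\Mozilla VPN.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\reload\bundle.js"},
    {"EventID": 11, "UtcTime": "2025-03-01 10:00:02.000",
     "Image": r"C:\Program Files\Mozilla\Mozilla VPN\Mozilla VPN.exe",
     "TargetFilename": r"C:\Windows\System32\target.dll"},
    {"EventID": 11, "UtcTime": "2025-03-01 10:00:03.000",
     "Image": r"C:\Program Files\Mozilla\Mozilla VPN\Mozilla VPN.exe",
     "TargetFilename": r"C:\Program Files\Mozilla\Mozilla VPN\plugin.dll"},
    {"EventID": 11, "UtcTime": "2025-03-01 10:00:04.000",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\other.dll"},
    {"EventID": 1, "UtcTime": "2025-03-01 10:00:05.000",
     "Image": r"C:\Program Files\Mozilla\Mozilla VPN\Mozilla VPN.exe",
     "TargetFilename": ""},
]

if __name__ == "__main__":
    for when, path in find_suspicious_writes(SAMPLE_EVENTS):
        print(f"{when}  VPN client wrote outside its temp directory: {path}")
```

Scoping the rule to the VPN process keeps it quiet: installers and updaters legitimately write DLLs into these directories, which is why the `msiexec.exe` record is not flagged under the default image hint.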
## References
- **Vendor Advisories**: hxxps[://]www[.]mozilla[.]org/en-US/security/advisories/
- **Research Source**: hxxps[://]hackerone[.]com/reports/ [Report ID hidden]