Closed
Bug 1208339
Opened 9 years ago
Closed 9 years ago
Cross-Origin restriction bypass with fetch using 302 redirection
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1212669
| Tracking | Status | |
|---|---|---|
| firefox41 | --- | affected |
| firefox42 | --- | affected |
| firefox43 | --- | unaffected |
| firefox44 | --- | unaffected |
| firefox-esr38 | --- | unaffected |
People
(Reporter: qab, Assigned: bkelly)
References
Details
(Keywords: csectype-sop, sec-high, Whiteboard: fixed on trunk as part of bug 1184607, rediscovered as 1212669)
Attachments
(4 files)
Environment screenshot
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Build ID: 20150921151815 Steps to reproduce: 1. Create a 302 redirect on owned server (http://evil.guy/redir) which contains a 'Location:' header pointing to the victims website (ex: Location: https://twitter.com/) 2. Create page (http://evil.guy/PoC.html) that contains the exploit code as well as two iframes, one empty and one pointing to '//twitter.com/' directly. (please see attached PoC-FF.html) 3. Modify 'PoC-FF.html' replacing 'http://localhost/redir.php' with your own 302 redirector. 4. Visit 'http://evil.guy/PoC-FF.html' Actual results: - The iframe with href='//twitter.com/' is immediately blocked (as expected) - The second iframe, however, contains the full contents of twitter.com If the victim was logged into twitter then the iframe will display him as logged in, successfully bypassing firefox's Cross-Origin security, as you can probably imagine, this is extremely unsafe for FireFox users. Expected results: Both iframes should have been blocked. More precisely, the Fetch() function should not blindly follow 302 redirects but rather detect if a 302 is present then recheck origins.
|
Reporter | |
Updated•9 years ago
|
Severity: normal → critical
Keywords: csectype-sop,
sec-high
|
|
Reporter | |
Comment 1•9 years ago
|
||
P.S. Tested on Firefox 41.0 and it works.
|
|
Reporter | |
Comment 2•9 years ago
|
||
This PoC is designed to extract twitters 'authenticity_token' value through the iframe despite the input being type=hidden. Proof this can be used to leak sensitive user data from external website. This effects almost any website.
|
||
Updated•9 years ago
|
Group: firefox-core-security → core-security
Component: Untriaged → DOM
Product: Firefox → Core
|
||
Comment 3•9 years ago
|
||
Nikhil, I'm having trouble figuring out what the spec expects us to do for a no-cors fetch that receives a redirect status to a cross-origin URL. I guess the idea is that the redirection is allowed, but the result should be an opaque filtered response?
|
||
Comment 4•9 years ago
|
||
Reporter, please do not assign security keywords. That is a job for Mozilla staff.
(In reply to Josh Matthews [:jdm] from comment #3) > Nikhil, I'm having trouble figuring out what the spec expects us to do for a > no-cors fetch that receives a redirect status to a cross-origin URL. I guess > the idea is that the redirection is allowed, but the result should be an > opaque filtered response? That is correct.
I can't reproduce the steps outlined. Neither of the iframes load and the fetch() call clearly returns an opaque response. The blob is logged as size 0 and empty and creating a URL from that should lead to an empty blob. both frames remain empty for me. Using Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 ID:20150923030230 CSet: 19b4265d0d568d232fb3a34705f947b6db7496dc
uploading my test case in case i did something wrong.
the poc-ff.html should be saved in the same folder as the server. modify the redir path to be localhost:8080/redir.
|
|
Reporter | |
Comment 10•9 years ago
|
||
(In reply to Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?) from comment #8) > Created attachment 8666149 [details] > node server that serves file and redirect. > > the poc-ff.html should be saved in the same folder as the server. modify the > redir path to be localhost:8080/redir. I used a simple php file with the following: <?header('Location: https://twitter.com/');?> Also, I tested these on FF41 and FF42 beta, I see that you are using v44 which I have not tested on. (nor am I sure I can get v44) I will upload a screenshot (using v41) and displaying the exact response retrieved among other things. Also in case it matters, Im using Windows 8.1 64bit
Flags: needinfo?(qab)
|
|
Reporter | |
Comment 11•9 years ago
|
||
|
|
Reporter | |
Comment 12•9 years ago
|
||
(In reply to Josh Matthews [:jdm] from comment #9) > Can you reproduce this in FF 43 or 44? Not yet, checking now.
|
|
||
Comment 13•9 years ago
|
||
You can get 44 from nightly.mozilla.org.
|
|
Reporter | |
Comment 14•9 years ago
|
||
(In reply to Josh Matthews [:jdm] from comment #13) > You can get 44 from nightly.mozilla.org. Yes I can confirm the bug does not seem to work on v43 or v44. Fetch is indeed returning an opaque response in both.
|
|
||
Updated•9 years ago
|
status-firefox41:
--- → affected
status-firefox42:
--- → affected
status-firefox43:
--- → unaffected
status-firefox44:
--- → unaffected
|
||
Updated•9 years ago
|
Whiteboard: fixed on trunk, possible dupe? fix-range-wanted
|
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
|
||
Comment 15•9 years ago
|
||
This is somewhat similar to bug 1111834 fixed in Firefox 37, for regular CORS though, not using fetch(). May have been fixed by bug 1199049? (see also bug 1199693) Bug 1194384 was duped to that one and seems particularly on point here ("Fetch event interception and CORS preflight requests are backwards"). If that was the fix it looks way too involved to backport to 42. Josh: does this look like a dupe of your bug 1194384?
Flags: needinfo?(josh)
|
|
Reporter | |
Comment 16•9 years ago
|
||
I don't know if this matters by now, but this only works with {mode: 'no-cors'} passed to the fetch() function.|
|
||
Comment 17•9 years ago
|
||
I just tried a mozilla-central build for 9/12 and can't reproduce the problem, so bug 1199049 does not seem to be the fix.
Flags: needinfo?(josh)
|
|
||
Comment 18•9 years ago
|
||
It's present in http://ftp.mozilla.org/pub/firefox/nightly/2015/09/2015-09-01-mozilla-central-debug/ and not present in http://ftp.mozilla.org/pub/firefox/nightly/2015/09/2015-09-02-mozilla-central-debug/, so http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2015-08-31&enddate=2015-09-02 suggests that it's bug 1184607.
|
|
||
Updated•9 years ago
|
Assignee: nobody → bkelly
Status: UNCONFIRMED → NEW
status-firefox-esr38:
--- → unaffected
Ever confirmed: true
Keywords: csectype-sop,
sec-high
Whiteboard: fixed on trunk, possible dupe? fix-range-wanted → fixed on trunk as part of bug 1184607
Version: 42 Branch → 41 Branch
|
Assignee | |
Comment 19•9 years ago
|
||
I already have patches for this up in bug 1212669. Do I need to move them over here?
Depends on: CVE-2015-7184
|
||
Comment 20•9 years ago
|
||
Sure, but it doesn't matter much either way.
|
|
Assignee | |
Comment 21•9 years ago
|
||
I'm just going to land the patches in bug 1212669.
|
|
||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•9 years ago
|
Whiteboard: fixed on trunk as part of bug 1184607 → fixed on trunk as part of bug 1184607, rediscovered as 1212669
|
|
||
Comment 23•9 years ago
|
||
This vulnerability will be identified as CVE-2015-7184
|
|
||
Updated•8 years ago
|
Group: dom-core-security
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•