Arbitrary application execution with screen reader

RESOLVED FIXED in 2.2 S11 (1may)

Status

defect
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: sdna.muneaki.nishimura, Assigned: eeejay)

Tracking

({sec-high, wsec-xss})

unspecified
2.2 S11 (1may)
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(blocking-b2g:2.2+, b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 fixed, b2g-master fixed)

Details

(Whiteboard: [b2g-adv-main2.2-])

Attachments

(2 attachments)

Reporter

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2376.0 Safari/537.36

Steps to reproduce:

The caption box for the screen reader doesn't escape HTML tags contained in the input string (see below).
https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/accessibility.js#L596
It can be the cause of an arbitrary application execution vulnerability.

The detailed attack scenario on Firefox OS 3.0 is below.

1. Open the following URL in the Browser app:
https://www.google.co.jp/search?q=%3Ciframe%20mozbrowser%20remote%20mozapp=%22app://fm.gaiamobile.org/manifest.webapp%22%20src=%22app://fm.gaiamobile.org/index.html%22%3E
2. Activate the "Screen Reader" function from the accessibility menu in the Settings app and enable the "Display speech" option
3. Open the Browser app again and move focus to the window opened in step 1


Actual results:

The FM Radio app is executed in the caption box dialog, as in the attached picture.


Expected results:

HTML tags in the input string should be displayed as plain text in the caption box.

Comment 1

4 years ago
Eitan, can you direct this to the right product/component + person etc.? :-)
Flags: needinfo?(eitan)
Assignee

Comment 2

4 years ago
Looks like we should be using textContent, and not innerHTML.
Flags: needinfo?(eitan)
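
The defect described in the report and named in comment 2 (speech text written to the caption box through innerHTML instead of textContent) is a source-level pattern that can be caught mechanically before review. The scanner below is an added example, not Gaia code and not the patch attached to this bug: it flags innerHTML/outerHTML assignments and insertAdjacentHTML calls whose markup argument is anything other than a single string literal. The file names and sample sources it runs over are constructed to resemble the vulnerable and fixed caption code; they are not copied from accessibility.js.

```javascript
// Added example (not Gaia code): flag HTML-injection sinks fed with
// non-literal data, the pattern behind this bug. Sample sources below are
// constructed to resemble the vulnerable and fixed caption code.

// Assignment sinks: el.innerHTML = x / el.outerHTML += x. The (?!=) keeps
// comparisons such as `a.innerHTML === b` from matching.
const SINK_RE = /\.(innerHTML|outerHTML)\s*(\+?=)(?!=)\s*([^;]+);?/g;
// Call sink: el.insertAdjacentHTML(position, html); the second argument is the markup.
const ADJ_RE = /\.insertAdjacentHTML\s*\(\s*['"][^'"]*['"]\s*,\s*([^)]+)\)/g;

// A right-hand side is treated as static only when it is a single string
// literal with no concatenation and no ${} substitution. Anything else
// (identifier, call, concatenation) may carry attacker-controlled text.
function isStaticMarkup(expr) {
  const s = expr.trim();
  return /^'[^'\\]*'$/.test(s) || /^"[^"\\]*"$/.test(s) || /^`[^`$]*`$/.test(s);
}

// Scan one source file (given as a string); return one finding per dynamic sink.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    let m;
    SINK_RE.lastIndex = 0;
    while ((m = SINK_RE.exec(line)) !== null) {
      const [, sink, op, rhs] = m;
      // `+=` always appends markup to existing content; treat it as dynamic.
      if (op === '+=' || !isStaticMarkup(rhs)) {
        findings.push({ file, line: idx + 1, sink, expr: rhs.trim() });
      }
    }
    ADJ_RE.lastIndex = 0;
    while ((m = ADJ_RE.exec(line)) !== null) {
      if (!isStaticMarkup(m[1])) {
        findings.push({ file, line: idx + 1, sink: 'insertAdjacentHTML', expr: m[1].trim() });
      }
    }
  });
  return findings;
}

// Scan a map of { fileName: sourceText } and collect all findings.
function scanAll(sources) {
  return Object.entries(sources).flatMap(([file, src]) => scanSource(file, src));
}

function formatFindings(findings) {
  return findings.map(f => `${f.file}:${f.line}: ${f.sink} <- ${f.expr}`).join('\n');
}

// Constructed samples (hypothetical file names and code, not from the repository).
const SAMPLES = {
  // Shape of the defect: spoken text written to the caption as markup.
  'caption-vulnerable.js': [
    'function showCaption(text) {',
    "  var box = document.getElementById('accessibility-caption');",
    '  box.innerHTML = text;',
    '}',
  ].join('\n'),
  // Shape of the fix from attachment 8596025: text rendered as text.
  'caption-fixed.js': [
    'function showCaption(text) {',
    "  var box = document.getElementById('accessibility-caption');",
    '  box.textContent = text;',
    '}',
  ].join('\n'),
  // A constant template is acceptable; appending a computed string is not.
  'dialog.js': [
    "dialog.innerHTML = '<p class=\"title\"></p>';",
    'dialog.innerHTML += renderTitle(title);',
  ].join('\n'),
};

console.log(formatFindings(scanAll(SAMPLES)) || 'no dynamic HTML sinks found');
```

Run over the constructed samples it reports the innerHTML assignment in the vulnerable caption and the `+=` in dialog.js, and stays silent on the textContent version and on the constant template. It is a textual check with the usual limits (multi-line expressions and sinks reached through aliases are missed), which is why it belongs alongside review rather than in place of it.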
Assignee

Comment 3

4 years ago
I could write a pull request for that. Should I just do a public one and attach it to this bug?
Assignee

Comment 4

4 years ago
I don't know what the protocol is for having this land. I didn't open a new GH pull request, because this is a confidential bug.
Assignee

Updated

4 years ago
Attachment #8596025 - Flags: review?(alive)
Flags: sec-bounty?
Comment 5

Rating this sec-high like bug 1101158, but I'm not sure what permissions the screen reader app has compared to the system app so it could be lower. Paul?

dammit guys, enough of the innerHTML already. That should be part of day 1 training for every new dev.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(ptheriault)
Keywords: sec-high, wsec-xss
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Rating this sec-high like bug 1101158, but I'm not sure what permissions the
> screen reader app has compared to the system app so it could be lower. Paul?
> 
> dammit guys, enough of the innerHTML already. That should be part of day 1
> training for every new dev.

I just checked and this landed in 2.2 so it needs to block. There's a simple patch, it fixes a sec-high bug, so hopefully this is fine to land.
blocking-b2g: --- → 2.2?
Flags: needinfo?(ptheriault)
(PS 2.2 hasn't shipped yet, so this probably doesn't need to stay hidden, so long as the fix makes it in).

Comment 8

4 years ago
Blocking as sec-high bug
blocking-b2g: 2.2? → 2.2+
Comment on attachment 8596025 [details] [diff] [review]
Use textContent instead of innerHTML in screen reader speech caption.

Review of attachment 8596025 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, thanks
Attachment #8596025 - Flags: review?(alive) → review+
Reporter

Comment 11

4 years ago
Is "tv_apps" an active project (and in scope of your bounty program)?

I'm not sure it is really exploitable since I don't have an execution environment for tv_apps, but the following code may have the same defect.
https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/modal_dialog.js#L379
I think the released products that use the tv_apps are using older branches. Let's find out…
Assignee

Comment 13

4 years ago
https://github.com/mozilla-b2g/gaia/commit/6a7d6427509886cc338c500994f77b113a8ce965
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Assignee

Updated

4 years ago
Assignee: nobody → eitan
Assignee

Comment 14

4 years ago
Comment on attachment 8596025 [details] [diff] [review]
Use textContent instead of innerHTML in screen reader speech caption.

[Approval Request Comment]
[Bug caused by] (feature/regressing bug #):
[User impact] if declined: Remotely exploitable: arbitrary HTML can be run in the system app.
[Testing completed]: Yes, manual.
[Risk to taking this patch] (and alternatives if risky): Low
[String changes made]: None
Attachment #8596025 - Flags: approval-gaia-v2.2?
Attachment #8596025 - Flags: approval-gaia-v2.2? → approval-gaia-v2.2+
Eitan, can you take a look at https://github.com/mozilla-b2g/gaia/blob/f34ce82a840ad3c0aed3bfff18517b3f6a0eb37f/tv_apps/smart-system/js/accessibility.js#L503 too?
Status: RESOLVED → REOPENED
Flags: needinfo?(eitan)
Resolution: FIXED → ---
Assignee

Comment 17

4 years ago
https://github.com/mozilla-b2g/gaia/commit/0636405f0844bf32451a375b2d61a2b16fe33348

Carried over alive's review.

Nominate that for whatever other branch this needs to land on for TV.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(eitan)
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+
Whiteboard: [b2g-adv-main2.2+]
Whiteboard: [b2g-adv-main2.2+] → [b2g-adv-main2.2-]

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release