Closed Bug 1196014 Opened 10 years ago Closed 10 years ago

HTML injection in WiFi remote debugger prompt

Categories

(Firefox OS Graveyard :: Gaia::System, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tedd, Unassigned)

References

Details

(Keywords: sec-moderate, Whiteboard: [b2g-adv-main2.5+])

Attachments

(2 files)

An HTML injection can be triggered when the device prompts[1] the user to accept a remote debugging connection over WiFi.

I file this bug as a precaution, because I only triggered the vulnerability using WebIDE and attaching onto the phone; I don't know if this can be triggered by setting the hostname of the debugging device to contain the injection (I couldn't get the remote WiFi debugging working). But I could imagine that the device gets the hostname from the debugging device based on what the debugging device reports to the network. As for the |port|, I don't think it is possible to embed an injection string there.

I tested this on the latest flame-l build (20150818204622). Attached is the script used to trigger the injection.

[1] https://github.com/mozilla-b2g/gaia/blob/ccc131052b5818287cb94db9211861aedbb9bfc9/apps/system/locales/system.en-US.properties#L473
Attached image PoC screenshot
I did some further investigation and I don't think an attacker can control |host|, I believe it is just the IP from the debugging device. I got a little lost in the code.
This is another instance of .innerHTML in localization, see bug 1027117. Wondering if this is perhaps connected to the sanitization bug 1190038. Perhaps :stas knows more?
Blocks: 1027117
Flags: needinfo?(stas)
See Also: → CVE-2015-8510
Group: core-security → b2g-core-security
We removed that particular use of .innerHTML in bug 1027117. This should now be correctly sanitized by the l10n.js lib. :tedd, can you test your PoC again with a more recent version of Gaia, please?
Flags: needinfo?(stas)
:stas, I tried it with a newer gaia version (commit 5bceb2f8de6a62bed39ff8a13e21a02f04e3d45d) and it is fixed. I think we can close the bug, what do you think?
Flags: needinfo?(stas)
Sounds like this was successfully fixed by bug 1027117. Marking as such.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(stas)
Resolution: --- → FIXED
Group: b2g-core-security → core-security-release
Whiteboard: [b2g-adv-main2.5+]
Group: core-security-release
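The .innerHTML-in-localization pattern discussed in this bug, as an added illustration that is not code from Gaia, l10n.js or the reporter's PoC: a toy placeholder formatter in the style of an l10n string taking {{host}} and {{port}} arguments, with the unsafe substitution (raw interpolation destined for .innerHTML) beside the hardened one (every argument HTML-escaped). The template text, helper names and argument values are assumptions constructed for the demo.

```javascript
// Added example, not Gaia's own l10n.js. A minimal localization formatter
// that substitutes {{host}}/{{port}} placeholders into a prompt string.
// The template and argument values below are constructed for this demo.

const PROMPT_TEMPLATE =
  'Allow remote debugging connection from {{host}}:{{port}}?';

// Escape the characters that matter inside HTML text and attribute values.
// Ampersand must be escaped first so later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: arguments are dropped into the string verbatim, so any
// markup inside an argument becomes live markup once assigned to .innerHTML.
function formatUnsafe(template, args) {
  return template.replace(/\{\{(\w+)\}\}/g, (placeholder, name) =>
    name in args ? String(args[name]) : placeholder);
}

// Hardened pattern: the translator-authored template is trusted, the runtime
// arguments are not, so each argument is escaped before substitution.
function formatSafe(template, args) {
  return template.replace(/\{\{(\w+)\}\}/g, (placeholder, name) =>
    name in args ? escapeHtml(args[name]) : placeholder);
}

// Detection helper for review or tests: does a formatted string still carry
// an HTML tag opener after substitution?
function containsMarkup(s) {
  return /<[a-zA-Z!\/]/.test(s);
}

// Constructed argument values: a host field that carries markup, and a
// numeric port, which cannot carry an injection string.
const demoArgs = { host: '<b>192.0.2.10</b>', port: 6000 };

console.log('unsafe:', formatUnsafe(PROMPT_TEMPLATE, demoArgs),
            containsMarkup(formatUnsafe(PROMPT_TEMPLATE, demoArgs))); // true
console.log('safe:  ', formatSafe(PROMPT_TEMPLATE, demoArgs),
            containsMarkup(formatSafe(PROMPT_TEMPLATE, demoArgs)));   // false
```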