Browser autopwn vulnerability

Status: RESOLVED INVALID
Product: Firefox for Android
Component: General
Severity: major
Version: 41 Branch
Hardware: All
OS: Android
Opened 3 years ago, updated 3 years ago
Reporter: Alexander97
Assignee: Unassigned
Attachments: 2

Description

3 years ago
User Agent: Mozilla/5.0 (Linux; Android 4.4.4; Y635-L21 Build/HuaweiY635-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36
Firefox for Android

Steps to reproduce:

I have installed Firefox on my Android device for a test. Then, using the browser autopwn exploit, I have created a link using my IP address with the port 8080 opened. I have opened the link on Firefox.


Actual results:

Good morning, I am a vulnerability tester. I have found a vulnerability in Firefox for Android, that's because Java is activated by default in Firefox. In fact an attacker, using the browser autopwn exploit, can create a link using his IP address and send it to the victim. When this link is opened with Firefox the attacker, due to the Java vulnerability, can take complete control of the Android device.


Expected results:

Firefox should have blocked the remote connection
(Reporter)

Updated

3 years ago
Group: firefox-core-security
Component: Untriaged → General
Product: Firefox → Firefox for Android
Version: 41 Branch → Firefox 42
(Reporter)

Updated

3 years ago
Severity: normal → major
(Reporter)

Updated

3 years ago
OS: Unspecified → Android
Hardware: Unspecified → All
(Reporter)

Updated

3 years ago
Summary: Vulnerability in firefox for android → Browser autopwn vulnerability

Comment 1

3 years ago
What are the contents of the vulnerability, ie can you provide a public testcase?
Group: firefox-core-security
Flags: needinfo?(alessandroschino)
(Reporter)

Comment 2

3 years ago
(In reply to :Gijs Kruitbosch from comment #1)
> What are the contents of the vulnerability, ie can you provide a public
> testcase?

Yes, I've done a test. The vulnerability is that by activating Java by default, with this kind of exploit (browser autopwn) an attacker can take control of the Android device. For example, in Chrome Java isn't activated by default and this problem doesn't exist in Chrome.
Flags: needinfo?(alessandroschino)

Comment 3

3 years ago
(In reply to Alexander97 from comment #2)
> (In reply to :Gijs Kruitbosch from comment #1)
> > What are the contents of the vulnerability, ie can you provide a public
> > testcase?
> 
> Yes i've done a test. The vulnerability is that by activating java by
> default with this kind of exploit ( browser autopwn) an attacker can take
> the control of the android device. For example in chrome java isn't
> activated by default and this problem doesn't exist in chrome

My copy of Firefox for Android doesn't seem to have "java activated by default". Can you provide (attach to the bug or link to) a testcase/proof of the vulnerability? Otherwise there is no way for us to verify or fix that there is an issue.
Flags: needinfo?(alessandroschino)
(Reporter)

Comment 4

3 years ago
(In reply to :Gijs Kruitbosch from comment #3)
> (In reply to Alexander97 from comment #2)
> > (In reply to :Gijs Kruitbosch from comment #1)
> > > What are the contents of the vulnerability, ie can you provide a public
> > > testcase?
> > 
> > Yes i've done a test. The vulnerability is that by activating java by
> > default with this kind of exploit ( browser autopwn) an attacker can take
> > the control of the android device. For example in chrome java isn't
> > activated by default and this problem doesn't exist in chrome
> 
> My copy of Firefox for Android doesn't seem to have "java activated by
> default". Can you provide (attach to the bug or link to) a testcase/proof of
> the vulnerability? Otherwise there is no way for us to verify or fix that
> there is an issue.

It depends on the version of Firefox. Mine is 42. How can I send you a testcase?
Flags: needinfo?(alessandroschino)

Comment 5

3 years ago
(In reply to Alexander97 from comment #4)
> (In reply to :Gijs Kruitbosch from comment #3)
> > (In reply to Alexander97 from comment #2)
> > > (In reply to :Gijs Kruitbosch from comment #1)
> > > > What are the contents of the vulnerability, ie can you provide a public
> > > > testcase?
> > > 
> > > Yes i've done a test. The vulnerability is that by activating java by
> > > default with this kind of exploit ( browser autopwn) an attacker can take
> > > the control of the android device. For example in chrome java isn't
> > > activated by default and this problem doesn't exist in chrome
> > 
> > My copy of Firefox for Android doesn't seem to have "java activated by
> > default". Can you provide (attach to the bug or link to) a testcase/proof of
> > the vulnerability? Otherwise there is no way for us to verify or fix that
> > there is an issue.
> 
> It depends on the version of firefox . Mine is 42 .

What versions does/doesn't it work on? 42 is current Firefox beta, which is what I'm testing with. Just going to https://www.java.com/en/download/installed.jsp and clicking the button claims java is not running.

> How can i send you a
> testcase?

You can either attach a testcase on this bug ( https://bugzilla.mozilla.org/attachment.cgi?bugid=1215922&action=enter ) or provide a link to a testcase that is on the web (potentially secured via htaccess, the username and password of which you can put in a comment on this bug).
Flags: needinfo?(alessandroschino)
(Reporter)

Comment 6

3 years ago
Created attachment 8675419 [details]
IMG_20151018_171707.jpg
Flags: needinfo?(alessandroschino)
(Reporter)

Comment 7

3 years ago
Created attachment 8675421 [details]
IMG_20151018_171413.jpg
(Reporter)

Comment 8

3 years ago
(In reply to :Gijs Kruitbosch from comment #5)
> (In reply to Alexander97 from comment #4)
> > (In reply to :Gijs Kruitbosch from comment #3)
> > > (In reply to Alexander97 from comment #2)
> > > > (In reply to :Gijs Kruitbosch from comment #1)
> > > > > What are the contents of the vulnerability, ie can you provide a public
> > > > > testcase?
> > > > 
> > > > Yes i've done a test. The vulnerability is that by activating java by
> > > > default with this kind of exploit ( browser autopwn) an attacker can take
> > > > the control of the android device. For example in chrome java isn't
> > > > activated by default and this problem doesn't exist in chrome
> > > 
> > > My copy of Firefox for Android doesn't seem to have "java activated by
> > > default". Can you provide (attach to the bug or link to) a testcase/proof of
> > > the vulnerability? Otherwise there is no way for us to verify or fix that
> > > there is an issue.
> > 
> > It depends on the version of firefox . Mine is 42 .
> 
> What versions does/doesn't it work on? 42 is current Firefox beta, which is
> what I'm testing with. Just going to
> https://www.java.com/en/download/installed.jsp and clicking the button
> claims java is not running.
> 
> > How can i send you a
> > testcase?
> 
> You can either attach a testcase on this bug (
> https://bugzilla.mozilla.org/attachment.cgi?bugid=1215922&action=enter ) or
> provide a link to a testcase that is on the web (potentially secured via
> htaccess, the username and password of which you can put in a comment on
> this bug).

I'm sorry, my version is 41, not 42, my fault. I have sent attachments as a testcase.
(Reporter)

Updated

3 years ago
Version: Firefox 42 → Firefox 41

Comment 9

3 years ago
... those are pictures of you running metasploit, but they don't actually show a working exploit.


In any case, what I meant by "testcase" is an archive with the java/html/whatever required to show the security problem.

If you are unable to provide that, which of the exploits suggested by metasploit do you claim works, and did it come with metasploit or are you using the framework to create your own exploit (in which case, can you add that code as an attachment)?
Flags: needinfo?(alessandroschino)
(Reporter)

Comment 10

3 years ago
(In reply to :Gijs Kruitbosch from comment #9)
> ... those are pictures of you running metasploit, but they don't actually
> show a working exploit.
> 
> 
> In any case, what I meant by "testcase" is an archive with the
> java/html/whatever required to show the security problem.
> 
> If you are unable to provide that, which of the exploits suggested by
> metasploit do you claim works, and did it come with metasploit or are you
> using the framework to create your own exploit (in which case, can you add
> that code as an attachment) ?

No, I've said that the working exploit is browser autopwn, and this exploit already exists; in fact it exists in Metasploit.
Flags: needinfo?(alessandroschino)

Comment 11

3 years ago
autopwn is a tool that works with metasploit, and not a specific indication of a vulnerability. See https://community.rapid7.com/community/metasploit/blog/2015/07/15/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-1 .

At this point you still haven't given any concrete indication of what vulnerability you're using, nor have you provided a testcase, nor have you shown in those pictures that you have "complete control of the android device", and so it's hard to take this bug report seriously. I'm going to mark it invalid, and it will likely be marked as not-security-sensitive in the near future unless evidence is provided that there is a concrete problem to address in Firefox for Android.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
Group: firefox-core-security