Bug 1273129 (CVE-2016-2822)

Firefox Navigation from a page with an active <select> dropdown menu can be used for URL/SSL spoofing and ClickJacking

VERIFIED FIXED in Firefox 47

Status

()

Core
General
VERIFIED FIXED
a year ago
2 months ago

People

(Reporter: Jordi Chancel, Assigned: mats)

Tracking

({csectype-spoof, regression, sec-moderate})

41 Branch
mozilla49
csectype-spoof, regression, sec-moderate
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +
in-testsuite ?
qe-verify +

Firefox Tracking Flags

(firefox47 verified, firefox48 verified, firefox49 verified, firefox-esr4547+ verified)

Details

(Whiteboard: [adv-main47+][adv-esr45.2+])

Attachments

(4 attachments, 2 obsolete attachments)

(Reporter)

Description

a year ago
Created attachment 8752819 [details]
TESTCASE V1 and TESTCASE V2.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042

Steps to reproduce:

This new vulnerability is very similar to a vulnérability previously reported by me: MFSA-2013-94 ( https://bugzilla.mozilla.org/show_bug.cgi?id=868327 ).

I discovered again a malicious method to put arbitrary HTML content within <select> elements and place it in arbitrary locations. 

This can be used to spoof the displayed addressbar (Location Bar URL & SSL Spooofing), leading also to multiple clickjacking attacks (eg: WebCam ClickJacking using the WebRTC dialog) and other spoofing attacks.

I have two Proof of Concept, the first use a <select> dropdown menu no persistent, and the 2nd Proof of Concept use a <select> dropdown menu persistent.

(Two demonstration videos will be uploaded to show you the severity and the impact of these PoCs and of this vulnerability).



Actual results:

This can be used to spoof the displayed addressbar (or others spoofing attacks) and leading also to multiple clickjacking attacks.



Expected results:

In a normal case, a <select> element shouldn't cover the location bar and this <select> menu shouldn't persist during browsing.
(Reporter)

Comment 1

a year ago
Created attachment 8752879 [details]
TestCase V1 and TestCase V2 (UPDATED).zip

The previous testcases uploaded had an error. This is an update of these testcases.

(Tested only on Mac OS X YOSEMITE and Mac OS X El Capitan).
Attachment #8752819 - Attachment is obsolete: true
Summary: Firefox Navigation from a page with an active <select> dropdown menu can be used for URL/SSL spoofing and ClickJacking Attacks (the <select> dropdown menu can be persistent) → Firefox Navigation from a page with an active <select> dropdown menu can be used for URL/SSL spoofing
(Reporter)

Updated

a year ago
Summary: Firefox Navigation from a page with an active <select> dropdown menu can be used for URL/SSL spoofing → Firefox Navigation from a page with an active <select> dropdown menu can be used for URL/SSL spoofing and ClickJacking
(Reporter)

Comment 2

a year ago
Created attachment 8753186 [details]
Video Example PoC v1.html
(Reporter)

Comment 3

a year ago
Created attachment 8753187 [details]
Video Example PoC v2.html
(Reporter)

Comment 4

a year ago
Created attachment 8753230 [details]
TestCase v1 and TestCase v2 (2nd UPDATE).zip

I updated again the testcases by adding some CSS atributes : 
"overflow-x:hidden;" and "overflow-y:hidden;" for a more convincing result.
Attachment #8752879 - Attachment is obsolete: true
Flags: sec-bounty?
Mats, you worked on bug 868327, can you take a look at this?
Flags: needinfo?(mats)
(Assignee)

Comment 6

a year ago
Hi Jordi, can you please test this build and see if it fixes the problem?  Thanks!
http://archive.mozilla.org/pub/firefox/try-builds/mpalmgren@mozilla.com-7ebe5ea6222943ee7df0857c56b177208c44b06d/try-macosx64/
Flags: needinfo?(mats) → needinfo?(jordi.chancel)
(Reporter)

Comment 7

a year ago
These testcases works on Firefox 46.0.X but don't work on Nightly 47.0b7.

I will try to code a valid testcase for Nightly.
Flags: needinfo?(jordi.chancel)
(Assignee)

Comment 8

a year ago
Sorry, I didn't realize the test was specific to the v46 branch.
I've scheduled a new build for v46 (estimated time to complete: 61 minutes):
https://archive.mozilla.org/pub/firefox/try-builds/mpalmgren@mozilla.com-840d48bf1cf6f898c8f4147107dcf0dd6c7a9512/
Please test that instead when it's ready.
Flags: needinfo?(jordi.chancel)
(Reporter)

Comment 9

a year ago
This vulnerability is perfectly fixed on 46.0.2.

All actual testcases works perfectly on Firefox 46.0.1 (actual release) but don't work on Firefox 46.0.2 (next release). 

(RESOLVED/FIXED on 46.0.2).
Flags: needinfo?(jordi.chancel)
(Assignee)

Comment 10

a year ago
OK, great.  Thanks for testing.
(Assignee)

Comment 11

a year ago
Created attachment 8753874 [details] [diff] [review]
fix

This is a regression in v41 from this change in bug 1113206:
https://hg.mozilla.org/mozilla-central/diff/c838abaf38a4/layout/forms/nsComboboxControlFrame.cpp#l1.171

Both .YMost and .y got translated to .BEnd, oops...
Assignee: nobody → mats
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8753874 - Flags: review?(jfkthame)
(Assignee)

Updated

a year ago
Blocks: 1113206
Keywords: regression
(Assignee)

Comment 12

a year ago
The code that regressed is the same as in bug 868327, so using the same classification here.
Keywords: csectype-spoof, sec-moderate
OS: Unspecified → All
Hardware: Unspecified → All
Comment on attachment 8753874 [details] [diff] [review]
fix

Review of attachment 8753874 [details] [diff] [review]:
-----------------------------------------------------------------

Oops indeed! :(
Attachment #8753874 - Flags: review?(jfkthame) → review+
(Assignee)

Comment 14

a year ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/47ced506c7a32e8ca807978071a536f64c8332c8
https://hg.mozilla.org/mozilla-central/rev/47ced506c7a3
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox49: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
(Assignee)

Comment 16

a year ago
Comment on attachment 8753874 [details] [diff] [review]
fix

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: sec-moderate, but seems unlikely to be exploited
Fix Landed on Version: 49
Risk to taking this patch (and alternatives if risky): zero risk, it's just fixing a trivial typo that returns us to previous tested behaviour
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Approval Request Comment
[Feature/regressing bug #]: bug 1113206 
[User impact if declined]: sec-moderate, but seems unlikely to be exploited
[Describe test coverage new/current, TreeHerder]: no test coverage
[Risks and why]: zero risk, it's just fixing a trivial typo that returns us to previous tested behaviour
[String/UUID change made/needed]: none

Although it's just sec-moderate, I think it's worth uplifting since it's
a zero risk typo fix.
Attachment #8753874 - Flags: approval-mozilla-esr45?
Attachment #8753874 - Flags: approval-mozilla-beta?
Attachment #8753874 - Flags: approval-mozilla-b2g48?
Attachment #8753874 - Flags: approval-mozilla-aurora?
Comment on attachment 8753874 [details] [diff] [review]
fix

Fixes a typo and a sec-mod issue, Aurora48+, Beta47+, ESR45+
Attachment #8753874 - Flags: approval-mozilla-esr45?
Attachment #8753874 - Flags: approval-mozilla-esr45+
Attachment #8753874 - Flags: approval-mozilla-beta?
Attachment #8753874 - Flags: approval-mozilla-beta+
Attachment #8753874 - Flags: approval-mozilla-aurora?
Attachment #8753874 - Flags: approval-mozilla-aurora+

Updated

a year ago
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox-esr45: --- → affected
tracking-firefox-esr45: --- → 47+
https://hg.mozilla.org/releases/mozilla-aurora/rev/782b4767770b
https://hg.mozilla.org/releases/mozilla-beta/rev/bcc547cc6eec
https://hg.mozilla.org/releases/mozilla-esr45/rev/064d2636b91b
status-firefox47: affected → fixed
status-firefox48: affected → fixed
status-firefox-esr45: affected → fixed
Group: core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Comment hidden (off-topic)
Comment hidden (off-topic)
Flags: qe-verify+
Whiteboard: [adv-main47+][adv-esr45.2+]
I get different results in 49.0a1 (2016-05-30) compared to 47b9. So, I'm not sure if this is not fixed in beta, or the testcases just don't work on nightly.
http://i.imgur.com/69vXNUC.png
Flags: needinfo?(mats)
For testing, note that dropdowns behave quite differently on e10s vs non-e10s. I think the testcases for this issue may have been specific to non-e10s(?).
Thanks, Jonathan.
I got the same behavior on Nightly with e10s OFF.
Anyway, I still reproduced the persistent menu behavior using the second testcase, when opening a new browser window. Is that expected?
Flags: needinfo?(mats)
Flags: needinfo?(mats)
(Assignee)

Updated

a year ago
Depends on: 1276976
(Assignee)

Comment 24

a year ago
The persistent menu problem sounds like a separate bug, can you file a new bug about it?
I think it can be public - I don't see a security issue with it.

Let's keep this bug about URL bar spoofing on non-e10s only.
I retested Nightly with e10s and it seems we have the same URL bar spoofing issue
there.  (Perhaps we've never had any protection on e10s?)

For tracking purposes I filed a separate bug 1276976 to fix this on e10s.
Flags: needinfo?(mats)
(Assignee)

Comment 25

a year ago
> I think it can be public - I don't see a security issue with it.

Although we need to keep any testcases that reveal *this* bug non-public of course.
So we probably need a new testcase for that bug where we make sure the dropdown menu
opens *downwards*.  Then I think it's OK to make it public.
Alias: CVE-2016-2822
(In reply to Mats Palmgren (:mats) from comment #25)
> > I think it can be public - I don't see a security issue with it.
> 
> Although we need to keep any testcases that reveal *this* bug non-public of
> course.
> So we probably need a new testcase for that bug where we make sure the
> dropdown menu
> opens *downwards*.  Then I think it's OK to make it public.
done - bug 1277271
(Reporter)

Comment 27

a year ago
The persistent menu problem is used in others reported vulnerabilities which affects Firefox ( like Bug952951 or Bug941482 [...] ) and had already been used in previous fixed vulnerability like MFSA-2012-75 ( https://www.mozilla.org/en-US/security/advisories/mfsa2012-75/ ) , please don't allow Bug1277271 to be public.
Flags: needinfo?(paul.silaghi)
Flags: needinfo?(mats)
(Assignee)

Comment 28

a year ago
I've hidden it for now.
Flags: needinfo?(paul.silaghi)
Flags: needinfo?(mats)
I'm marking this bug as verified fixed on FX 47, 48.0a2 (2016-06-01), 49.0a1 (2016-06-01), 45.1.1esrpre (2016-05-29) considering the follow-up bug 1276976 and bug 1277271.
Status: RESOLVED → VERIFIED
status-firefox47: fixed → verified
status-firefox48: fixed → verified
status-firefox49: fixed → verified
status-firefox-esr45: fixed → verified

Updated

11 months ago
See Also: → bug 1281075
Group: core-security-release
(Assignee)

Comment 30

8 months ago
Comment on attachment 8753874 [details] [diff] [review]
fix

(I guess this request isn't relevant anymore)
Attachment #8753874 - Flags: approval-mozilla-b2g48?
Version: 46 Branch → 41 Branch
You need to log in before you can comment on or make changes to this bug.