Bug 1306696 (CVE-2016-9065)

Location bar spoofing Entering Fullscreen and lock exit fullscreen mode

VERIFIED FIXED in Firefox 50

Status

()

defect
VERIFIED FIXED
3 years ago
4 months ago

People

(Reporter: Laraweron, Assigned: xidorn)

Tracking

(Depends on 1 bug, {csectype-spoof, regression, sec-high})

49 Branch
mozilla52
All
Android
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +
in-testsuite +

Firefox Tracking Flags

(firefox49 wontfix, firefox-esr45 wontfix, fennec50+, firefox50+ fixed, firefox51+ fixed, firefox52+ fixed, firefox64 verified, firefox65 verified, firefox66 verified)

Details

(Whiteboard: [post-critsmash-triage][adv-main50+] Important for Fennec, )

Attachments

(8 attachments, 1 obsolete attachment)

Posted image 4.png
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce:

User Agent: Mozilla 49
OS/ Android 4.4 kitkat

Steps to reproduce:

When you enable full screen mode, the user has the browser address bar disappears when the user goes to another site the option to return to the normal display mode does not work to exit full-screen mode, the user is forced to restart the browser.


Actual results:

Steps
1.Go to the testcase uploaded http://unix.testvt.testforhost.com/poc1.html
2. Touch the web page "click here" ( the fullscreen mode is activated )
3 Try to go out of the fullscreen mode by pressing the back button on your Android device
4 Try to go up in the web page for try to view the location bar

Actual results:

Each time that you touch the web page , the fullscreen mode is activated and leads to an URL and SSL spoofing vulnerability with a fake location bar.
An attacker could also depict you the address bar  the browser.




Expected results:

Expected results:

The fullscreen mode should be activated with the possibility to forbid this action on the webpage concerned.

----------
Sorry but I have a bad English
Posted file poc1.html
tracking-fennec: --- → ?
This seems familiar, we may already have a bug on this. Maybe one of Jordi's bugs? The behavior changed in bug 1180295 though the old behavior was not much better. Seems similar to bug 928023. 

I am not sure that this is a security bug, at best it is a DOS. It leaves the browser in an unusable broken state. Workaround is to swipe close Firefox and let Firefox session restore recover the browser state.
Yes I agree with you that this problem was ranih versions of Firefox, but as you can see, there is now an error. I believe that this is the vulnerability of small, but with a different use of possible spoofing address bar or as you said Dos in the form of advertising (Popunder & clickunder)
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #4)
> Possible dupe of bug 1173831?

Yes you are right
[Tracking Requested - why for this release]:
bug 1173831 leaves the browser in a usable state. This cannot be a dupe of 1173831.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Android
Hardware: Unspecified → All
Flags: needinfo?(xidorn+moz)
I can get into this state by browsing around Vimeo.
This bug is somehow reproducible on desktop as well. It messes up the DOM Fullscreen and Fullscreen mode on Firefox desktop.

I'd say this is a bug in Core rather than Firefox.
Group: firefox-core-security → core-security
Component: General → DOM
Product: Firefox for Android → Core
And this bug affects non-e10s only (so Android included).
Assignee: nobody → xidorn+moz
Flags: needinfo?(xidorn+moz)
Part 1 and part 2 are separate bugs I found when I was debugging. Part 3 is the fix of this bug. The test in part 3 depends on the behavior fix in part 2.
Comment on attachment 8797897 [details] [diff] [review]
part 1 - Not show fullscreen warning when already exit fullscreen. r?dao

>       case "DOMFullscreen:NewOrigin": {
>-        PointerlockFsWarning.showFullScreen(aMessage.data.originNoSuffix);
>+        // Don't show the warning if we've already exit fullscreen.

grammar nit: "exited"
Attachment #8797897 - Flags: review?(dao+bmo) → review+
Attachment #8797899 - Flags: review?(bugs) → review+
Attachment #8797900 - Flags: review?(bugs) → review+
This bug can lead to spoofing of full URL bar for Firefox Android, and it requires no more than normal browsing actions (clicking anything would be enough). Based on the rating rules, I suppose it should be sec-high. But note that it isn't a security issue for desktop Firefox.
Keywords: sec-high
Comment on attachment 8797900 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r?smaug

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
An exploit is easy to contruct given the test includes an example. If the test is not included, this probably isn't very easy to construct the exploit from this patch.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
May or may not. This is a security issue for Firefox Android, not for desktop Firefox, while the comment doesn't mention Firefox Android at all, so people may not relate this with the exploit on Android.

Which older supported branches are affected by this flaw?
All current support branches. The related code landed in Firefox 41 in bug 1161802. But given it is an Android-only exploit, I guess we don't need to care about ESR at least.

If not all supported branches, which bug introduced the flaw?
All supported branches.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This single patch should be very easy to uplift to all affected branches, and I don't think it is risky. It uses the behavior we've been using in e10s mode. And it only affects edge cases where users shouldn't reach normally.

How likely is this patch to cause regressions; how much testing does it need?
Unlikely. Fullscreen API should be good in terms of test coverage, and this patch also adds a test for this bug.
Attachment #8797900 - Flags: sec-approval?
Good job Xidorn 3 of the patch for a short time.To spoof the address bar, you can use a GIF or a flash animation that will create a more realistic effect. I guess to use the flash address bar ,as if the site will have to scroll the flash animation of the address bar will simulate the effect of sliding
Xidorn, if possible, can you uplift this to 50?
tracking-fennec: ? → 50+
Flags: needinfo?(xidorn+moz)
Yes. I think the patches are safe to uplift.
Flags: needinfo?(xidorn+moz)
Comment on attachment 8797900 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r?smaug

sec-approval+ for trunk without test. The test shouldn't go in until after we ship the fix publicly. 

We should backport this to 51 and 50 if we get nominated patches for those branches.
Attachment #8797900 - Flags: sec-approval? → sec-approval+
Attachment #8798241 - Flags: review+
Comment on attachment 8798241 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r=smaug

Approval Request Comment
[Feature/regressing bug #]: bug 1161802
[User impact if declined]: URL Spoofing for Android users.
[Describe test coverage new/current, TreeHerder]: test is not landed because it provides an example for construct exploit
[Risks and why]: low risk, since the code path it touches shouldn't be reached in normal cases
[String/UUID change made/needed]: n/a

Only part 3 is necessary for fixing this exploit, but I think part 1 and 2 are low risk as well, so they may be uplifted at the same time.
Attachment #8798241 - Flags: approval-mozilla-beta?
Attachment #8798241 - Flags: approval-mozilla-aurora?
Proof of address bar spoofing. Crude example, wrote the code on the phone.
Posted file poc3.html
(In reply to Dão Gottwald [:dao] from comment #15)
> Comment on attachment 8797897 [details] [diff] [review]
> part 1 - Not show fullscreen warning when already exit fullscreen. r?dao
> 
> >       case "DOMFullscreen:NewOrigin": {
> >-        PointerlockFsWarning.showFullScreen(aMessage.data.originNoSuffix);
> >+        // Don't show the warning if we've already exit fullscreen.
> 
> grammar nit: "exited"

Oops... I just found I forgot to fix this...
Comment on attachment 8798241 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r=smaug

Sec-high, Aurora51+, Beta50+. Xidorn, do you need to update this Beta/Aurora patch as well to address the review comment?
Flags: needinfo?(xidorn+moz)
Attachment #8798241 - Flags: approval-mozilla-beta?
Attachment #8798241 - Flags: approval-mozilla-beta+
Attachment #8798241 - Flags: approval-mozilla-aurora?
Attachment #8798241 - Flags: approval-mozilla-aurora+
Thanks.
Xidorn: in comment 9 you said desktop was affected, but later you said it wasn't. ESR-45 is non-e10s if desktop is vulnerable in any way.
Blocks: 1161802
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(xidorn+moz)
Flags: in-testsuite?
On desktop, users always have way to exit from fullscreen state, and moving cursor to the top would show the toolbar like in fullscreen mode.

It might be moderately vulnerable given that the fullscreen notice (the "some site is in full screen" message) is not shown. However, it seems to me this bug is only reliable when there is active fullscreen transition, that means on desktop, users would either see a fullscreen transition, or it would not go fullscreen at all, so I guess it isn't that vulnerable.

It is more serious on mobile because user has no way to exit fullscreen, and there is neither any notice nor any transition animation.
Flags: needinfo?(xidorn+moz)
Group: core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50+]
Alias: CVE-2016-9065
Whiteboard: [post-critsmash-triage][adv-main50+] → [post-critsmash-triage][adv-main50+] Important for Fennec
Group: core-security-release
Backed out for bc failures in dom/html/test/browser_fullscreen-newtab.js:

https://hg.mozilla.org/integration/mozilla-inbound/rev/0be0607b050e9eeaff114166618b0e486dcaa79b

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=e51946bbcce31799dfd5032193f4c186bfc19664&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=success

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=162606986&repo=mozilla-inbound&lineNumber=3630 

02:13:12     INFO - TEST-OK | dom/html/test/browser_fullscreen-contextmenu-esc.js | took 1604ms
02:13:12     INFO - checking window state
02:13:12     INFO - TEST-START | dom/html/test/browser_fullscreen-newtab.js
02:13:28     INFO - GECKO(2061) | 2018-02-16 02:13:28.206 firefox[2061:16262] Persistent UI failed to open file file:///Users/cltbld/Library/Saved%20Application%20State/org.mozilla.nightly.savedState/window_1.data: No such file or directory (2)
02:13:57     INFO - TEST-INFO | started process screencapture
02:13:57     INFO - TEST-INFO | screencapture: exit 0
02:13:57     INFO - Buffered messages logged at 02:13:12
02:13:57     INFO - Entering test bound 
02:13:57     INFO - Buffered messages logged at 02:13:13
02:13:57     INFO - Console message: [JavaScript Error: "TelemetryStopwatch: key "FULLSCREEN_CHANGE_MS" was already initialized" {file: "resource://gre/modules/TelemetryStopwatch.jsm" line: 352}]
02:13:57     INFO - start@resource://gre/modules/TelemetryStopwatch.jsm:352:9
02:13:57     INFO - start@resource://gre/modules/TelemetryStopwatch.jsm:133:12
02:13:57     INFO - handleEvent@chrome://browser/content/browser-fullScreenAndPointerLock.js:390:9
02:13:57     INFO - exitDomFullScreen@chrome://browser/content/browser-fullScreenAndPointerLock.js:356:5
02:13:57     INFO - addTab@chrome://browser/content/tabbrowser.xml:2865:13
02:13:57     INFO - loadOneTab@chrome://browser/content/tabbrowser.xml:1790:23
02:13:57     INFO - _openURIInNewTab@chrome://browser/content/browser.js:5145:15
02:13:57     INFO - browser_getContentWindowOrOpenURIInFrame@chrome://browser/content/browser.js:5301:12
02:13:57     INFO - browser_createContentWindowInFrame@chrome://browser/content/browser.js:5275:12
02:13:57     INFO - 
02:13:57     INFO - Console message: [JavaScript Error: "TelemetryStopwatch: requesting elapsed time for nonexisting stopwatch. Histogram: "FULLSCREEN_CHANGE_MS", key: "null"" {file: "resource://gre/modules/TelemetryStopwatch.jsm" line: 373}]
02:13:57     INFO - timeElapsed@resource://gre/modules/TelemetryStopwatch.jsm:373:9
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:394:17
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:219:12
02:13:57     INFO - receiveMessage@chrome://browser/content/browser-fullScreenAndPointerLock.js:416:9
02:13:57     INFO - 
02:13:57     INFO - Console message: [JavaScript Error: "TelemetryStopwatch: requesting elapsed time for nonexisting stopwatch. Histogram: "FULLSCREEN_CHANGE_MS", key: "null"" {file: "resource://gre/modules/TelemetryStopwatch.jsm" line: 373}]
02:13:57     INFO - timeElapsed@resource://gre/modules/TelemetryStopwatch.jsm:373:9
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:394:17
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:219:12
02:13:57     INFO - receiveMessage@chrome://browser/content/browser-fullScreenAndPointerLock.js:416:9
02:13:57     INFO - 
02:13:57     INFO - Buffered messages finished
02:13:57     INFO - TEST-UNEXPECTED-FAIL | dom/html/test/browser_fullscreen-newtab.js | Test timed out - 
02:13:57     INFO - GECKO(2061) | MEMORY STAT | vsize 4497MB | residentFast 459MB | heapAllocated 81MB
02:13:57     INFO - TEST-OK | dom/html/test/browser_fullscreen-newtab.js | took 45014ms
02:13:57     INFO - Not taking screenshot here: see the one that was previously logged
02:13:57     INFO - TEST-UNEXPECTED-FAIL | dom/html/test/browser_fullscreen-newtab.js | Found a tab after previous test timed out: about:blank - 
02:13:57     INFO - Not taking screenshot here: see the one that was previously logged
02:13:57     INFO - TEST-UNEXPECTED-FAIL | dom/html/test/browser_fullscreen-newtab.js | Found a tab after previous test timed out: http://example.org/browser/dom/html/test/file_fullscreen-newtab.html - 
02:13:57     INFO - checking window state
Looks like it fails on macOS: https://treeherder.mozilla.org/#/jobs?repo=try&revision=cfcf47579a6783b2537cf4b7c49c277c47fbb727

I'm going to land the test with it disabled on macOS, and open a new bug to track why it fails there.
Flags: needinfo?(xidorn+moz)
Depends on: 1494843
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/43ace919d4d6
part 4 - Add test for this bug. r=smaug
Flags: in-testsuite? → in-testsuite+

Hi, I can reproduce the issue following the steps from the description on the affected version (Firefox 49 Release version).
Devices:

  • Prestigio Grace X5 (Android 4.4.2)
  • Motorola Nexus 6 (Android 7.1.1)

Also, verified as fixed on the latest versions:

  • Nightly 66.0a1 (2018-01-11)
  • Beta 65.0b9
  • Release 64.0.2

Due to that, I'll remove the qe-verify flag, thanks.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.