Closed Bug 1306696 (CVE-2016-9065) Opened 8 years ago Closed 8 years ago

Location bar spoofing Entering Fullscreen and lock exit fullscreen mode

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
49 Branch
Platform:
All
Android
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox49 --- wontfix
firefox-esr45 --- wontfix
fennec 50+ ---
firefox50 + fixed
firefox51 + fixed
firefox52 + fixed
firefox64 --- verified
firefox65 --- verified
firefox66 --- verified

People

(Reporter: Laraweron, Assigned: xidorn)

References

(Depends on 1 open bug,
URL
)

Details

(Keywords: csectype-spoof, regression, sec-high, Whiteboard: [post-critsmash-triage][adv-main50+] Important for Fennec)

Attachments

(8 files, 1 obsolete file)

4.png
48.39 KB, image/png
Details
poc1.html
701 bytes, text/html
Details
part 1 - Not show fullscreen warning when already exit fullscreen. r?dao
1.41 KB, patch
dao
: review+
Details | Diff | Splinter Review
part 2 - Ensure content document handles fullscreen request even if it becomes inactive. r?smaug
2.86 KB, patch
smaug
: review+
Details | Diff | Splinter Review
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r=smaug
1.44 KB, patch
xidorn
: review+
ritu
: approval-mozilla-aurora+
ritu
: approval-mozilla-beta+
Details | Diff | Splinter Review
(DON'T CHECKIN UNTIL BUG GETS PUBLIC) part 4 - Add test for this bug. r=smaug
3.87 KB, patch
xidorn
: review+
Details | Diff | Splinter Review
Screenshot_2016-10-06-17-.png
43.04 KB, image/png
Details
poc3.html
1.00 KB, text/html
Details
Attached image 4.png 
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce:

User Agent: Mozilla 49
OS/ Android 4.4 kitkat

Steps to reproduce:

When you enable full screen mode, the user has the browser address bar disappears when the user goes to another site the option to return to the normal display mode does not work to exit full-screen mode, the user is forced to restart the browser.


Actual results:

Steps
1.Go to the testcase uploaded http://unix.testvt.testforhost.com/poc1.html
2. Touch the web page "click here" ( the fullscreen mode is activated )
3 Try to go out of the fullscreen mode by pressing the back button on your Android device
4 Try to go up in the web page for try to view the location bar

Actual results:

Each time that you touch the web page , the fullscreen mode is activated and leads to an URL and SSL spoofing vulnerability with a fake location bar.
An attacker could also depict you the address bar  the browser.




Expected results:

Expected results:

The fullscreen mode should be activated with the possibility to forbid this action on the webpage concerned.

----------
Sorry but I have a bad English
URL: unix.testvt.testforhost.com/poc1.html
Flags: sec-bounty?
Attached file poc1.html 
tracking-fennec: --- → ?

    
    

    
  
This seems familiar, we may already have a bug on this. Maybe one of Jordi's bugs? The behavior changed in bug 1180295 though the old behavior was not much better. Seems similar to bug 928023. 

I am not sure that this is a security bug, at best it is a DOS. It leaves the browser in an unusable broken state. Workaround is to swipe close Firefox and let Firefox session restore recover the browser state.

    
    

    
  
Yes I agree with you that this problem was ranih versions of Firefox, but as you can see, there is now an error. I believe that this is the vulnerability of small, but with a different use of possible spoofing address bar or as you said Dos in the form of advertising (Popunder & clickunder)

    
    

    
  
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #4)
> Possible dupe of bug 1173831?

Yes you are right

    
    

    
  
[Tracking Requested - why for this release]:

          tracking-firefox49:
          --- → ?

    
    

    
  
bug 1173831 leaves the browser in a usable state. This cannot be a dupe of 1173831.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Android
Hardware: Unspecified → All

    
  
Flags: needinfo?(xidorn+moz)

    
    

    
  
I can get into this state by browsing around Vimeo.

    
    

    
  
This bug is somehow reproducible on desktop as well. It messes up the DOM Fullscreen and Fullscreen mode on Firefox desktop.

I'd say this is a bug in Core rather than Firefox.
Group: firefox-core-security → core-security
Component: General → DOM
Product: Firefox for Android → Core

    
    

    
  
And this bug affects non-e10s only (so Android included).

    
  
Assignee: nobody → xidorn+moz
Flags: needinfo?(xidorn+moz)

    
    

    
  
Part 1 and part 2 are separate bugs I found when I was debugging. Part 3 is the fix of this bug. The test in part 3 depends on the behavior fix in part 2.

    
    

    
  
Comment on attachment 8797897 [details] [diff] [review]
part 1 - Not show fullscreen warning when already exit fullscreen. r?dao

>       case "DOMFullscreen:NewOrigin": {
>-        PointerlockFsWarning.showFullScreen(aMessage.data.originNoSuffix);
>+        // Don't show the warning if we've already exit fullscreen.

grammar nit: "exited"

        Attachment #8797897 -
        Flags: review?(dao+bmo) → review+

        Attachment #8797899 -
        Flags: review?(bugs) → review+

        Attachment #8797900 -
        Flags: review?(bugs) → review+

    
    

    
  
This bug can lead to spoofing of full URL bar for Firefox Android, and it requires no more than normal browsing actions (clicking anything would be enough). Based on the rating rules, I suppose it should be sec-high. But note that it isn't a security issue for desktop Firefox.
Keywords: sec-high

    
    

    
  
Comment on attachment 8797900 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r?smaug

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
An exploit is easy to contruct given the test includes an example. If the test is not included, this probably isn't very easy to construct the exploit from this patch.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
May or may not. This is a security issue for Firefox Android, not for desktop Firefox, while the comment doesn't mention Firefox Android at all, so people may not relate this with the exploit on Android.

Which older supported branches are affected by this flaw?
All current support branches. The related code landed in Firefox 41 in bug 1161802. But given it is an Android-only exploit, I guess we don't need to care about ESR at least.

If not all supported branches, which bug introduced the flaw?
All supported branches.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This single patch should be very easy to uplift to all affected branches, and I don't think it is risky. It uses the behavior we've been using in e10s mode. And it only affects edge cases where users shouldn't reach normally.

How likely is this patch to cause regressions; how much testing does it need?
Unlikely. Fullscreen API should be good in terms of test coverage, and this patch also adds a test for this bug.

        Attachment #8797900 -
        Flags: sec-approval?

    
    

    
  
Good job Xidorn 3 of the patch for a short time.To spoof the address bar, you can use a GIF or a flash animation that will create a more realistic effect. I guess to use the flash address bar ,as if the site will have to scroll the flash animation of the address bar will simulate the effect of sliding

    
    

    
  
Xidorn, if possible, can you uplift this to 50?
tracking-fennec: ? → 50+
Flags: needinfo?(xidorn+moz)

    
    

    
  
Yes. I think the patches are safe to uplift.
Flags: needinfo?(xidorn+moz)

    
    

    
  
Comment on attachment 8797900 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r?smaug

sec-approval+ for trunk without test. The test shouldn't go in until after we ship the fix publicly. 

We should backport this to 51 and 50 if we get nominated patches for those branches.

        Attachment #8797900 -
        Flags: sec-approval? → sec-approval+

    
    

    
  


  
The patch with test removed.

        Attachment #8797900 -
        Attachment is obsolete: true

    
  

        Attachment #8798241 -
        Flags: review+

    
    

    
  
Comment on attachment 8798241 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r=smaug

Approval Request Comment
[Feature/regressing bug #]: bug 1161802
[User impact if declined]: URL Spoofing for Android users.
[Describe test coverage new/current, TreeHerder]: test is not landed because it provides an example for construct exploit
[Risks and why]: low risk, since the code path it touches shouldn't be reached in normal cases
[String/UUID change made/needed]: n/a

Only part 3 is necessary for fixing this exploit, but I think part 1 and 2 are low risk as well, so they may be uplifted at the same time.

        Attachment #8798241 -
        Flags: approval-mozilla-beta?

        Attachment #8798241 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Proof of address bar spoofing. Crude example, wrote the code on the phone.

    
    

    
  


  

    
    

    
  

      
      
      
      

        Attached file
          
        poc3.html
      

    


  

    
    

    
  
(In reply to Dão Gottwald [:dao] from comment #15)
> Comment on attachment 8797897 [details] [diff] [review]
> part 1 - Not show fullscreen warning when already exit fullscreen. r?dao
> 
> >       case "DOMFullscreen:NewOrigin": {
> >-        PointerlockFsWarning.showFullScreen(aMessage.data.originNoSuffix);
> >+        // Don't show the warning if we've already exit fullscreen.
> 
> grammar nit: "exited"

Oops... I just found I forgot to fix this...

    
    

    
  
Comment on attachment 8798241 [details] [diff] [review]
part 3 - Exit fullscreen in non-e10s when no fullscreen request is proceeded. r=smaug

Sec-high, Aurora51+, Beta50+. Xidorn, do you need to update this Beta/Aurora patch as well to address the review comment?
Flags: needinfo?(xidorn+moz)

        Attachment #8798241 -
        Flags: approval-mozilla-beta?

        Attachment #8798241 -
        Flags: approval-mozilla-beta+

        Attachment #8798241 -
        Flags: approval-mozilla-aurora?

        Attachment #8798241 -
        Flags: approval-mozilla-aurora+

    
    

    
  
Thanks.

    
    

    
  
Xidorn: in comment 9 you said desktop was affected, but later you said it wasn't. ESR-45 is non-e10s if desktop is vulnerable in any way.
Blocks: 1161802

          status-firefox-esr45:
          unaffected?
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(xidorn+moz)
Flags: in-testsuite?
Keywords: csectype-spoof, 
          
            regression

    
    

    
  
On desktop, users always have way to exit from fullscreen state, and moving cursor to the top would show the toolbar like in fullscreen mode.

It might be moderately vulnerable given that the fullscreen notice (the "some site is in full screen" message) is not shown. However, it seems to me this bug is only reliable when there is active fullscreen transition, that means on desktop, users would either see a fullscreen transition, or it would not go fullscreen at all, so I guess it isn't that vulnerable.

It is more serious on mobile because user has no way to exit fullscreen, and there is neither any notice nor any transition animation.
Flags: needinfo?(xidorn+moz)
Group: core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50+]
Alias: CVE-2016-9065

          status-firefox-esr45:
          ?wontfix
Whiteboard: [post-critsmash-triage][adv-main50+] → [post-critsmash-triage][adv-main50+] Important for Fennec
Group: core-security-release

    
    

    
  
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ab54d7ef9a67
part 4 - Add test for this bug. r=smaug

    
    

    
  
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e51946bbcce3
part 4 - Add test for this bug. r=smaug

    
    

    
  
Backed out for bc failures in dom/html/test/browser_fullscreen-newtab.js:

https://hg.mozilla.org/integration/mozilla-inbound/rev/0be0607b050e9eeaff114166618b0e486dcaa79b

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=e51946bbcce31799dfd5032193f4c186bfc19664&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=success

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=162606986&repo=mozilla-inbound&lineNumber=3630 

02:13:12     INFO - TEST-OK | dom/html/test/browser_fullscreen-contextmenu-esc.js | took 1604ms
02:13:12     INFO - checking window state
02:13:12     INFO - TEST-START | dom/html/test/browser_fullscreen-newtab.js
02:13:28     INFO - GECKO(2061) | 2018-02-16 02:13:28.206 firefox[2061:16262] Persistent UI failed to open file file:///Users/cltbld/Library/Saved%20Application%20State/org.mozilla.nightly.savedState/window_1.data: No such file or directory (2)
02:13:57     INFO - TEST-INFO | started process screencapture
02:13:57     INFO - TEST-INFO | screencapture: exit 0
02:13:57     INFO - Buffered messages logged at 02:13:12
02:13:57     INFO - Entering test bound 
02:13:57     INFO - Buffered messages logged at 02:13:13
02:13:57     INFO - Console message: [JavaScript Error: "TelemetryStopwatch: key "FULLSCREEN_CHANGE_MS" was already initialized" {file: "resource://gre/modules/TelemetryStopwatch.jsm" line: 352}]
02:13:57     INFO - start@resource://gre/modules/TelemetryStopwatch.jsm:352:9
02:13:57     INFO - start@resource://gre/modules/TelemetryStopwatch.jsm:133:12
02:13:57     INFO - handleEvent@chrome://browser/content/browser-fullScreenAndPointerLock.js:390:9
02:13:57     INFO - exitDomFullScreen@chrome://browser/content/browser-fullScreenAndPointerLock.js:356:5
02:13:57     INFO - addTab@chrome://browser/content/tabbrowser.xml:2865:13
02:13:57     INFO - loadOneTab@chrome://browser/content/tabbrowser.xml:1790:23
02:13:57     INFO - _openURIInNewTab@chrome://browser/content/browser.js:5145:15
02:13:57     INFO - browser_getContentWindowOrOpenURIInFrame@chrome://browser/content/browser.js:5301:12
02:13:57     INFO - browser_createContentWindowInFrame@chrome://browser/content/browser.js:5275:12
02:13:57     INFO - 
02:13:57     INFO - Console message: [JavaScript Error: "TelemetryStopwatch: requesting elapsed time for nonexisting stopwatch. Histogram: "FULLSCREEN_CHANGE_MS", key: "null"" {file: "resource://gre/modules/TelemetryStopwatch.jsm" line: 373}]
02:13:57     INFO - timeElapsed@resource://gre/modules/TelemetryStopwatch.jsm:373:9
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:394:17
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:219:12
02:13:57     INFO - receiveMessage@chrome://browser/content/browser-fullScreenAndPointerLock.js:416:9
02:13:57     INFO - 
02:13:57     INFO - Console message: [JavaScript Error: "TelemetryStopwatch: requesting elapsed time for nonexisting stopwatch. Histogram: "FULLSCREEN_CHANGE_MS", key: "null"" {file: "resource://gre/modules/TelemetryStopwatch.jsm" line: 373}]
02:13:57     INFO - timeElapsed@resource://gre/modules/TelemetryStopwatch.jsm:373:9
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:394:17
02:13:57     INFO - finish@resource://gre/modules/TelemetryStopwatch.jsm:219:12
02:13:57     INFO - receiveMessage@chrome://browser/content/browser-fullScreenAndPointerLock.js:416:9
02:13:57     INFO - 
02:13:57     INFO - Buffered messages finished
02:13:57     INFO - TEST-UNEXPECTED-FAIL | dom/html/test/browser_fullscreen-newtab.js | Test timed out - 
02:13:57     INFO - GECKO(2061) | MEMORY STAT | vsize 4497MB | residentFast 459MB | heapAllocated 81MB
02:13:57     INFO - TEST-OK | dom/html/test/browser_fullscreen-newtab.js | took 45014ms
02:13:57     INFO - Not taking screenshot here: see the one that was previously logged
02:13:57     INFO - TEST-UNEXPECTED-FAIL | dom/html/test/browser_fullscreen-newtab.js | Found a tab after previous test timed out: about:blank - 
02:13:57     INFO - Not taking screenshot here: see the one that was previously logged
02:13:57     INFO - TEST-UNEXPECTED-FAIL | dom/html/test/browser_fullscreen-newtab.js | Found a tab after previous test timed out: http://example.org/browser/dom/html/test/file_fullscreen-newtab.html - 
02:13:57     INFO - checking window state

    
    

    
  
Looks like it fails on macOS: https://treeherder.mozilla.org/#/jobs?repo=try&revision=cfcf47579a6783b2537cf4b7c49c277c47fbb727

I'm going to land the test with it disabled on macOS, and open a new bug to track why it fails there.
Flags: needinfo?(xidorn+moz)

    
  
Depends on: 1494843

    
    

    
  
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/43ace919d4d6
part 4 - Add test for this bug. r=smaug

    
  
Flags: in-testsuite? → in-testsuite+

    
    

    
  
Hi, I can reproduce the issue following the steps from the description on the affected version (Firefox 49 Release version).

Devices:


    

  • Prestigio Grace X5 (Android 4.4.2)
    • 

  • Motorola Nexus 6 (Android 7.1.1)
    • 



Also, verified as fixed on the latest versions:


    

  • Nightly 66.0a1 (2018-01-11)
    • 

  • Beta 65.0b9
    • 

  • Release 64.0.2
    • 



Due to that, I'll remove the qe-verify flag, thanks.


Status: RESOLVED → VERIFIED

          status-firefox64:
          --- → verified

          status-firefox65:
          --- → verified

          status-firefox66:
          --- → verified
Flags: qe-verify+
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: