Stored-XSS and Reflected-XSS in Chimein.mozilla.org secure messenger system

Status: RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: yann.cam, Unassigned)

Tracking

unspecified
Bug Flags:
sec-bounty -

Details

(Whiteboard: [reporter-external] [web-bounty-form] [verif?], URL)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Hello Mozilla security team,

The chimein.mozilla.org domain (https://chimein.mozilla.org/) provides a very simple "sign up / sign in / send message" process with asymmetric encryption (public key, private key, password and passphrase) to add strong security to message exchange.

A simple user can create an account, log in with this account, and send an encrypted message (with a passphrase) to any other registered user.

There are several XSS vulnerabilities. The most critical is a Stored-XSS in the body of any message. A user is able to create an account as described here:

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png

Login = ycam, password = ycam, passphrase = ycam

Then, once logged in, the user can send an arbitrary message to any other user (in the example, the message is sent to the user himself for the proof of concept):

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png

The Stored-XSS payload can be injected into the "body" of the message. The user selects a specific passphrase, so the payload is encrypted.

Once sent, the message is visible to the logged-in recipient. When this victim user clicks on the message, he has to enter the passphrase used at encryption time.

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png

When the passphrase is entered, the body of the message is decrypted and the Stored-XSS is triggered (PoC: alert(document.domain)).

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png

Test user for this PoC (just click on the "ycam" user in the list, then enter the password):
- Login: ycam
- Password: ycam
- PoC message passphrase: ycam

Stored-XSS are very critical vulnerabilities and can be used by an attacker to steal private information such as session cookies or credentials. Through XSS, an attacker can tamper with page rendering, take control of the full browser and use browser exploits to gain privileges on the local system (especially with dedicated frameworks for XSS flaws like BeEF: http://beefproject.com/).

This Stored-XSS was tested successfully with the latest Firefox version (49.0.2), the latest Chrome version (53) and the latest IE version (11).

In this case, the main Stored-XSS is embedded in a personal message dedicated to a victim (the victim needs to enter the passphrase to decrypt the message's body and trigger the payload). This is a serious issue because the XSS is located in a very secure chat system that uses asymmetric encryption.

An attacker will be able to create a fake page, a fake prompt or a fake "re-authentication" process to steal the victim's password. If the attacker gains access to a victim's account, he can use all the features of the secure chat in place of the legitimate user.

As detailed in your submission process (https://www.mozilla.org/en-US/security/web-bug-bounty/), the (encrypted) POST request carrying the Stored-XSS payload is described below:

POST /message/create HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://chimein.mozilla.org/
Content-Length: 1483
Content-Type: text/plain;charset=UTF-8
DNT: 1
Connection: close

login=ycam&password=ycam&sender=ycam&recipient=ycam&subject=ycam&subject_signature=C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E%0D%0A%2FPMRAbK6IZF9O9G%2BkOmy9a%2FmSPY9L8yiFdwk8CXzW%2Fnvmirx3qelwQ87z3cgrxGe8um7Ntc603h2%0D%0AWrux3wQrv5JptqEMC1Cj%2BatQQQ%2FB6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI%0D%0AKpy%2F0TgJhkpWj%2BPO3YIvxy015imeISUgmZyTmOaJAy7%2FOQzvw5GUAS5nTG%2FtU79kO7AlhQLTgjlL%0D%0AE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw%3D%3D&body=O8E%2BSCVlBZiL8xsg0yEg%2BK5%2BjdHKkuQA89z8FpLDekOT3CUa43B%2FQw%2BBxyCTgccngdRp7en7Zi%2BM%0D%0AwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK&body_signature=kFLh%2BgNR1Ow2zuxqRebnYmiB%2FN2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z%2BYF13e%0D%0AzyWBWtwmSPff%2B6JFWIHGqYI2RR%2BqszbAduHwHSniFPkz0gKntc%2FxOe8GFX62z78pAPJfZ4tLyg8p%0D%0ALobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt%2B6t7GkCWf799ztY8R0WYJ8q%0D%0AskQAYD5LuHpdadi8%2B8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj%2BF9z8KFgc%0D%0AvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ%3D%3D&session_key=a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG%2BMmtmZjcwAPJjXePxH8%2F1XWWolhPn1fRmf4j9ybmo%0D%0AlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM%0D%0ATxVPIcT%2FvLbjTA0hrnzmm%2Ftiyq31YPVOYq3Di95urw38DFJIRPKiP%2FcJ0GoWkUrcB6OK8lCfvx0K%0D%0AWsS%2BPpAB%2Fc1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ%2B2AkjhwcNzqWHQb%0D%0AHHm1wN6fkalHKXW7%2BwM2ctioB1JaE3gYE7WmGA%3D%3D&session_key_iv=zOtfAHFpmaW%2Bhm2xcJhPxw%3D%3D&

There is another Reflected XSS vulnerability in the "login" text input during registration (the user login needs to be new at each sign-up):

Payload injection:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png

Reflected XSS fired:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png

Do not hesitate to contact me for more information,

Sincerely,
Flags: sec-bounty?
(Reporter)

Comment 1

3 years ago
Note: once the victim's credentials have been stolen by the attacker's XSS, the attacker can log in to the secured messenger system to send messages under the victim's identity.

Plus, a specific request can be made to retrieve the user's private key:

POST /user/privatekey HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://chimein.mozilla.org/
Content-Length: 24
Content-Type: text/plain;charset=UTF-8
DNT: 1
Connection: close

login=ycam&password=ycam

Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1790
Date: Fri, 21 Oct 2016 00:52:14 GMT
Connection: close

{"private_key":"n68FCFxNyybMn09iIsi8JKknIrl85+qZLAsa2ulnbMbVWK6ePX85IxPHkW1b3NTLuKiVlLkr/KRO\r\nJxqkKUBViyoG+DTRNeBJTHbjrn/hTRMK1/T5gQqvxU6MD9Fq91EheJrY7SLS4U8Op7Q+r2/BH8A/\r\nBxuuwpCO/h3AOOQHUA+uuTTGKswZlsBYYYWTTsHPZJ7IPf0wMJ0lDRVwnkqMZ1cwPCQcSlO3j60/\r\nf9PqEySpD8tQlOs6dFrKq///AgMWq9b2pEpkO7ADfQ2mTzaDOYT+JAY/RPE6fNGeHHXZosJFsLjQ\r\nxER203DFAE86fTmI5NIZUXWaNX8zix8A0zMnSASjuXfphFozxj3D27BCWyhky5gjqSJx1o1jiw4Z\r\n79yN0Tnxv7z2ASSBKXT7YDllFkLSUoJqv6z+amUaa/unUbO2izZ4oX0WMCN/YpooTUf5YtSWg1YN\r\n5qUrIK7AsD9DvwW3/RW1DcbHoxYiledfADJe65zsMrCOtUJzd4+2X56b0otP96R5qI9DAvsVmweg\r\n9nW/frZx8xfPDqxKVioicHIEc+3ol0ZW2mUw/2r16dmP/kmUAEZH9dZXevu7M+mjOuMlaH83qDQ7\r\n2TE4FVqa/Xh261RwyBRAnoykqAt+TWSR9ekExrcMWSrTZkhEhEgJBPtV+WL9atuIVZCJvYkMjuZy\r\nUtPJN8QHHgIoTAJjLrfyitTN0Fveu9MDKi7Rmf1/vdl/KGm8VQsYoDAFBOeQ6I/CvpWMoLxCBpeA\r\namA/Xa1jt/NFrMmsPd5dGw9HEIPkdO39Ap0uAFyqVoeyf0YY18UMPPDTCJqg6JZCH8807Ubpixz9\r\nbyz2V0OTVRgIa+3NJbE4Phe4nXwNvWhGuEq+O+JF6asK+MSanpphgHRAJmunQ66qJ8UM1iWMJ2z9\r\nWEglL5cB8jfV7R8ss4qduQap32yg/AYfXfdPsRxANpFR0Yz77EK+BnHw8DuFZjTmx698556md/Jt\r\naNbVxmy5gL6zXnhbSNRGpzANlancJ0DYfIHQ/tKzMnLxcBAZkjJZ3x2ZFrLiFVMkbeHNagooQ/Na\r\nPq+aM9HUB+QMzpvwzgMAbfkA38JvBG5Z2coVwyBPFLiz10uLgRlKEBTPeCfk/BrinT169VE0be7s\r\nUNaVEtMvqtwNDolKICIbXx4yYnh9sCN33fMtKLyTmIJBdA/eZ6/ZDK/4acMDYF78tVhW2XcdCc1l\r\nldSgTUr1fYLWxuCaX8wQ6ZataimHAehfPxRMC870/AmBXy2e5aXr0aB7J3tQUcRqK0iddMRRU7Eo\r\nwIzTzV+cl6fpu3q9W6zXDTNQJmkAR6OBispaGBM8ofMEm/jITGofkoDZRq29QCR2hNMA9Vtnpe/0\r\nb6VsE2lyztMKeDuKF/wpf2j4rK1Zxb21zv/PaSFUsj3CgUHKVJc2FNb1b0CIdP9wO7R1/CkUmdoj\r\nDujBOzl6oxCVPw69aCSPa+mfnqx3xld5dMNgK0ClWBknJxo+cBHfF2VHwfpO3T2uknMvCXFKV3CJ\r\nKttIG4YWrBcoAlUiMK/ok2TWR68W45E4LNHMrbDIfCULLEnq4jvfeMKEv9ltCduqIWDeeJHTTDQx\r\nplTpgu7mA0EMk9WV3yPw+iaMS9xSkNJAI+n6BtR4VHqpeAI=","private_key_iv":"FP0SpRlGFtq6d0wq7xze3w=="}
Comment 2

Chris, Aubrey -- is this site needed anymore?  It barely appears in Google, seems unmaintained, has security issues, and I can't find the source repository for it anywhere.  It appears to be related to a Mozilla work week back in 2013, but I otherwise can't find much context on it.

Unless it is needed for some reason, I would like to remove this site from DNS by the end of the business day.

Thanks!
Flags: needinfo?(misteranderson)
Flags: needinfo?(chrismore.bugzilla)
Comment 3

I couldn't remember what this domain was and I looked it up here:

https://web.archive.org/web/20140814011107/http://chimein.mozilla.org/

I remember what it was. It was the WebRTC demo where users clicking on the globe created a noise that was sent out to all of the other people visiting the site currently. The demo project was eventually killed and I believe it was hosted externally by Aubrey (misteranderson) (who was an external contractor for the marketing group).

We should just remove the site from DNS as it isn't needed. Thanks!
Flags: needinfo?(chrismore.bugzilla)

Updated

3 years ago
Depends on: 1312034
Comment 4

(removing needinfo)
Flags: needinfo?(misteranderson)

Comment 5

Hey there, Yann!  Although this site is not on our bounty list (https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/) and therefore not eligible for a bounty, I'd still like to send you some gear as appreciation for finding these, if you'd like them.

I can get you either a hoodie or a shirt/mug/hat/drawstring tote package, whichever you'd prefer.  To do so, I'd need your sizing information and mailing address.  If you could email them to april@mozilla.com, that would be great.  Thanks!
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → FIXED
(Reporter)

Comment 6

2 years ago
Hello, thank you for your feedback, and well done for the (very) quick fix!

The domain "chimein" isn't attached to Mozilla anymore, but the vulnerable web application is still accessible with its vulnerabilities (https://66.135.40.46/). If there are other critical vulnerabilities and if this application is hosted on a Mozilla server, the threat is always present.

It is sad that it does not fall within the bug bounty... Moreover, what are the conditions for inclusion in Mozilla's Hall of Fame (https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/)?

I will send you the information needed (size and mailing address) by email.

Thank you again, and have a nice day,

Sincerely,

Yann CAM
Comment 7

chimein isn't running on Mozilla's infrastructure, it was always on a third party system.  I will make sure that you get on the hall of fame this quarter.
(Reporter)

Comment 8

2 years ago
Hello,

Thank you for your reply, and for the Hall of Fame.

If I may suggest the following credits: "Yann CAM @ASafety/SYNETIS".

Have a nice day,

Regards,