Closed
Bug 1312294
Opened 9 years ago
Closed 8 years ago
IDN implementation in Firefox for iOS is prone to IDN homographic attacks
Categories
(Firefox for iOS :: Browser, defect, P1)
Tracking
()
RESOLVED
FIXED
Iteration:
1.9
| Tracking | Status | |
|---|---|---|
| fxios | 6.0+ | --- |
People
(Reporter: sdna.muneaki.nishimura, Assigned: farhan)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [mobileCore])
Attachments
(2 files)
homographic_attacks.png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50
Steps to reproduce:
Firefox for iOS 6 seems to support international domain name on address bar but that implementation (Bug 1289687) allows to display all of unicode characters without any care of IDN homographic attack.
The PoC is here:
http://mallory.csrf.jp/ios/idn.html
Actual results:
See the screenshot when I reproduced the issue on my iOS simulator.
The above PoC contains following two fake URLs.
http://xn--bidu-53d.xn--fiqs8s
It seems like "baidu.中国" but the character 'a' is U+0430 in Cyrillic.
http://xn--localhost8080-4zo6249e.xn--fiqs8s
It seems like "localhost:8080/.中国" but ':' is U+0589 and '/' is U+2215.
Expected results:
It should have a IDN rule to prevent homographic attack such as:
https://wiki.mozilla.org/IDN_Display_Algorithm
|
||
Comment 1•9 years ago
|
||
I hope the iOS APIs have appropriate functionality for this, because if you have to pull over the Desktop code it's going to be a bit of a mess (Unicode tables, some Necko utility routines, etc).
Keywords: csectype-spoof,
sec-high
|
||
Updated•9 years ago
|
Flags: sec-bounty?
|
||
Updated•9 years ago
|
tracking-fxios:
--- → ?
|
||
Updated•9 years ago
|
Assignee: nobody → fpatel
Iteration: --- → 1.9
Priority: -- → P1
Whiteboard: [MobileAS]
|
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
|
Assignee | |
Comment 2•9 years ago
|
||
I've had a real hard time figuring out how to fix this. Apple doesn't expose the underlying unicode methods so this makes it very tricky. The only way that I have thought of is using regex to check each character individually. This is a pretty heavy handed approach but it should work.
The issue is I don't have a way of detecting what script a Unicode character is. In the ICU[1] there is a method called getScript which returns the script type of a character. Here is the method being used in Desktop[2].
here are the unicode character types which can be used by regex http://www.regular-expressions.info/unicode.html#category
For now. I'll disable this for 6.0 and we can have the patch ready for 7.0
[1](https://en.wikipedia.org/wiki/International_Components_for_Unicode)
[2] https://dxr.mozilla.org/mozilla-central/source/netwerk/dns/nsIDNService.cpp?q=nsIDNService%3A%3AisLabelSafe&redirect_type=direct#824
Attachment #8825188 -
Flags: review?
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8825188 -
Flags: review? → review?(sleroux)
|
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8825188 [details] [review]
Pull Request
lgtm
Attachment #8825188 -
Flags: review?(sleroux) → review+
|
|
||
Comment 4•9 years ago
|
||
Disable Punycode feature flag patch
master b82c5e31f56ace5fa786b79a6bc9968983e53dcd
v6.x 503f06f3217ba68ab931d498235e68c46442729a
|
|
Assignee | |
Updated•8 years ago
|
Whiteboard: [MobileAS] → [mobileCore]
|
|
Assignee | |
Comment 6•8 years ago
|
||
No. we added a patch to disable this feature. But we still need to fix this bug and re-enable punycode support.
Flags: needinfo?(fpatel)
I would like to know how long can this bug be fixed?
Flags: needinfo?(fpatel)
|
|
Assignee | |
Comment 8•8 years ago
|
||
This is a big issue to tackle because Apple does not expose any of the higher level unicode methods used to check domain names.
They expose some lower level stuff but this makes things a bit tricky as you have to implement the logic yourself.
https://developer.apple.com/library/content/documentation/StringsTextFonts/Conceptual/TextAndWebiPhoneOS/LowerLevelText-HandlingTechnologies/LowerLevelText-HandlingTechnologies.html
I have not found the time to work on this. If you would like to pick it up. Feel free to assign this to yourself.
Flags: needinfo?(fpatel)
|
||
Comment 9•8 years ago
|
||
(In reply to Farhan Patel from comment #6)
> No. we added a patch to disable this feature. But we still need to fix this
> bug and re-enable punycode support.
Given that the feature is disabled, I think it's ok to open this bug and remove the security marking (though perhaps our security team would prefer closing this one and having a new one for the improved implementation, so they can make release notes/CVE point to this one).
Farhan, can you confirm that there's no remaining security issue for the Firefoxes in the field, just missing functionality (due to the disabling)?
Flags: needinfo?(fpatel)
|
|
Assignee | |
Comment 10•8 years ago
|
||
Yea. The feature is not enabled. And this issue is not affecting users in the field. We can close this one and create another one.
Flags: needinfo?(fpatel)
|
||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
|
||
Updated•8 years ago
|
Group: firefox-core-security → core-security-release
|
|
||
Updated•6 years ago
|
Group: core-security-release
|
||
Updated•1 year ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•