1441193 - Firefox for Android: A specially-crafted HTML file leads to a Bug which will download all WebPages instead to load these WebPages and can lead to Same-Origin Policy Bypass

Status: RESOLVED FIXED

(Firefox for Android Graveyard :: General, defect, P3)

Description

[Jordi Chancel]

Attachment: video demo.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180219114835

Steps to reproduce:

Explanation:

The Malicious Webpage contains a first link to open a specially-crafted HTML file leading to a bug which will download all Webpages instead to go on these WebPages
If an user is connected on his https://bugzilla.mozilla.org/ account and go to the Malicious Webpage on the Attacker's server,
The malicious Webpage contains a 2nd link to https://bugzilla.mozilla.org/user_profile ,
When the user clicks on this 2nd link, a file "user_profile" will be automatically downloaded and the source-code of this file has the same content as https://bugzilla.mozilla.org/user_profile when the user is connected on his account (so the file downloaded contains sensitive/private information about the user and his account).

The Malicious WebPage has also previously downloaded an HTML file (open-me.html) to steal the content of the downloaded file "user_profile" and send it to the attacker's server

(The Video Demo in Attachements will show you how this vulnerability works)
/!\ A better testcase with less user interaction can be coded /!\
------------------------------

With this vulnerability it is also possible to download automatically the content of the local file: browser.db using the view-source: URL 
(eg: view-source:file:///data/data/org.mozilla.firefox/files/mozilla/????.default/browser.db )
I will make another testcase and video demo to demonstrate that.


Actual results:

This can lead to Same-Origin Policy Bypass


Expected results:

A possibility to fixe this bug need to know why webpages are downloaded after that the specially-crafted HTML file is loaded in Firefox for Android.

Comment 1

[Jordi Chancel]

URL: http://www.alternativ-testing.fr/Research/Mozilla/android/~Hgf4d8k2-SOP-Bypass-using-Bug-downloading-webpage-instead-to-browsing-on-it~/PoC-CSP-Bypass.html (link to the PoC)

Comment 2

[Michael Comella (:mcomella) [NI reported issues only: ex-Mozilla]]

To summarize my understanding:
- The user is logged into an account with private information
- The user visits the malicious page and clicks a link to download a malicious HTML file
- The user clicks a link to download an HTML page with their private information
- The user opens the malicious HTML file, which copies the HTML page with their private information to the attacker's server, violating the Same-Origin Policy

In the video, I'm not sure the significance of clicking a link and waiting for a non-responsive script, but I imagine it's important to these steps above.

[triage] The end result is really bad but it seems like it requires a lot of user intervention (and it's sec-moderate) so I'm going to call this non-critical. Please NI me if you disagree.

NI Susheel to verify my thinking.

Comment 3

[:sdaswani]

Agree.

Comment 4

[Jordi Chancel]

Attachment: video demo2 (Firefox local file browser.db stealing).html

It is the video demo demonstrating that we can steal the content of the local file "file:///data/data/org.mozilla.firefox/files/mozilla/1234.default/browser.db".

Comment 5

[Daniel Veditz [:dveditz]]

This is an Android dupe of many bugs about the save-as functionality combined with our "same-directory" file:// origin policy. This is not something that we would or could solve for Android only -- it's a Gecko issue.

Comment 6

[Daniel Veditz [:dveditz]]

This was fixed in the browser engine by making all files a unique origin (see bug 803143 and its dependencies).