Closed Bug 1560098 Opened 6 years ago Closed 6 years ago

Port scanning with Firefox

Categories

(Firefox :: Security, task)

task
Not set
normal

RESOLVED INVALID

People

(Reporter: gergo.czuczor, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

The issue was discovered using Firefox Quantum 67.0.3, Windows 10

Using the following html document, it is possible to determine if a port is open on a system visiting the page or not. (It does not work with every port, but I demonstrated that it does on several ports in the attached video.)

<!DOCTYPE html>
<!--
To change this license header, choose License Headers in Project Properties.
To change this template file, choose Tools | Templates
and open the template in the editor.
-->
<html>
<head>
<title>Title</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script type="text/javascript">

        function dummy () {
            alert(0);
            console.log("dummy");
        }
        
        function alerter() {
            var url = new URL(window.location.href);
            var param = url.searchParams.get("param");
            alert(document.getElementById('myframe').contentWindow.document.body.innerHTML + " " + param + " not open");
            console.log(param + " not open");
        }

        function prepareFrame() {
            var url = new URL(window.location.href);
            var param = url.searchParams.get("param");
            var ifrm = document.createElement("iframe");
            ifrm.setAttribute("id", "myframe");
            ifrm.setAttribute("src", "http://127.0.0.1:" + param);
            document.body.appendChild(ifrm);
        }
        window.onload = function () {
            prepareFrame();
            dummy();
            alerter();
        };
    </script>
</head>
<body>
    test
</body>

</html>

Flags: sec-bounty?

It doesn't seem to work. Am I right?

You can use iframe.contentWindow.document only if same-origin. Try to replace 'http://127.0.0.1' with 'http://example.com'.
Plus, if you use the same host, but a different port, even in this scenario it will not be same-origin. This is why 'console.log(param + " not open");' is never executed: iframe.contentWindow.document is not accessible, and document.getElementById('myframe').contentWindow.document.body.innerHTML throws an exception.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID

(In reply to Andrea Marchesini [:baku] from comment #1)

> It doesn't seem to work. Am I right?
>
> You can use iframe.contentWindow.document only if same-origin. Try to replace 'http://127.0.0.1' with 'http://example.com'.
> Plus, if you use the same host, but a different port, even in this scenario it will not be same-origin. This is why 'console.log(param + " not open");' is never executed: iframe.contentWindow.document is not accessible, and document.getElementById('myframe').contentWindow.document.body.innerHTML throws an exception.

You can host a webpage with similar content and collect information about the users connecting to your server. 'console.log(param + " not open");' executes only if the port is not open on the connecting client. If it did not execute, that means that the port was open on the client that has just connected. I tested it with multiple clients, and it could be used to gather information about the connecting clients (which is ideally not accessible by the server).

Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security