Closed Bug 1573549 Opened 6 years ago Closed 6 years ago

Abusing the app crashing due to Unprotected Activity - Firefox Preview Android Application

Categories

(Firefox for Android :: General, defect)

Unspecified
Android
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: kntbyron, Unassigned)

References

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Summary
The Firefox Preview Android application suddenly crashes. The crash can be induced, and the app can be hardened against it. Other malicious apps can access the activity and launch further attacks due to null permissions on the activity. This can disrupt the user's use of the app.

Steps to Reproduce:

  1. Download the APK: https://play.google.com/store/apps/details?id=org.mozilla.fenix&hl=en_US
  2. Install the app on your Android device or Android emulator: adb install app.apk
  3. Open your Drozer host and the drozer agent on your Android device, and forward the connection: adb forward tcp:31415 tcp:31415
  4. Open drozer in your command line: drozer console connect
  5. Execute this command in the command line: run app.activity.start --component org.mozilla.fenix androidx.test.core.app.InstrumentationActivityInvoker$BootstrapActivity
    It will run the activity and crash the application.

I made a POC application and video.
Please see the attachments for reference.

To Fix
The Android application exports an Activity for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. To fix this, set exported to false: change android:exported="true" to android:exported="false".
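The fix above is a single manifest attribute, but the underlying check (which components are reachable from other apps, and whether anything guards them) is worth automating. The following is an added example, not code from the reporter or from the Fenix project: a small audit script that parses an AndroidManifest.xml and lists every exported component that carries no android:permission. The manifest it runs over is constructed for illustration (package name, component names and permission string are made up); it mirrors the pattern in this bug with a test-only activity that is explicitly exported, alongside a launcher activity, a private activity, a permission-guarded service and an implicitly exported receiver.

```python
import xml.etree.ElementTree as ET

# Android manifest namespace; attributes are stored by ElementTree in Clark notation.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed sample manifest (hypothetical package, not a real app's manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- test-support activity that leaked into the release manifest -->
    <activity android:name="com.example.test.BootstrapActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.permission.SYNC"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.PUSH"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """A component is reachable by other apps if android:exported="true", or if
    it has no explicit android:exported but declares an intent-filter (the
    historical default; API 31+ rejects that combination at install time)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """True if any intent-filter on the component carries the LAUNCHER category."""
    return any(_attr(cat, "name") == LAUNCHER_CATEGORY for cat in elem.iter("category"))


def find_unprotected_exports(manifest_xml):
    """Return one finding per exported component that has no android:permission.
    Each finding records how it became exported and whether it is the launcher
    entry point, which is a legitimate export and should be triaged as such."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp) or _attr(comp, "permission"):
                continue
            reason = ("explicit android:exported=\"true\"" if _attr(comp, "exported")
                      else "implicit: intent-filter without android:exported")
            findings.append({
                "tag": tag,
                "name": _attr(comp, "name"),
                "reason": reason,
                "launcher": is_launcher(comp),
            })
    return findings


if __name__ == "__main__":
    for f in find_unprotected_exports(SAMPLE_MANIFEST):
        flag = " (launcher, expected)" if f["launcher"] else ""
        print("%-15s %-40s %s%s" % (f["tag"], f["name"], f["reason"], flag))
```

On the constructed manifest this reports three components: the launcher activity (expected), the implicitly exported receiver, and the test bootstrap activity, which is the shape of the finding in this report. Running the same check over the manifest extracted from a release APK (for example with aapt or apktool) turns the reporter's manual Drozer enumeration into a build-time regression test: anything that appears in the output and is not meant to be an entry point should either get android:exported="false" or be guarded with a permission.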

Component: Activity Stream → Security: Android
Product: Firefox for Android → Fenix

Colin do we depend on exporting activities?

Flags: needinfo?(colee)

We cannot run an Android application without exporting some activities. I think it would be trivial to remove the export for the activity in question, since it should only be available for instrumentation tests. This was a good find, even only as a denial of service. I'll get this resolved.

Flags: needinfo?(colee)

This should be fixed in the latest Fenix Nightly build from today. The exported activity used for the crash loop should no longer exist in released APKs. Thank you again.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

(In reply to Colin Lee from comment #3)

This should be fixed in the latest Fenix Nightly build from today. The exported activity used for the crash loop should no longer exist in released APKs. Thank you again.

Thank you @Colin Lee. I'm glad to help.

(In reply to Daniel Veditz [:dveditz] from comment #8)

(In reply to Kent Bayron from comment #5)

Once again, is this eligible for a reward, sir?

I don't know why "Once again" as this appears to be the first mention, but see https://www.mozilla.org/en-US/security/client-bug-bounty/ for how to apply for a bounty. I have only skimmed this bug but if it's only a DoS it's likely not eligible: https://www.mozilla.org/en-US/security/bug-bounty/faq/#dos-bugs

Thank you for your response, sir. Sorry for that; English is not my first language. Anyway, I will fill out the form.

Thank you.

Best Regards,
Kent

I think bug 1573950 was just a duplicate filed for bounty consideration, so I think I've copied all of the bounty stuff over to this bug, which is the original report.

Flags: sec-bounty?
Whiteboard: [reporter-external] [client-bounty-form] [verif?]

(In reply to Andrew McCreight [:mccr8] from comment #11)

I think bug 1573950 was just a duplicate filed for bounty consideration, so I think I've copied all of the bounty stuff over to this bug, which is the original report.

Thank you for the response. I am the author of bug https://bugzilla.mozilla.org/show_bug.cgi?id=1573950. I was told by Colin and Daniel to fill out this link https://www.mozilla.org/en-US/security/client-bug-bounty. I'm glad to help.

Best Regards,
Kent

(In reply to Kent Bayron from comment #12)

I am the author of bug https://bugzilla.mozilla.org/show_bug.cgi?id=1573950. I was told by Colin and Daniel to fill out this link https://www.mozilla.org/en-US/security/client-bug-bounty.

There's a step in there "if you already have a bug, mail the link to the security team" which is what I meant, but it's all straightened out. thanks.

Minusing this for security bug bounty as a DOS is not bounty eligible. Thank you for your report.

Flags: sec-bounty? → sec-bounty-
Group: mobile-core-security → core-security-release

(In reply to Al Billings [:abillings] from comment #14)

Minusing this for security bug bounty as a DOS is not bounty eligible. Thank you for your report.

Thanks for your reply. I think you should consider this because it is a misconfiguration of a component, not a DoS itself. This Activity should only be available for instrumentation tests, not for production.

Warm Regards,
Kent

Hi,
Just want to ask a question: is it eligible for the hall of fame?
Thanks,
Kent

Hi,
Can I disclose this on my blog?
Thanks,

Regards,
Kent

Group: core-security-release

Hi,
Just want to ask a question since it is closed: is it eligible for the hall of fame or a bounty?
Thanks,
Kent

Component: Security: Android → General
