Closed Bug 1610458 Opened 6 years ago Closed 6 years ago

Blob URL created by compromised content process can access accounts.firefox.com

Categories

(Core :: DOM: Content Processes, defect)

Product:
Core
Component:
DOM: Content Processes
Version:
72 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: s.h.h.n.j.k, Unassigned)

References

Details

(Keywords: reporter-external)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36

Steps to reproduce:

  1. Go to https://translate.google.com/robots.txt (or any other site)
  2. Attach debugger (e.g. WinDbg) to the content process
  3. Set break point on xul!mozilla::dom::BroadcastBlobURLRegistration
  4. Open devtools and Run following script in the context of https://translate.google.com/robots.txt
    var text = <body onclick='w=window.open("https://accounts.firefox.com/signin?service=sync&context=fx_desktop_v3&entrypoint=fxa_discoverability_native&action=email");setTimeout(()=>{alert(w.document.body.innerHTML)},3000)'>Click here!</body>;
    var blob = new Blob([text], {type : 'text/html'});
    var url = URL.createObjectURL(blob);
    console.log(url);
  5. When you hit break point set on step 3, set break point on xul!mozilla::ipc::PrincipalToPrincipalInfo and hit Go
  6. When you hit break point set on step 5, step right before the call to ContentPrincipalInfo, and spoof originNoSuffix, spec, and baseDomain to match accounts.firefox.com instead of translate.google.com. baseDomain will change to firefox.com so change the mLength of baseDomain to 0xb.
  7. Run bc* in the debugger to clear all break points and hit go
  8. Open created Blob URL in new tab, and click on "Click here" text.

Actual results:

Blob URL created by compromised content process has access to accounts.firefox.com.

I read https://www.thezdi.com/blog/2019/12/15/syncing-out-of-the-firefox-sandbox, and while I don't have access to bugs that patched this issue (i.e. Bug 1538008, Bug 1538015, and Bug 1539595), this advisory (https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741) suggests that part of issue was resolved by isolating the content process of accounts.firefox.com from other content processes.

But, compromised content process can call BroadcastBlobURLRegistration with arbitrary content principal data and URL, therefore it can also create Blob URL for accounts.firefox.com origin.

Then, the created Blob URL can access accounts.firefox.com using Window reference and/or DOM APIs. I manually checked that this allows Blob URL to enable sync with arbitrary Firefox account.

Expected results:

It shouldn't, according to description of https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/#CVE-2019-11741.

Flags: sec-bounty?

(Moving to Firefox::Security as an interim component, feel free to move somewhere else)

Although we already have reduced the local attack surface through sync in the linked bugs, this doesn't feel like it should be possible.

I guess Tom you're already looking at this bug, can you move this forward?

Also CC Baku, who worked on blob url registration broadcasting recently, so things might have changed there.

Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Flags: needinfo?(tom)

Jun did you test this on Nightly Firefox or Release?

We had to unship the fix for CVE-2019-11741 from Release due to stability work needed, presently its only enabled on Nightly. I would expect this to work on Release, but not Nightly. Specifically, on Nightly after creating the Blob URL you should not be able to sign into sync from the blob url (which runs in the Content Process), and you should not be able to manipulate a separate window running in the 'Privileged Mozilla Content' isolated process that can sign into sync. However now that I think about it - you might be able to do that manipulation, so I'd appreciate you testing on Nightly. :)

From about:support -> scroll to Remote Processes and you will see 'Privileged Mozilla Content' if you have that process running. Visiting addons.mozilla.org or sync.firefox.com will trigger its creation. On my nightly pids are shown when I hover over the tab which is handy in identifying the pid of that process.

Flags: needinfo?(tom)
Group: firefox-core-security → core-security
Component: Security → DOM: Content Processes
Depends on: CVE-2019-11741
Product: Firefox → Core

I’ve only tested on Stable. I’ll try on Nightly later today.

I tested in Nightly, and even though Blob URL will be created, navigating to that Blob URL only shows invalid error page. So it's kinda no repro.

Okay; I'm going to resolve this for now; but I would not be surprised if there was something exploitable here so I don't want to discourage you from poking around. If you can bypass the protection we have in Nightly that would be very valuable. Thanks for poking!

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
Group: core-security
You need to log in before you can comment on or make changes to this bug.