Closed Bug 1653827 (CVE-2020-15662) Opened 9 months ago Closed 9 months ago

Rogue download handler can be injected by any web contents

Categories

(Firefox for iOS :: Browser, defect)

Other
iOS
defect

Tracking

()

RESOLVED FIXED
Tracking Status
fxios 28 ---

People

(Reporter: sdna.muneaki.nishimura, Assigned: garvan)

References

Details

(Keywords: csectype-sop, sec-high, Whiteboard: [sec-survey])

Attachments

(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.2 Safari/605.1.15

Steps to reproduce:

Any web content can define rogue download handler (window.firefox.download).
That can be a cause of several security issue.

Example (A). Cross Origin URL Leakage
(1) Victim visits http://csrf.jp/2020/download_handler_injection_cross_origin_data_leakage.html .
This page has an <iframe> that shows CERN's website (info.cern.ch).
(2) Victim long taps a hyperlink in the CERN's page and choose "Download Link" from context menu.
(3) Parent frame (csrf.jp) shows the URL that Victim tries to download in <iframe>.

Example (B). Security Token Leakage
At first, Firefox for iOS uses Security Token to identify that privileged JS bridge is called from browser frame (but not from web contents). If the Token is leaked, any web contents can abuse browser feature, e.g., disabling Tracking Protection.
(1) Victim visits http://csrf.jp/2020/download_handler_injection_security_token_leakage.html
(2) Victim long taps a hyperlink "Download Juicy Content Here".
Then the leaked Security Token is shown in the page.
(3) Push "Disable Tracking Protection by abusing securityToken" button in the page.
Then Tracking Protection is disabled for csrf.jp.
(4) In order to check if the protection is really off, push "Show window.fetch object" button.
If the protection is on, window.fetch object should be the following function code because Tracking Protection overrides the navive fetch() function.
https://github.com/mozilla-mobile/firefox-ios/blob/76faae8c6c94e22c8fbc0de72e2d06f615738e2c/content-blocker-lib-ios/js/TrackingProtectionStats.js#L132
But if the protection is disabled, window.fetch object shows [native code].

Actual results:

The reason why legitimate download handler is changed is that DownloadHelper.js is injected at the timing of AtDocumentEnd.
https://github.com/mozilla-mobile/firefox-ios/blob/76faae8c6c94e22c8fbc0de72e2d06f615738e2c/Client/Frontend/UserContent/UserScripts/AllFrames/AtDocumentEnd/DownloadHelper.js#L8

WKWebView's JS hook lifecycle is below.
[1] AtDocumentStart -> [2] Load web document -> [3] AtDocumentEnd

The exploit code below is executed at [2] and then define the handler as an immutable object. So the setting of legitimate handler at [3] is rejected.

Object.defineProperty(window.__firefox__, "download", {
  enumerable: true,
  configurable: true,
  writable: false,
  value: function(url, securityToken) {
    window.securityToken = securityToken
  }
});

Expected results:

The legitimate download handler (window.firefox.download) should be set at [1] AtDocumentStart.

Adding bounty nomination per email from the reporter

Flags: sec-bounty?

(3) Push "Disable Tracking Protection by abusing securityToken" button in the page.
Then Tracking Protection is disabled for csrf.jp.

ASIDE: this doesn't disable tracking protection, it shuts off the stats. The ETP stats reported from the page are easily disabled or manipulated, and there is no plan to fix that for iOS <14, due to limitations of the platform, we don't treat that as sec-sensitive.

Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
tracking-fxios: --- → 28
Assignee: nobody → gkeeley
Attached file advisory.txt

(In reply to :garvan from comment #3)

x-ref to https://github.com/mozilla-mobile/firefox-ios/issues/7002

Bugzilla pro tip: You can add these to the "See Also" field which will make them easy to find in the summary section of the bug, rather than buried in a possibly-very-long collection of comments.

assigned CVE-2020-15662

Alias: CVE-2020-15662

Bugzilla pro tip: You can add these to the "See Also" field which will make them easy to find in the summary section of the bug, rather than buried in a possibly-very-long collection of comments.

Thanks! Will start doing that

Flags: sec-bounty? → sec-bounty+
Group: mobile-core-security → core-security-release

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(gkeeley)
Whiteboard: [sec-survey]

filled out requested form

Flags: needinfo?(gkeeley)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.