Closed Bug 1676311 (CVE-2020-26977) Opened 4 years ago Closed 4 years ago

Spoof URL by connecting to an invalid port with a setTimeout call in the originating tab

Categories

(Fenix :: General, defect)

Product:
Fenix
Component:
General
Platform:
Unspecified
Android
Type:
defect

Tracking

(firefox83 wontfix, firefox84 fixed, firefox85 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox83 --- wontfix
firefox84 --- fixed
firefox85 --- fixed

People

(Reporter: u635660, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [adv-main84+])

Attachments

(2 files, 2 obsolete files)

bug1676311.html
288 bytes, text/html
Details
advisory.txt
324 bytes, text/plain
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36

Steps to reproduce:

go to https://servicenger.com/t.html

click me

click ok
and then Facebook is spoofed

Actual results:

facebook.com is spoofed

Expected results:

it should not spoof

chrome is not affected on andriod and ios

CC list accessible: false

Amedyne can we find someone who knows the toolbar to look at this?

CC list accessible: true
Flags: needinfo?(amoya)
Summary: firefox andriod url spoof → Spoof URL by connecting to an invalid port with a setTimeout call in the originating tab

:snorp is checking

Flags: needinfo?(amoya)

I can't reproduce this on GVE, and in fact we never get a facebook.com URL at all in onLocationChange(). It's critical that Fenix only displays URLs delivered via onLocationChange() in the toolbar.

Sorry, we do eventually get a https://www.facebook.com:1234/ in onLocationChange() once the connection times out and we get an error. That's expected.

I'm looking into it

First, we are getting an OPEN WindowRequest, which adds a new tab and dispatches an AddTabAction through the SessionManager. The AddTabAction uses toTabSessionState which codifies the initial URL (the Facebook URL) as the tab truth in the ContentState.

It then selects that tab, and since the tab has been selected and state changed, the ToolbarPresenter renders the new URL.

I propose removing the Android-Components Session initialUrl argument altogether, because it sounds like we should never be trusting URLs we pass in from our side. We should trust the onLocationChange callbacks after attempting a load of the initial URL.

Adding Sebastian from AC for feedback.

Flags: needinfo?(s.kaspari)

This seems to be related to us hiding the initial load of about:blank, that Gecko does:
https://github.com/mozilla-mobile/android-components/blob/master/components/browser/engine-gecko-nightly/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt#L436-L441

We did this to workaround issues with about:blank appearing briefly in the toolbar, looking like a UI glitch.

In this situation here, the page actually injects content into that about:blank page and the load of facebook.com:1234 takes quite a while to timeout. If we'd stop suppressing the about:blank update then Fenix would behave like desktop and we'd display about:blank in the URL bar until the timeout, where we switch to facebook.com:1234 and show the error page. However that would potentially re-introduce the UI glitch. Unfortunately we do not seem to be able to distinguish between the initial about:blank load and the state where there's actually content getting injected. As a potential workaround for this we could try disabling the about:blank check for sessions that have a parent. That may be the smallest possible patch?

(In reply to Emily Kager [:ekager] from comment #7)

I propose removing the Android-Components Session initialUrl argument altogether, because it sounds like we should never be trusting URLs we pass in from our side. We should trust the onLocationChange callbacks after attempting a load of the initial URL.

Separating the "initial url to load" from the "content url" is an option too. But it will have a ripple effect on a lot of things and potentially cause regressions. I would like to look at all the options before this "heart surgery". :)

I started to look into Fennec source.. it doesn't reproduce in Fennec and we always have a URL for the tab - without the UI glitch happening afaik. Curious how this was solved there.

Flags: needinfo?(s.kaspari)

If we'd stop suppressing the about:blank update then Fenix would behave like desktop and we'd display about:blank in the URL bar until the timeout, where we switch to facebook.com:1234 and show the error page.

There are some edge cases where this does introduce other undesired behaviors (like showing about:blank when manually entering a URL and staying on about:blank when stopping the load).

There might be an easier solution after all. This problem only exists when opening a new window (link with a target), where we set the URL of the new tab to the given URL immediately. There's absolutely no need to do this, since we are not initiating the load - Gecko(View) does it.

Related code:
https://github.com/mozilla-mobile/android-components/blob/master/components/feature/tabs/src/main/java/mozilla/components/feature/tabs/WindowFeature.kt#L46-L62

Christian wrote WindowFeature and we looked at the various scenarios and this seems to be a viable option. I'll attach a patch for discussion.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Attached file bug1676311.html

Preserving testcase in case the reporter's server goes away.

Whiteboard: [adv-main84+]
Attachment #9192414 - Attachment is obsolete: true
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9192416 - Attachment is obsolete: true
Alias: CVE-2020-26977
Group: core-security-release
Component: Security: Android → General
OS: Unspecified → Android
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: