Closed Bug 1677138 (CVE-2022-34474) Opened 4 years ago Closed 3 years ago

sandboxed iframes can "redirect" to external schemes

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
102 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 --- wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- fixed

People

(Reporter: tjr, Assigned: emz)

References

Details

(Keywords: sec-moderate, Whiteboard: [Fixed by Bug 1766828][post-critsmash-triage][adv-main102+])

Attachments

(4 files)

ad.html
528 bytes, text/html
Details
malicious-ad-server.py
806 bytes, text/plain
Details
publisher.py
1.53 KB, text/plain
Details
advisory.txt
306 bytes, text/plain
Details
Attached file ad.html

This was sent into the security list:

We’ve recently discovered a malicious ad campaign that is taking advantage of iFrames to attempt to redirect the user to a different app. When the ad is served in an iFrame in the publisher page and ad server sends a redirect header, we have observed that Firefox in macOS and Android does not actually ignore these redirect attempts but asks the user the permission to redirect to the app even when the iFrame is appropriately sandboxed with allow-top-navigation-by-user-activation. We have so far tested this with the schemes listed below as the value of the "Location" parameter for the header:

MacOS Schemes

  • "itms-apps://",
  • "itms-appss://",
  • "itms://",
  • "itmss://",
  • "https://itunes.apple.com/app/",
  • "ibooks://",
  • "itms-books://",
  • "itms-bookss://",
  • "contact://",
  • "message://",
  • "sms://",
  • "music://",
  • "musics://",
  • "podcasts://",
  • "itms-podcasts://",
  • "podcast://",
  • "tel://"

Android Schemes

  • "Intent://"

For example, when the "Location" value of the header is "itms-apps://itunes.apple.com/app/id378458261", Firefox attempted to open the app with id id378458261 in AppStore in MacOS. When the "Location" value of the header is "intent://#Intent;package=com.vtaxi.app;S.market_referrer=appmetrica_tracking_id%253D602904027453287968%2526ym_tracking_id%253D9847664011024495609;end", Firefox redirected to the Google Play page of that app.

I have produced a working POC with Firefox 78.4.0esr (64-bit) on my macOs 10.15.7 and with Firefox 82.1.3 (Build #2015774645) on Pixel 4 with Android 11.

I have also attached the proof of concept code that performs the attack. I have produced a working POC using the setup I described below:

  1. Run malicious-ad-server.py with python3 to serve ad.html in an iFrame using ngrok on port 8000.

  2. Run publisher.py with python3 to serve PUBLISHER-DOMAIN/safe and PUBLISHER-DOMAIN/unsafe paths using ngrok, on a different machine than the malicious server. (You also need to change "src" value of the iFrames in publisher.py to "MALICIOUS-SERVER-DOMAIN/ad.html"). PUBLISHER-DOMAIN/unsafe serves the ad in an iFrame without sandbox attributes whereas PUBLISHER-DOMAIN/safe serves the ad in a sandboxed iframe with attributes:

  • "allow-top-navigation-by-user-activation"
  • "allow-forms"
  • "allow-pointer-lock"
  • "allow-popups"
  • "allow-popups-to-escape-sandbox"
  • "allow-same-origin"
  • "allow-scripts"
  1. Using a 3rd device, visit publisher site's /safe and /unsafe pages.
Attached file malicious-ad-server.py
Attached file publisher.py

After clarifying, they confirmed this was an issue on macOS (Desktop) and Firefox for Android; not Firefox for iOS.

I'm moving the the OSX component but the Fenix fix may be different...

Group: mobile-core-security → core-security
Component: Security: Android → Widget: Cocoa
Flags: needinfo?(sarentz)
Product: Fenix → Core
Attachment #9187696 - Attachment mime type: text/x-python-script → text/plain
Attachment #9187697 - Attachment mime type: text/x-python-script → text/plain

If the navigation happens that's an issue with iframe sandboxing, not with cocoa widget code, so moving over there.

Note that from the attached testcase, I guess the frame has:

sandbox="allow-top-navigation-by-user-activation allow-forms allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts"

so I think this is maybe expected, because of allow-popups and allow-popups-to-escape-sandbox ? But I am not au fait with the current discussions around sandboxing, so perhaps Anne or Christoph can look?

This also feels like something we have on file, perhaps not as a sec bug, but I don't have a bug to hand.

Group: core-security → dom-core-security
Component: Widget: Cocoa → DOM: Security
Flags: needinfo?(ckerschb)
Flags: needinfo?(annevk)

Johann and Paul are tackling non-browser URL schemes so I'll let them speak to this. (See also bug 1565574.)

Flags: needinfo?(pbz)
Flags: needinfo?(jhofmann)
Flags: needinfo?(ckerschb)
Flags: needinfo?(annevk)

So, without having run the POC, is it correct to summarize that the issue is that iframes can open external protocols without user interaction, even in a sandbox?

I think we're currently coming to the conclusion that even without a sandbox, this capability might be problematic for most protocols, which is what we're trying to change in https://github.com/whatwg/html/issues/6111 by adding a permissions policy attribute to restrict this by default. Paul is currently adding Telemetry for that.

Independent of that there's probably still a bug here, though, as the navigation itself shouldn't happen because of the sandbox? I haven't looked into that. It seems like a valid security issue.

Flags: needinfo?(jhofmann)

With respect to allow-popups-to-escape-sandbox, is the link opened in a popup-way, e.g., with a target attribute or window.open()? Otherwise it seems that should not apply (although maybe, the rules on these URL schemes are not written down) and only allow-top-navigation-by-user-activation would be the potential escape here (if there was user activation).

(Note that popups also need user activation to open)

(In reply to Johann Hofmann [:johannh] from comment #6)

Independent of that there's probably still a bug here, though, as the navigation itself shouldn't happen because of the sandbox? I haven't looked into that. It seems like a valid security issue.

Yes, I think we shouldn't allow the prompt / forward to the protocol handler in this case.
The problem is probably that the actual navigation to the external protocol is not happening top level, but in the frame. We then prompt and open the handler either top level in a new tab (web handler) or launch the external application. Perhaps navigation to external protocols should always be treated as a top level navigation sandbox wise, since we handle it that way.

Flags: needinfo?(pbz)
Component: DOM: Security → DOM: Core & HTML
Summary: Redirects from iframes occurring despite restrictions via iframe sandbox → sandboxed iframes can "redirect" to external schemes

Paul, can you test what other browsers are doing here? Is it worth including sandboxed as a key in our new telemetry?

Thanks!

Flags: needinfo?(pbz)

The telemetry for Bug 1672344 now also checks for null principal.

Flags: needinfo?(pbz)

Hi Mozilla security,

This vulnerability is being actively exploited in the wild. Do you have an ETA for a fix?

Thanks,
Amazon malvertising team

Side note: Since the change in Bug 1679456 we're requiring user activation for frames to redirect to external protocols. This should partially mitigate this issue.

We should check that bug 1680721 will keep this bug fixed and close it as resolved then. Depending on the frequency of this being exploited in the wild we should have a follow-up discussion around whether we can uplift that changeset to Beta.

Severity: -- → S3
status-firefox84: --- → affected
status-firefox85: --- → affected
Flags: needinfo?(jhofmann)
Flags: needinfo?(emilio)
Priority: -- → P1
status-firefox83: --- → wontfix
Flags: needinfo?(jhofmann)
Flags: needinfo?(jhofmann)

Yeah, I think the main question is whether we want to uplift those patches and turn dom.delay.block_external_protocol_in_iframes.enabled=false everywhere (which should be fine).

I'm not on mac but I suspect that bug will keep it fixed, if my reading of comment 0 is right, as it relies on a cross-origin iframe which wouldn't be allowed to do this without user-activation.

Flags: needinfo?(emilio)

Ah, hold on, or maybe not, if the frame is embedded by the top level page. We should still probably have tighter checks for sandboxed frames in any case though.

(In reply to Emilio Cobos Álvarez (:emilio) from comment #15)

Yeah, I think the main question is whether we want to uplift those patches and turn dom.delay.block_external_protocol_in_iframes.enabled=false everywhere (which should be fine).

Yes that would be my suggestion, too.. I can't really imagine that we'd be breaking a lot of sites by going from "every 10s" to "once then with user interaction". (Unless I'm misinterpreting the effect of that pref here)

I'm not on mac but I suspect that bug will keep it fixed, if my reading of comment 0 is right, as it relies on a cross-origin iframe which wouldn't be allowed to do this without user-activation.

Yes, this is about sandboxed iframes specifically, which are always cross-origin. I guess

Ah, hold on, or maybe not, if the frame is embedded by the top level page. We should still probably have tighter checks for sandboxed frames in any case though.

If it's cross-origin (e.g. an opaque origin) it should still not get the free initial protocol navigation without user interaction, right? So we're a bit better already.

The complete fix to this bug is probably to enact the sandbox restrictions proposed in https://github.com/whatwg/html/issues/2191. So it makes sense to leave it open to track that work.

Reporter, did you report this issue to other browser vendors? Looking at the standards issue this should be an issue in other browsers, too.

Thanks!

Flags: needinfo?(sarentz)
Flags: needinfo?(jhofmann)
Flags: needinfo?(amazon.malvertising.outreach)

Reporter, did you report this issue to other browser vendors? Looking at the standards issue this should be an issue in other browsers, too.

Thanks!

Yes, we have reported this issue to Chrome security team as well.

Flags: needinfo?(amazon.malvertising.outreach)

Hi Firefox Security teams,

After 90 days we will share the vulnerability with selected trusted threat sharing partners regardless of whether it has been fixed in order to protect end users.

Thanks,
Amazon malvertising team

Anne, what is your recommendation for next steps here? Looks like Chrome's bug is closed as wontfix.

Flags: needinfo?(annevk)

Do you have a reference to Chrome's bug? I don't see it.

There's two pieces here:

  1. How to deal with custom URL schemes in general. Bug 1626068 will tackle that.
  2. How to deal with them in sandboxed environments as pointed out in comment 17. The solution from https://github.com/whatwg/html/issues/2191 to only allow fetch schemes in a sandboxed environment seems still rather attractive, but would require some amount of investigation.

(Also, initially we allowed this without user activation which is no longer the case. So it's not clear to me this bug needs to remain closed.)

Flags: needinfo?(annevk) → needinfo?(nkochar)

Oh, the Chrome's bug that I was referring is for #2 from comment 17. The bug is https://bugs.chromium.org/p/chromium/issues/detail?id=329000 which is referenced from https://github.com/whatwg/html/issues/2191 .

Flags: needinfo?(nkochar)

I see, that's an old bug specific to iOS, so I would expect Chrome to still be willing to make changes here as per Mike West's comments in the HTML issue.

Johann, what's the status here? You talked about some other bug being fixed, and it has been fixed. Thanks.

Flags: needinfo?(jhofmann)

This bug needs to be verified on Fenix and Focus Android too. Who can help with that?

Hi Firefox Security teams,

We have tested the vulnerability again on Firefox 92.0 (64 bit) on Mac and we can confirm that the vulnerability is not fixed.

Could you give an update on the ETA please?

Thanks,
Amazon malvertising team

Both Chrome and us are still waiting on Microsoft Teams to ship an update that adds the correct sandbox flags before we can start enacting the restriction proposed in https://github.com/whatwg/html/issues/2191.

Paul (:pbz) is directly in contact with Microsoft and will follow-up once they get to a solution.

Flags: needinfo?(mail) → needinfo?(pbz)

After chatting with Ethan, assigning to Paul and adjusting the priority.

Mentor: pbz
Priority: P1 → P2

(In reply to Hsin-Yi Tsai [:hsinyi] from comment #28)

After chatting with Ethan, assigning to Paul and adjusting the priority.

Going to assume you meant to actually assign, not make Paul the mentor...

Assignee: nobody → pbz
Mentor: pbz

Looks like we have alignment with Microsoft now. They've submitted a PR to add a new sandbox flag allow-top-navigation-to-custom-protocols. There is also a patch for Chromium, behind a feature flag: https://chromestatus.com/feature/5680742077038592
I think we can follow this approach and start enforcing sandbox for custom protocol navigation in Nightly.

Flags: needinfo?(pbz)

I've submitted patches in Bug 1735746.

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox100: --- → wontfix
status-firefox101: --- → wontfix
status-firefox102: --- → fixed
status-firefox85: affectedwontfix
status-firefox86: affectedwontfix
status-firefox-esr78: affectedwontfix
Resolution: --- → FIXED
Whiteboard: [Fixed by Bug 1766828]
Target Milestone: --- → 102 Branch
Group: dom-core-security → core-security-release
status-firefox-esr91: --- → wontfix
Depends on: 1766828
Flags: qe-verify-
Whiteboard: [Fixed by Bug 1766828] → [Fixed by Bug 1766828][post-critsmash-triage]
Whiteboard: [Fixed by Bug 1766828][post-critsmash-triage] → [Fixed by Bug 1766828][post-critsmash-triage][adv-main102+]
Attached file advisory.txt
Alias: CVE-2022-34474
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: