Closed Bug 1683536 (CVE-2021-23972) Opened 4 years ago Closed 4 years ago

Bypassing http auth spoofing warning prompt when there's a cached redirect

Categories

(Core :: Networking, defect, P2)

Desktop
All
defect

Tracking

()

VERIFIED FIXED
86 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- verified

People

(Reporter: vijay.tikudave, Assigned: kershaw)

References

()

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][necko-triaged][post-critsmash-triage][adv-main86+])

Attachments

(2 files)

As firefox browser nightly have open redirect prevention whereby the warning prompt will be shown to user in case of malicious attempt of making redirect with help of "@" eg. if you open www.facebook.com@go.com

It will show warning prompt to prevent any spoofing.

However this could be bypass with emoji.

eg. if user click on below url , it won't be prompted for redirect warning & adversary could use the bug to exploit issue.

https://www.facebook.com@☺️.com

it will redirect to adversary page without any redirect prompt

Flags: sec-bounty?

This appears to work correctly on desktop nightly (though you get a certificate warning first with the https link from comment #0 that you need to click through before you get the other warning, if you modify the link to http:// then you get the warning immediately). Based on the original summary, I assume the intent was to report an issue with Fenix / Firefox for Android.

Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → Security: Android
OS: Unspecified → All
Product: Firefox → Fenix
Hardware: Unspecified → Desktop
Summary: Bypassing redirect prompts warning : Firefox browser Nightly android → Bypassing http auth spoofing prompt warning on Firefox Nightly for Android using emoji domain

Yes, It is intended for Firefox android Fenix. is it accepted yet for progress?

(In reply to Vijay Tikudave from comment #2)

Yes, It is intended for Firefox android Fenix. is it accepted yet for progress?

Most folks here are on break for the end of year, so it may be until January until someone responds. Any updates will appear on this bug.

Amedyne is there someone who you would recommend to look at this?

Flags: needinfo?(amoya)

I got the warning the first time I tried this, but not after that. I see a similar behavior on Desktop: once the redirect from xn--74h.com to frueh.net is cached I no longer get the phishing warning. When I try the testcase with DevTools open (which disables the cache by default) I always get the warning, but with normal caching I don't.

This doesn't seem to have anything to do with the emoji, but with whether there is a redirect and whether that redirect is cached. You can reproduce this behavior with non-emoji domains like:
https://foo@www.gmail.com/
http://foo@cnn.com/

The fact that the redirect is cached means the user has been there before, but that doesn't negate this as an attack. For example in the CNN case above it's quite likely that if the user has gone to CNN at all they probably just typed it in to the addressbar without the 'www' and thus would have the redirect cached. Of course CNN isn't a phishing site, but maybe an attacker could load the phishing site in a hidden iframe to prime the redirect first, and then show the phishing link to the user.

Since this warning is generated in Necko (other than the display) common behavior makes sense, and this should be moved to Networking.

Group: mobile-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Security: Android → Networking
Ever confirmed: true
Product: Fenix → Core
Summary: Bypassing http auth spoofing prompt warning on Firefox Nightly for Android using emoji domain → Bypassing http auth spoofing warning prompt when there's a cached redirect
Group: core-security → network-core-security

Networking scope.

Flags: needinfo?(amoya)

Apparently, nsHttpChannelAuthProvider::CheckForSuperfluousAuth is only called when the http response is from network. To fix this bug, we need to also call nsHttpChannelAuthProvider::CheckForSuperfluousAuth for cache path.

Assignee: nobody → kershaw
Severity: -- → S3
Priority: -- → P2
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][necko-triaged]
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch

Hi,

is it eligible for bounty?

Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][necko-triaged] → [reporter-external] [client-bounty-form] [verif?][necko-triaged][post-critsmash-triage]

The sec-bounty flag has been set on this bug. It will be reviewed when the security group meets.

Flags: sec-bounty? → sec-bounty+

I've managed to confirm this fix on macOS 10.14, Ubuntu 18.04 x64 and Windows 10 x64, by following this steps:

  1. Open http://foo@example.com
  2. Expect to see the warning prompt
  3. Open http://foo@example.com again. This time the response is from the cache.
  4. The warning prompt should be shown again.

I've tested the bug on Beta 86.0b5. Thanks Kershaw, for helping me to verify this.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

Hi,

is it eligible for CVE-ID alias?

Whiteboard: [reporter-external] [client-bounty-form] [verif?][necko-triaged][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][necko-triaged][post-critsmash-triage][adv-main86+]
Blocks: 1693705
Attached file advisory.txt
Alias: CVE-2021-23972
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: