Closed Bug 1684627 (CVE-2021-23976) Opened 4 years ago Closed 4 years ago

Any websites can run with PWA privileges on Fenix (bypassing fix of Bug 1657026)

Categories

(Fenix :: General, defect)

Unspecified
Android
defect

Tracking

(firefox84 wontfix, firefox85 wontfix, firefox86 fixed)

RESOLVED FIXED
Tracking Status
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fixed

People

(Reporter: sdna.muneaki.nishimura, Assigned: sebastian)

References

Details

(Keywords: csectype-other, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main86+])

Attachments

(1 file)

Bug 1657026 can still be reproduced on the latest Fenix Nightly (retested it today).

As a countermeasure for Bug 1657026, a function isUnderFennecManifestDirectory was introduced to verify that the given manifest directory is under <filesDir>/mozilla/<profile>/manifests/ (see below).
https://github.com/mozilla-mobile/fenix/blob/faf765a57d78be91deed9ed9ef54d24f31075192/app/src/main/java/org/mozilla/fenix/customtabs/FennecWebAppIntentProcessor.kt#L130

But the verification logic seems incorrect.

Here, if an attacker gives a wrong manifest path such as /data/local/tmp/dummy_manifest.json, manifestsDir.name != "manifests" returns true, but true means that the given manifest path is under the expected directory.

return manifestsDir == null || manifestsDir.name != "manifests" ||
    // Check that the folder two levels up is named "mozilla"
    manifestsDir.parentFile?.parentFile != getMozillaDirectory()

It seems this comparison part should be changed like below.

return manifestsDir == null || (manifestsDir.name == "manifests" &&
        // Check that the folder two levels up is named "mozilla"
        manifestsDir.parentFile?.parentFile == getMozillaDirectory())

Sorry for the delay in discovering the mistake.

Flags: sec-bounty?
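The check described in the report, as an added example that is not Fenix's own code: the reported version beside a corrected one, evaluated against constructed paths. The filesDir and mozillaDir values are assumptions standing in for Context.filesDir and getMozillaDirectory().

```kotlin
import java.io.File

// Constructed stand-ins for the app's private storage (assumption: the real
// values come from Context.filesDir and getMozillaDirectory()).
val filesDir = File("/data/data/org.mozilla.fenix/files")
val mozillaDir = File(filesDir, "mozilla")

// Check as reported: the boolean sense is inverted, so a path outside
// <filesDir>/mozilla/<profile>/manifests/ is accepted and a correct one is rejected.
fun isUnderFennecManifestDirectoryBuggy(path: String): Boolean {
    val manifestsDir = File(path).canonicalFile.parentFile
    return manifestsDir == null || manifestsDir.name != "manifests" ||
        manifestsDir.parentFile?.parentFile != mozillaDir
}

// Corrected: true only when every containment condition holds; a missing
// parent directory is rejected rather than accepted.
fun isUnderFennecManifestDirectory(path: String): Boolean {
    val manifestsDir = File(path).canonicalFile.parentFile ?: return false
    return manifestsDir.name == "manifests" &&
        manifestsDir.parentFile?.parentFile == mozillaDir
}

fun main() {
    // Constructed inputs: one legitimate manifest path, the out-of-tree path
    // from the report, and a path that normalizes out of the manifests folder.
    val good = File(mozillaDir, "abc.default/manifests/example.json").path
    val outside = "/data/local/tmp/dummy_manifest.json"
    val traversal = File(mozillaDir, "abc.default/manifests/../../../evil.json").path
    for (p in listOf(good, outside, traversal)) {
        println("$p buggy=${isUnderFennecManifestDirectoryBuggy(p)} fixed=${isUnderFennecManifestDirectory(p)}")
    }
}
```

On the three inputs the reported check yields false, true, true and the corrected one yields true, false, false; canonicalFile also collapses the ".." segments before the parent directory is inspected.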

Sebastian, can you take a look when you're back? Thanks!

Group: firefox-core-security → mobile-core-security
Type: task → defect
Component: Security → Security: Android
Flags: needinfo?(s.kaspari)
OS: Unspecified → Android
Product: Firefox → Fenix
See Also: → CVE-2020-26954

I'll take a look.

Assignee: nobody → s.kaspari
Status: NEW → ASSIGNED
Flags: needinfo?(s.kaspari)

Patch landed in Fenix Nightly and should go out with the 86 train.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main86+]
Attached file advisory.txt
Alias: CVE-2021-23976
Group: core-security-release
Component: Security: Android → General
