Closed Bug 1694513 (CVE-2024-6607) Opened 4 years ago Closed 1 year ago

Force PointerLock to Remain on Locked State even "escape" Key Pressed (able to trick user to press another combination to escape)

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
128 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox126 --- wontfix
firefox127 --- wontfix
firefox128 --- fixed

People

(Reporter: sourc7, Assigned: edgar)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][secdom:pointerlock] [adv-main128+])

Attachments

(3 files, 3 obsolete files)

pointerlock+validitymessage.html
2.47 KB, text/html
Details
Firefox - PointerLock Remain on Locked State + Overlap Spoof Message.mp4
695.08 KB, video/mp4
Details
advisory.txt
370 bytes, text/plain
Details

By setting CSS property to display then create a Blob canvas object, afterward set the callback parameter to element.onselectstart to call theelement.requestPointerLock() function, when user double-click the element the cursor will remain locked on the target element even if the user presses the "escape" key (default unlock gesture) to unlock the pointer.

I also found that it is possible to overlap the Firefox WebExtension install dialog or permission request dialog using the select element custom validity message.

Therefore when user unable to unlock the pointer, the attacker can show spoof message "Press Alt+A" to unlock the pointer, after user presses the combination key, the pointer will unlocked and user also unconsciously pressed combination key to allow the extension install or permission request.

Version affected:

  • Firefox Nightly 88.0a1 (2021-02-23) (64-bit)
  • Firefox Release 86.0 (64-bit)
  • Firefox ESR 78.8.0esr (64-bit)

Steps to Reproduce:

  1. Visit attached pointerlock+validitymessage.html
  2. Double click the instruction text
  3. Press "escape" key repeatedly to test whether user able to unlock the pointer
  4. After ~4s permission request dialog will appear, afterward the select custom validity message will also appear to overlap the dialog
  5. Press "Alt+A" to take back control
  6. Notification permission are allowed and the pointer is now unlocked
Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Summary: Force PointerLock to Remain on Locked State even "escape" Key Pressed (able to prompt user to press another combination to escape) → Force PointerLock to Remain on Locked State even "escape" Key Pressed (able to trick user to press another combination to escape)

There's at least two issues here:

  1. Malicious page should not be able to draw ANYTHING on top of our doorhangers
  2. Malicious page should not be able to keep you in pointerlock

We need to spin out a bug for one of those because those involve different teams

Status: UNCONFIRMED → NEW
Type: task → defect
Ever confirmed: true
Keywords: csectype-spoof, sec-moderate

Comment on attachment 9208435 [details]
Bug 1694513 - Reject pointer lock request if we already know the focus has moved away;

Revision D107275 was moved to bug 1694698. Setting attachment 9208435 [details] to obsolete.

Attachment #9208435 - Attachment is obsolete: true
Severity: -- → S3
Priority: -- → P3
See Also: → CVE-2021-38508

Dan, do you know if bug 1366818 covers the issue #1 in comment 2?

Flags: needinfo?(dveditz)

bug 1366818 is exactly the technique (custom validity messages) abused in this specific POC. My point #1 was meant as a general design principal in case there are any other features that create similar floating panels.

Flags: needinfo?(dveditz)

Edgar, is this issue fixed? Thanks.

Flags: needinfo?(echen)

After bug 1366818, the form validity popup won't be able to show on top of the permission dialog. But the point #2 in comment #2 is still exist, page should not be able to keep the browser in pointerlock.

Flags: needinfo?(echen)
Flags: sec-bounty? → sec-bounty+

Linking to the eviltraps meta bug -- this technique can be used by malvertizers to add to the scariness of their dialogs about their computer being infected and that the users need to call their helpful "Microsoft" tech support number.

It's not a permanent DOS -- users can try to close the page (if they know the shortcut) or Alt-Tab to go to another app to get out, but many won't think of that.

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][secdom:pointerlock]

(In reply to Edgar Chen [:edgar] from comment #8)

After bug 1366818, the form validity popup won't be able to show on top of the permission dialog. But the point #2 in comment #2 is still exist, page should not be able to keep the browser in pointerlock.

We move the escape key handling for pointer lock to parent process in bug 1743329 which should also fix this, so close this as RESOLVED FIXED.

Assignee: nobody → echen
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
status-firefox126: --- → wontfix
status-firefox127: --- → wontfix
status-firefox128: --- → fixed
status-firefox-esr115: --- → wontfix
Depends on: CVE-2024-6608
Target Milestone: --- → 128 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][secdom:pointerlock] → [reporter-external] [client-bounty-form] [verif?][secdom:pointerlock] [adv-main128+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt (obsolete) —
Attachment #9411706 - Attachment is obsolete: true
Attached file advisory.txt
Attachment #9411712 - Attachment is obsolete: true
Alias: CVE-2024-6607
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: