Closed Bug 1736886 (CVE-2021-43530) Opened 3 years ago Closed 3 years ago

uxss on qrcode code reader (mozilla android version: 93.2.0 (Build #2015839747))

Categories

(Fenix :: General, defect)

Product:
Fenix
Component:
General
Platform:
Unspecified
Android
Type:
defect

Tracking

(firefox93 wontfix, firefox94+ fixed, firefox95+ fixed)

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox93 --- wontfix
firefox94 + fixed
firefox95 + fixed

People

(Reporter: sas.kunz, Assigned: royang)

References

Details

(Keywords: csectype-sop, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main94+])

Attachments

(3 files)

uxssmozilla.mpeg
4.91 MB, video/mpeg
Details
add_load_url_flag_external_1.patch
1.34 KB, patch
csadilek
: review+
tjr
: sec-approval+
Details | Diff | Splinter Review
advisory.txt
301 bytes, text/plain
Details
Attached video uxssmozilla.mpeg

hello i found uxss on qr code reader (mozilla android version: 93.2.0 (Build #2015839747), using the payload:

javascript:alert(document.cookie) // :<br>

https://www.google.com

the user will be confused because the link will be shown below ( on permit dialog show ). example "http://google.com". the user can see that the link is "https://google.com"

step to produced:

  1. go to https://goqr.me (to create qr code).
  2. insert text :
    javascript:alert(document.cookie) // :<br>

https://www.google.com
3. the qr code will be created
4. open mozilla on android
5. go to https://google.com
6 . scan the qr code.
7. click permit, the user will be confused because the link will be shown below. example "http://google.com"
8. then the xss will be executed,

i attached the poc video file.
thank you

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix

A similar bug in Fennec was found but at the time the problem did not affect Fenix. Unfortunately we added the bug back in (bug 1590288).

More relevant is bug 1705094 found during our Fenix audit and apparently not fixed?! But that one says javascript: didn't work (or at least that's how I interpret it) and it was other schemes that troubled us. When did this regress?

Status: UNCONFIRMED → NEW
Type: task → defect
status-firefox93: --- → affected
status-firefox94: --- → affected
status-firefox95: --- → affected
tracking-firefox94: --- → +
tracking-firefox95: --- → +
Ever confirmed: true
Flags: needinfo?(agi)
Keywords: csectype-sop, sec-high
Flags: needinfo?(agi)

The fix mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1705094#c5 should fix this problem too. I'm not sure how this got missed, do we not prioritize Fenix: Security bugs? Amedyne can we get somebody on AC/Fenix to make this change?

Flags: needinfo?(amoya)
Flags: needinfo?(amoya)

Will have someone look into this.

Assignee: nobody → royang
Status: NEW → ASSIGNED
Attachment #9247328 - Flags: review?(csadilek)
Attachment #9247328 - Flags: review?(agi)
Attachment #9247328 - Flags: review?(agi)
Comment on attachment 9247328 [details] [diff] [review] add_load_url_flag_external_1.patch Review of attachment 9247328 [details] [diff] [review]: ----------------------------------------------------------------- Tested the patch and verified that the javascript:alert isn't executed. r+ to address the immediate problem, with two follow-ups: - Let's make sure we only attempt to load https URLs going forward (and inform the user) (Bug 1705094) - Let's make this code unit testable so we can verify we pass along the correct flags (https://github.com/mozilla-mobile/fenix/issues/22106)
Attachment #9247328 - Flags: review?(csadilek) → review+

Comment on attachment 9247328 [details] [diff] [review]
add_load_url_flag_external_1.patch

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The patch is pointing to the QR feature, but the change to add the load URL flags does not immediately give away the security problem. The commit message is vague on purpose, but the patch will still provide a hint to the root of the problem.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: N/A
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely.
Attachment #9247328 - Flags: sec-approval?
Attachment #9247328 - Flags: sec-approval? → sec-approval+

Please land this on main and releases_v94.0.0 ASAP.

Flags: needinfo?(royang)

Will do. Thanks!

Flags: needinfo?(royang)

Change is in both Nightly and v94. Thanks!

main: https://github.com/mozilla-mobile/fenix/commit/367c5f42d874b15b5ce40632146ccdcb5169c00e
releases_v94.0.0: https://github.com/mozilla-mobile/fenix/commit/2e1a15a58c422272c2182834e2128c1cbacc1773

Group: mobile-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox94: affectedfixed
status-firefox95: affectedfixed
Resolution: --- → FIXED
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main94+]

Thanks Mozilla Team for the patch, I confirmed the issue has been resolved. i have tested on firefox preview 1.0.2144(Build #1) AC:95.0.20211025134949, 65e650b0a8 GV:95.0a1-20211025093729 AS: 86.0.0. "javascript:" didn't work after scan the qrcode.

Status: RESOLVED → VERIFIED
See Also: → CVE-2019-17003
Flags: sec-bounty? → sec-bounty+
Attached file advisory.txt

i have tested using this payload: data:text/html,<script></script><h5>Test page</h5> <a href="attacker.com"> attacker.com</a> juga tereksekusi juga di versi 93.2.0. tetapi di versi 94.0 this payload cannot executed. and its already fixed too.
thank you.

Alias: CVE-2021-43530
Group: core-security-release
Component: Security: Android → General
OS: Unspecified → Android
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: