Closed Bug 1744158 (CVE-2022-22739) Opened 3 years ago Closed 3 years ago

Security: Background page using iframe can show external protocol dialog in other tabs and without throttling

Categories

(Core :: DOM: Security, task)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
VERIFIED FIXED
Milestone:
97 Branch
Tracking Flags:
Tracking Status
firefox-esr91 96+ verified
firefox95 --- wontfix
firefox96 + verified
firefox97 + verified

People

(Reporter: bugzilla-mozilla, Assigned: emz)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form][adv-main96+][adv-ESR91.5+])

Attachments

(6 files, 1 obsolete file)

spoof-calc-diff-tab.html
1.79 KB, text/html
Details
spoof-iframe-src-calc.html
619 bytes, text/html
Details
cross-tab-nightly.mp4
3.09 MB, video/mp4
Details
cross-tab-spoof-stable.mp4
3.61 MB, video/mp4
Details
Bug 1744158, r=Gijs!
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr91+
Details | Review
advisory.txt
184 bytes, text/plain
Details

This is a standalone bug for Scenario 5 reported in bug 1705211. I didn't previously report separately since I thought this would be fixed in that bug. I assumed that fixing origin display would fix dialog<->tab association, but seems dialog isn't properly associated with the tab in even with fix when using iframes.

When a background page navigates an iframe to an external protocol URL, the external protocol dialog is shown on the currently focused tab. The dialog will repeatedly be shown on the currently focused tab and any other tab if the user switches tabs.

Firefox behaves as expected when a background page navigates itself (whole tab) to an external protocol URL. This issue only seems to occur when the background page performs the navigation using an iframe.

After the fix for bug 1705211, the dialog shows the correct origin (https://aogarantiza.com in this case). However, since there's no throttling or user activation requirement, a user can still feel pressured to proceed with the dialog or potentially think the dialog is mistaken about the origin or that it's coming from the browser itself due to the persistence and cross-tab presence. The dialog will keep re-appearing until the user closes the malicious tab, which could be any other tab.

REPRODUCTION CASE
One way to repro is to use Scenario 5's PoC from bug 1705211:

  1. Navigate to https://alesandroortiz.com/security/firefox/external-protocol/spoof-calc-diff-tab.html
  2. Click "Continue to Google.com" button

Observed: Dialog initiated by background page is shown in the currently active tab, even if the tab is on a different origin. Dialog will repeatedly be shown on any of the focused tabs.
Expected: Dialog is only shown in tab containing iframe which opened the dialog, along with appropriate throttling.

Another way to repro is to use Scenario 4's PoC from bug 1705211:

  1. Navigate to https://alesandroortiz.com/security/firefox/external-protocol/spoof-iframe-src-calc.html
  2. Switch to another tab or open a new tab
  3. (Optional:) Continue switching tabs and opening new tabs.

Observed: Same as first PoC in this report.
Expected: Same as first PoC in this report.

VERSION
Firefox Version: 94.0.2 Stable (Build ID 20211119140621), also repros in 96.0a1 Nightly (Build ID 20211202094249)
Operating System: Windows_NT 10.0 19042

CREDIT INFORMATION
Reporter credit: Alesandro Ortiz https://AlesandroOrtiz.com

Flags: sec-bounty?
Attached video cross-tab-nightly.mp4

I've attached videos of current Stable and Nightly behavior using the first PoC in this report. Observe how the dialogs appear on any focused tab as long as the initiating background tab is still open. In Stable, this is worse because of the spoof reported in bug 1705211. In Nightly which has fix, impact is less but the persistence and cross-tab presence may be sufficient to trick a user into allowing a malicious site to launch an external protocol.

Group: firefox-core-security → core-security
Component: Security → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security
Flags: sec-bounty? → sec-bounty+

Wrong tab. We'll take a look at this one from a bounty perspective, once it's been fixed. Sorry!

Flags: sec-bounty+ → sec-bounty-

Gah...

Flags: sec-bounty- → sec-bounty?

Paul, can you take an initial look as to why these dialogs are appearing in the wrong tab?

Flags: needinfo?(pbz)

Is part of this the timing of a race between opening the new tab and loading the content into a frame? That's less convincing. A better spoof would be if you could launch the external handler 30 seconds later or something (I'll take 5s for a testcase though -- I don't want to wait around 30 seconds to prove it).

Calling it sec-low for now because the timing/spamyness seems to be required and will be putting people on their guard to start with.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(bugzilla-mozilla)
Keywords: csectype-spoof, sec-low
See Also: → CVE-2022-22748

A quick test shows that a malicious page can initiate the dialog at any time, as long as the malicious page is open in a tab. The new tab doesn't need to be opened from the malicious page (i.e. a user can open or switch to another tab on their own, and malicious page can still show dialog at any point.)

PoC A: https://aogarantiza.com/firefox/1744158-a.html -- will show dialog 10 seconds after clicking button

PoC B: https://aogarantiza.com/firefox/1744158-b.html -- will show dialog 20 seconds after page load.

Flags: needinfo?(bugzilla-mozilla)

Thanks Gijs!

Opening the external protocol in an iframe means we pass null for the embedder element here: https://searchfox.org/mozilla-central/rev/4ca2f73ae9346709d39de2c8fe33874e4203b9e6/toolkit/mozapps/handling/ContentDispatchChooser.jsm#534
Passing null into gBrowser.getTabDialogBox means it will fall back to the selected browser here: https://searchfox.org/mozilla-central/rev/4ca2f73ae9346709d39de2c8fe33874e4203b9e6/browser/base/content/tabbrowser.js#869

I'll work on a fix.

Assignee: nobody → pbz
Status: NEW → ASSIGNED
Flags: needinfo?(pbz)
Attached file Bug 1744158, r=Gijs!
Attached file Bug 1744158 - Test, r=Gijs! (obsolete) —

Depends on D133392

Blocks: 1745253

Comment on attachment 9254590 [details]
Bug 1744158 - Test, r=Gijs!

Revision D133393 was moved to bug 1745253. Setting attachment 9254590 [details] to obsolete.

Attachment #9254590 - Attachment is obsolete: true
Blocks: 1745256

Dan, will we change the security rating based on comment 9? I'd like to confirm before landing my patch.

Flags: needinfo?(dveditz)

We'll re-evaluate but this certainly won't pass the bar for sec-high; i.e., You can land this without sec-approval

Flags: needinfo?(dveditz)

Thanks for confirming! I'll land the fix now and the test later.

r=Gijs
https://hg.mozilla.org/integration/autoland/rev/79451984211e7439152084b32ba25611ecbf44ef
https://hg.mozilla.org/mozilla-central/rev/79451984211e

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox97: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

Verified as fixed in Nightly 2021-12-11 on Windows 10, using PoCs from original report and #c9. Thanks for fixing, :pbz!

Given 1705211 was uplifted to esr, do we need to uplift this too?

Flags: needinfo?(ryanvm)

(In reply to :Gijs (he/him) from comment #19)

Given 1705211 was uplifted to esr, do we need to uplift this too?

Seems reasonable to uplift to Beta/ESR so we get all the relevant fixes shipped in this cycle.

Flags: needinfo?(ryanvm)

Comment on attachment 9254589 [details]
Bug 1744158, r=Gijs!

Beta/Release Uplift Approval Request

  • User impact if declined: Security issue
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See comment 0
  • List of other uplifts needed: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Straightforward JS-only change
  • String changes made/needed: None

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Security bug related to other sec-moderate that we just uplifted (severity for this one tbc).
  • User impact if declined: See above
  • Fix Landed on Version: 97 uplift request to 96 pending
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): See above
  • String or UUID changes made by this patch: None
Attachment #9254589 - Flags: approval-mozilla-esr91?
Attachment #9254589 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9254589 [details]
Bug 1744158, r=Gijs!

Approved for 96.0b5

Attachment #9254589 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Thanks to the other bug this popup over the wrong site does now say the correct origin (which might, for all the user knows, be in a frame in that page). Much less spoofy, but still wrong and some users don't read dialogs so we'll also award an incremental bounty for this missing case.

Flags: sec-bounty? → sec-bounty+

(From https://bugzilla.mozilla.org/show_bug.cgi?id=1705211#c39 )

Does Mozilla have an automatic disclosure timeline for this type of bug? I'd like to set a date of March 21st, 2022 for public disclosure of this bug and bug 1705211.

Please let me know if the disclosure timeline is acceptable for both bugs.

This allows over 14 weeks for both bug fixes to reach users.

Flags: needinfo?(pbz)

We strongly prefer that disclosure wait until we've shipped patches, and for the most harmful bugs it's good to give people several weeks to patch. This fix is not one of those severe types so any time after we ship 97 (early February?) is fine.

Flags: needinfo?(pbz)

I agree. The suggested date is about 14 weeks after this bug was marked as fixed (same as Chromium's timeline), which should be sufficient time for users to update.

Using March 21st as disclosure date for now. Thanks for response.

QA Whiteboard: [qa-triaged]

Comment on attachment 9254589 [details]
Bug 1744158, r=Gijs!

Approved for 91.5esr.

Attachment #9254589 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+

I've reproduced this bug using the STR from comment 0, on Win 10 x64 with Nightly 96.0a1 2021-12-02.

The issue is verified as fixed on the latest builds: Beta 96.0b7, Nightly 97.0a1 and ESR 91.5.

Status: RESOLVED → VERIFIED
status-firefox96: fixedverified
status-firefox97: fixedverified
status-firefox-esr91: fixedverified
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form][adv-main96+][adv-ESR91.5+]
Attached file advisory.txt
Alias: CVE-2022-22739

Coordinated disclosure date has arrived. Can someone please make this bug public? I've requested the same from Chromium for their related bug.

Flags: needinfo?(ckerschb)

Updating needinfo like in bug 1705211

Flags: needinfo?(ckerschb) → needinfo?(dveditz)
Group: core-security-release
Flags: needinfo?(dveditz)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: