Compromised content process can UpdateDocumentURI
Categories
(Core :: DOM: Content Processes, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | wontfix |
| firefox-esr115 | --- | wontfix |
| firefox113 | --- | wontfix |
| firefox114 | --- | wontfix |
| firefox115 | + | wontfix |
| firefox116 | --- | wontfix |
| firefox117 | --- | wontfix |
| firefox119 | --- | wontfix |
| firefox120 | --- | wontfix |
| firefox121 | - | wontfix |
| firefox122 | + | wontfix |
| firefox123 | --- | wontfix |
| firefox124 | --- | wontfix |
| firefox125 | --- | wontfix |
| firefox126 | --- | fixed |
People
(Reporter: y, Assigned: aiunusov)
References
Details
(4 keywords, Whiteboard: [disclosure 11 Aug 2023][reporter-external] [client-bounty-form] [verif?][adv-main122+] [adv-main126-])
Attachments
(5 files, 3 obsolete files)
WindowGlobalParent::RecvUpdateDocumentURI does not validate the new DocumentURI, so a compromised content process is able to set an arbitrary documentURI (https://searchfox.org/mozilla-central/rev/675d6b7b04c4a802493d29632ee45f6e036a5702/dom/ipc/WindowGlobalParent.cpp#370).
This is used in several places including but not limited to:
-
Address bar and related components, when the history is updated, e.g.,
history.pushState()orhistory.back(). -
Hub.fillInAddressforextensions/ConduitsParent(https://searchfox.org/mozilla-central/rev/675d6b7b04c4a802493d29632ee45f6e036a5702/toolkit/components/extensions/ConduitsParent.jsm#187)
This setsMessageSender.urlfor extension messages. Many extensions rely onMessageSender.urlto verify whether the message came from a trusted source. -
webrtcUI.getActiveStreams(https://searchfox.org/mozilla-central/rev/675d6b7b04c4a802493d29632ee45f6e036a5702/browser/modules/webrtcUI.jsm#180)
This is used in "Tabs sharing devices" menu (the permission prompt is not affected). -
LoginAutoComplete::startSearch(https://searchfox.org/mozilla-central/rev/675d6b7b04c4a802493d29632ee45f6e036a5702/toolkit/components/passwordmgr/LoginAutoComplete.jsm#531) andLoginManagerChild::_filterForExactFormOriginLogins(https://searchfox.org/mozilla-central/rev/675d6b7b04c4a802493d29632ee45f6e036a5702/toolkit/components/passwordmgr/LoginManagerChild.jsm#2646)
It seems only fill via the context menu is possible, autofill seems not affected.
Threrefore, the compromised content process can spoof the address bar, extension message from trusted component, Tabs sharing devices" menu, and get logins for another origin.
REPRODUCTION CASE
- Apply the attached
poc.patch. - Create a new login for
https://example.cominabout:logins. - Install the attached extension.
- Visit the attached
poc.htmlover secure origin (an online version is available in https://chs17f87gytb304hg6vk.glitch.me/) - Press "Click" and check the address bar.
- Check the extension message sender.
- Press "getUserMedia(audio)" and check "Tabs sharing devices" menu.
- 5-7 should show example.com.
- Open context menu on the Username field and select the login added in 2. Check the password field is filled.
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 3•2 years ago
|
||
Nika, it looks like you have a comment in this function that sounds like the basic issue described in comment 0. Do we have a bug on file for this?
|
||
Comment 4•2 years ago
|
||
I wasn't able to find one with a quick search. When I first wrote this code the WindowGlobalParent version of things wasn't used for anything yet, so there wasn't much of an impact, but we should definitely try to do better here.
It would be nice to do the full suite of checks which would be performed by a call like pushState here, however it's likely we'll need to relax things slightly at least at first while we're working on this. Perhaps we could start out by just having an origin check between the previous URI and a new URI, or some other check to make sure that the origin of the new URI matches mDocumentPrincipal. There will need to be some other checks to allow e.g. about:blank or about:srcdoc in some cases as well.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 5•2 years ago
|
||
It's not quite a sandbox escape yet, but there might be some front-end code that would grant additional privileges to a chrome or about URL. Otherwise, you can definitely use this for spoofing and violating same-origin, which is sec-moderate if it requires a compromised process to get there.
|
||
Comment 6•2 years ago
|
||
The severity field is not set for this bug.
:edenchuang, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Comment 7•2 years ago
|
||
I think we should fix this at some point and not just let it linger. It sounds like there's a reasonable path forward here to at least get some protection.
|
|
||
Comment 8•2 years ago
|
||
Jens, could you maybe find somebody to work on this? I'm not who exactly is responsible for WindowGlobalParent stuff at this point. Nika laid out a plan of attack in comment 4, but doesn't have time to work on it. It is a little open ended, but it feels like a reasonably scoped project. Thanks.
|
||
Comment 9•2 years ago
|
||
In addition to documentURI, we probably want to tweak isInitialDocument.
|
|
||
Comment 10•2 years ago
•
|
||
Taking this, although I may not be the one working on this (but rather helping someone else to fix this).
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 11•2 years ago
|
||
|
|
Assignee | |
Comment 12•2 years ago
|
||
Differencial Revision: https://phabricator.services.mozilla.com/D159340
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 13•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Comment 14•2 years ago
|
||
FIX Compromised content process can UpdateDocumentURI, r=smaug,necko-reviewers
https://hg.mozilla.org/integration/autoland/rev/a364609f354a7d00bd1d44c0272b21b3eeb9b177
https://hg.mozilla.org/mozilla-central/rev/a364609f354a
|
||
Updated•2 years ago
|
|
|
||
Comment 15•2 years ago
|
||
The patch landed in nightly and beta is affected.
:aiunusov, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox114towontfix.
For more information, please visit BugBot documentation.
|
|
||
Comment 16•2 years ago
|
||
Backed out on request from Artur for causing frequent crashes (bug 1832321):
https://hg.mozilla.org/mozilla-central/rev/045b0358990bc474903d8c11101271faeec8482c
|
|
Assignee | |
Comment 17•2 years ago
|
||
Backed out. No need to nominate for beta
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Comment 18•1 years ago
|
||
There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:aiunusov, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.
|
|
||
Updated•1 years ago
|
|
|
||
Updated•1 year ago
|
|
||
Comment 20•1 year ago
|
||
|
|
||
Updated•1 year ago
|
|
|
||
Comment 21•1 year ago
•
|
||
|
|
||
Comment 22•1 year ago
|
||
|
|
Assignee | |
Comment 23•1 year ago
|
||
|
|
||
Updated•1 year ago
|
|
|
Reporter | |
Comment 24•1 year ago
|
||
Please note this issue will be published and presented in the upcoming USENIX Security on Friday, Auguest 11. Only the MessageSender.url part will be mentioned and neither PoC nor the detail will be made public.
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 25•1 year ago
|
||
|
|
||
Comment 26•1 year ago
|
||
|
|
||
Comment 27•1 year ago
|
||
Backed out previous changeset on request from aiunusov because a sufficient amount of crash reports has been collected:
https://hg.mozilla.org/integration/autoland/rev/62357f3d85016b6d944d6da24d20f3a579efc623
|
|
||
Comment 28•1 year ago
|
||
Interesting, in all the collected Fenix crashes we come through if (!mozilla::SessionHistoryInParent()) after a GoBack. That would explain why it does not happen elsewhere, IIUC SHIP is active everywhere except for Android?
|
|
||
Comment 29•1 year ago
|
||
Backout merged to central: https://hg.mozilla.org/mozilla-central/rev/62357f3d8501
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 31•1 year ago
|
||
|
|
||
Comment 32•1 year ago
|
||
https://hg.mozilla.org/mozilla-central/rev/724cb235ebec
Is there anything left to be done here or can this bug be closed?
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 33•1 year ago
|
||
We need to monitor https://crash-stats.mozilla.org for the possible crashes, at least, for one week.
If this patch will not be backed out afterwards - we can close it
|
|
||
Comment 34•1 year ago
•
|
||
Trying to capture a thought we had when talking Artur and I:
The crashes we see (again) have HandleSameDocumentNavigation on their stack by chance, as there seem to be an expensive synchronous execution. In fact, SendDocumentURI is asynchronous and we cannot be 100% sure that the RecvDocumentURI that caused the dump corresponds to the SendDocumentURI inside this HandleSameDocumentNavigation call - it might just have been an earlier invocation of SendDocumentURI that might have come from different code paths. There is a time window between sending the IPC message on the child side, elaborating it on the parent side and then requesting a dump from the client that could be arbitrarily long, such that we end up scheduling a second SendDocumentURI in the meantime. It might be worth looking out for any SetDocumentURI invocation on the child side, especially if coming from Java code.
|
||
Comment 35•1 year ago
|
||
Backed out for crashes on crash stats on Android Nightly
Backout link: https://hg.mozilla.org/integration/autoland/rev/571c293cedd28db6ac86fd553e2810f40e382e80
|
|
||
Updated•1 year ago
|
|
|
||
Comment 36•1 year ago
|
||
SetDocumentURI coming from client side from java code? Can't figure out what that might mean.
|
|
||
Comment 37•1 year ago
|
||
backout merge to central: https://hg.mozilla.org/mozilla-central/rev/571c293cedd2
|
|
||
Comment 38•1 year ago
|
||
(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #36)
SetDocumentURI coming from client side from java code? Can't figure out what that might mean.
That I don't know, but I just wanted to point out that we might not come through the code path we think we are coming through on the child side, at least in theory.
|
|
||
Comment 39•1 year ago
|
||
|
|
||
Comment 40•1 year ago
|
||
|
|
Assignee | |
Comment 41•1 year ago
|
||
I guess we can wait for another week, and then close the bug
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 42•1 year ago
|
||
What are your thoughts on backports here? It grafts cleanly to both Beta but needs a bit of rebasing for ESR115. But I'm also wondering how much bake time you think we need?
|
|
Assignee | |
Comment 43•1 year ago
|
||
We need to test this patch at least until next soft freeze
I would target a Beta at this moment
|
|
||
Comment 44•1 year ago
|
||
Alright, let's let this ride Fx122 then and we can revisit the ESR backport next cycle.
|
|
Assignee | |
Comment 45•1 year ago
|
||
Sounds good
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 46•1 year ago
•
|
||
If we are going to merge it to esr 115, then I must to prepare this patch and https://bugzilla.mozilla.org/show_bug.cgi?id=1868387
In order to have a pref (to disable the whole feature in case of an incident)
(so far, amount is quite low)
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 47•11 months ago
•
|
||
These patches requires uplift (if they not in the release already):
https://phabricator.services.mozilla.com/D159340
https://phabricator.services.mozilla.com/D196290
https://phabricator.services.mozilla.com/D195554
https://phabricator.services.mozilla.com/D197698
(sounds like I have no enough rights to create Uplift form)
|
|
Assignee | |
Comment 48•11 months ago
|
||
Just want to make sure, that all the patches mentioned above will go to release before soft freeze.
But I have no rights for doing uplift.
could you, please, guide me, how to proceed in that case?
|
|
||
Comment 49•11 months ago
|
||
All of those are on track to ride 122 to Release. If you want to nominate them for ESR approval also, you can do so by setting the approval-mozilla-esr115 dropdown to ? on the Details link for each attachment and fill out the form. That said, the urgency probably isn't very high there since bug 1873052 would disable the behavior anyway.
|
|
Assignee | |
Comment 50•11 months ago
|
||
all clear, then. Thanks!
|
|
||
Updated•11 months ago
|
|
||
Comment 51•11 months ago
|
||
(In reply to Young Min Kim from comment #0)
REPRODUCTION CASE
- Apply the attached
poc.patch.- Create a new login for
https://example.cominabout:logins.- Install the attached extension.
- Visit the attached
poc.htmlover secure origin (an online version is available in https://chs17f87gytb304hg6vk.glitch.me/)- Press "Click" and check the address bar.
- Check the extension message sender.
- Press "getUserMedia(audio)" and check "Tabs sharing devices" menu.
- 5-7 should show example.com.
- Open the context menu on the Username field and select the login added in 2. Check the password field is filled.
I am unable to reproduce using the REPRODUCTION CASE in comment 0. Could you help clear out the steps to reproduce so that I know how to properly reproduce and verify the fix? Questions:
- Could a QA do the first step? How do I apply this patch? Is this not a build compilation process?
- Regarding step 2, should I create a login for https://example.com? Should I not create logins for the test page's location https://chs17f87gytb304hg6vk.glitch.me/ instead?
- Regarding step 3, should I add the attached extension as a temporary addon?
- Regarding step 4, I assume I should be loading the specified link (https://chs17f87gytb304hg6vk.glitch.me/), right?
- Regarding step 5, what should I check about the address bar?
- Regarding step 6, what should I check, exactly?
- Regarding step 7, should I allow the permission that is displayed after clicking "getUserMedia(audio)"? What should I be checking about the Permissions Menu?
- Regarding step 8, What exactly should be showing "example.com"?
- Do I left-click the Username field to select the saved login? Or do I have to use right-click and "Use saved logins"?
- The affected behavior is that the password is not autocompleted when selecting the username, so the fixed behavior is that the password is not being auto-filled, right?
I am sorry to ask such specific questions. I am QA and do not possess the technical level of development engineers. We (QA) need to make sure we reproduce the issue to properly verify it's fixed. Thank you!
|
||
Updated•11 months ago
|
|
|
||
Comment 52•11 months ago
|
||
|
|
||
Updated•11 months ago
|
|
|
Assignee | |
Comment 53•11 months ago
|
||
1 Need to patch a code. I can do this for you
2 yes, you have to go to the about:logins and create a login
3 - yes, extension is needed
4 https://chs17f87gytb304hg6vk.glitch.me - exactly that link
5 yes
6 - you should expect a tab crash
7 yes, and expect tab crash
8 tab must crash
|
|
Assignee | |
Comment 54•11 months ago
|
||
I will prepare a link with the patched version for the testing soon
|
|
||
Comment 55•10 months ago
|
||
This message serves as a reminder to address the QA requirement in order to reproduce and verify the fix. Thank you.
|
|
Assignee | |
Comment 56•10 months ago
•
|
||
Prepared builds for QA:
https://treeherder.mozilla.org/jobs?repo=try&revision=f719296de0493d23f647ff2e6372a636bfadcb28
Writing the instruction at the moment
|
|
||
Comment 57•10 months ago
|
||
The steps in comment 0 still don't cause a crash while using the newly created patch build. It's important to notice that the extension does not seem to work even though it loads as a temporary addon. Furthermore, I would like to know why we should consider the fix valid considering the reproduction needs a different build than the officially released ones. Should we be expecting new instructions? Thank you.
|
|
Assignee | |
Comment 58•10 months ago
|
||
We need a patched build in order to simulate a compromised content process
(I am checking that patched version at the moment)
|
|
Assignee | |
Comment 60•10 months ago
•
|
||
Figured out. It seems that poc.patch was a bit outdated (after the recent changes in Firefox itself).
I prepared a new version of the patched builds, and tested them locally:
https://treeherder.mozilla.org/jobs?repo=try&revision=49861ebd428cd9d9de3610c72d200b39cdc021fa
Tab must crash in that version.
Could you please, check again?
(we cannot use the normal nightly for the testing, since we do not know yet, how to compromise the content process in a real scenario)
|
|
Assignee | |
Comment 61•10 months ago
•
|
||
0 Download a patched version from https://treeherder.mozilla.org/jobs?repo=try&revision=49861ebd428cd9d9de3610c72d200b39cdc021fa
1 Create a new login for https://example.com in about:logins.
2 Install the attached extension.
3 Visit the attached poc.html over secure origin (an online version is available in https://chs17f87gytb304hg6vk.glitch.me/)
(after a visiting poc.html or https://chs17f87gytb304hg6vk.glitch.me/, tab must immediately crash)
|
|
||
Comment 62•10 months ago
|
||
I can reproduce this tab crash using the build and extension provided in the previous comment on Windows 10 and 11, but the creation of a login for https://example.com/ is not necessary. The tab crashes with and without it. Is this a correct reproduction of the issue in question?
Furthermore, how should I proceed to verify this fix considering that the reproduction was made on a patched build to simulate a compromised content process? Thank you.
|
|
Assignee | |
Comment 63•10 months ago
•
|
||
I think creating a new login isn't really necessary (since the tab will crash anyway before a compromised process tries to even access it).
Regarding the second question, I think, reading POC.patch might help (which compromises a content process in a simple and dirty way) and building a version for verification on your machine:
https://firefox-source-docs.mozilla.org/setup/windows_build.html
https://firefox-source-docs.mozilla.org/setup/linux_build.html
https://firefox-source-docs.mozilla.org/setup/macos_build.html
(Just one extra command is required in order to patch it: hg import POC.patch)
You can also play with the new setting (dom.security.setdocumenturi). For example, disable it and perform the steps (4-9).
|
|
||
Comment 64•10 months ago
|
||
Unfortunately (as QA) we don't have the required time and resources to patch our test builds. Would you be able to patch another build for us so we can verify it? Thank you.
|
|
Assignee | |
Comment 65•10 months ago
•
|
||
Sure. I can patch any revision you ask.
If you need just a patched version of today's Nightly, I will provide it soon today
|
|
||
Comment 66•10 months ago
|
||
It would be best to verify it in the latest Nightly and latest Release if it's not too much to ask. Thank you for your support!
|
|
Assignee | |
Comment 67•10 months ago
|
||
Builds are on their way: https://treeherder.mozilla.org/jobs?repo=try&revision=a8142806fa2ea2b1c58702bd049c015a2de947bb
|
|
||
Comment 68•9 months ago
|
||
This issue still occurs with the provided Nightly v125.0a1 try build using the provided steps.
Furthermore, Microsoft Defender has detected a virus in the provided try build: Trojan:Script/Wacatac.B!ml
I cannot verify the fix in either of the latest branches.
|
|
Assignee | |
Comment 69•9 months ago
•
|
||
The provided binaries contained only this change: https://hg.mozilla.org/try/rev/02babe736726c6e21e1a4783009d14b6a667b20a
which is of course, could be detected by the antivirus as malicious software. Since this POC intentionally makes a content process compromised (for testing purposes only)
|
|
Assignee | |
Comment 70•9 months ago
•
|
||
Could you please, explain the issue with Nightly v125.0a1?
In any case I can provide a new binaries for testing
How about this build (this is today's Nightly, with the patched content process, in order to be 'compromised'): https://treeherder.mozilla.org/jobs?repo=try&revision=137cf9c00e4f7b565da87be8fc05d11937ac3f75
in case of any issues, you can also ping me in Matrix :)
|
|
Assignee | |
Comment 71•9 months ago
|
||
UPD: I double checked everything, and managed to reproduce the tab crash using the steps above and binaries from https://treeherder.mozilla.org/jobs?repo=try&revision=137cf9c00e4f7b565da87be8fc05d11937ac3f75
|
|
||
Updated•9 months ago
|
|
|
Assignee | |
Comment 72•9 months ago
|
||
The original issue has been fixed. Now, instead of leaking data, the tab crashes immediately.
But since we don't yet know if it's even possible to compromise the content process, it makes for QA too difficult to test. This is why custom binaries are needed.
|
|
||
Comment 73•9 months ago
|
||
From the answers in comment 53, I have understood that to reproduce the issue, the tab must crash so I expected the tab not to crash in the fixed builds. In my testing, the same outcome was observed in both the "affected" build and the "fixed" one as the tab crashes.
As a consequence, I need to ask for more details: Assuming that the data leak is the actual issue, how am I to determine whether the build leaks data or not so I can correctly verify the fix?
Thank you for your help!
|
|
Assignee | |
Comment 74•9 months ago
•
|
||
In short, this is the correct behavior: the tab should crash, in order not to allow to change a document URI and steal the data.
Basically, we're dealing with a security issue that not exist, but could arise in the future if someone finds a way to compromise the content process (that is why testing is so unusual and sometimes complicated)
(I think, to confirm that fix is working, I could also provide a patched old version, before my fix. To double check that tab was potentially allowing to steal the data)
|
|
||
Comment 75•9 months ago
|
||
Due to the high level of technicality and the fact that is quite hard to reproduce or verify (as mentioned in comment 72), I will be removing the qe+ flag. However, if verification of this report is necessary, please provide us with the necessary custom builds and information needed to complete.
Thank you.
|
|
Assignee | |
Comment 77•8 months ago
|
||
Follow up bug (enhancement): https://bugzilla.mozilla.org/show_bug.cgi?id=1890569
|
|
||
Updated•8 months ago
|
|
|
||
Comment 78•7 months ago
|
||
Unless I'm misunderstanding, I think this should have remained marked fixed in 122 (based on comment 72).
|
|
||
Comment 79•7 months ago
|
||
I guess, though it didn't actually ride the trains until 126 (bug 1889331).
|
||
Updated•6 months ago
|
|
|
||
Updated•3 months ago
|
Description
•