Closed Bug 1789439 (CVE-2022-42929) Opened 2 years ago Closed 2 years ago

Persistent Popup DoS with window.print

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr102 106+ fixed
firefox105 --- wontfix
firefox106 + fixed

People

(Reporter: andreien, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main106+][adv-esr102.4+])

Attachments

(5 files)

Test-case from reporter.
149 bytes, text/html
Details
Bug 1789439 - Don't allow reentrant programmatic print calls. r=smaug,peterv
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-esr102+
Details | Review
Bug 1789439 - Throw rather than logging an error when tab-modal print is already open. r=jwatt,mstriemer
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-esr102+
Details | Review
Bug 1789439 - Test. r=smaug,peterv,jwatt
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
248 bytes, text/plain
Details

I have been testing the window.print functionality in Firefox. At some point, I found that running two print() calls simultaneously in the console (without closing the dialog after the first one) leads to a new browser window opening without any popup permissions. The tab inside the new window is mostly broken, for example it cannot be redirected, but it does get restored by session restore function when quitting firefox.

After a bit of testing different methods to reproduce the parallel nature of this bug within single-threaded JavaScript, I ended up the the following (warning: will keep spawning windows indefinitely, in my case leading to OOM):

window.addEventListener('beforeprint', (event) => {
  print()
});
print()

This denial of service is persistent in multiple ways; if the malicious website remains open after session restore, or if the windows open by the malicious website are kept in session restore. When testing this it was difficult to stop the browser because the new windows were stealing focus, exacerbating the issue. Therefore this can lead to persistent full denial of service of browser functionality in the worst case.

This has been tested on Nightly, Mozilla Firefox 106.0a1 20220906092849 20220906092849.

Flags: sec-bounty?
Group: firefox-core-security → core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Group: core-security → dom-core-security
Severity: -- → S2
Assignee: nobody → emilio
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Depends on D156683

Should I land the test right away?

Flags: needinfo?(dveditz)

https://hg.mozilla.org/mozilla-central/rev/85a99403dd29
https://hg.mozilla.org/mozilla-central/rev/a219e399d593
https://hg.mozilla.org/mozilla-central/rev/4cbbc3ea57a0

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox105: --- → wontfix
status-firefox106: --- → fixed
status-firefox-esr102: --- → affected
tracking-firefox106: --- → +
tracking-firefox-esr102: --- → 106+
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Since this could abuse people it'd be nice to wait until this hits release (106) before landing the test.

Flags: needinfo?(dveditz)
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]

Is this ready for an ESR approval request? It grafts cleanly.

Flags: needinfo?(emilio)

Comment on attachment 9293485 [details]
Bug 1789439 - Throw rather than logging an error when tab-modal print is already open. r=jwatt,mstriemer

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: comment 0, trivial-ish / simple fix
  • User impact if declined: comment 0
  • Fix Landed on Version: 106
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fix is rather trivial. Alternative would be not taking the patch on esr.
Flags: needinfo?(emilio)
Attachment #9293485 - Flags: approval-mozilla-esr102?
Attachment #9293484 - Flags: approval-mozilla-esr102?

Do we also want to uplift https://hg.mozilla.org/mozilla-central/rev/4cbbc3ea57a0 ?

Flags: needinfo?(emilio)

Yes, that's a test-only patch.

Flags: needinfo?(emilio)

Comment on attachment 9293485 [details]
Bug 1789439 - Throw rather than logging an error when tab-modal print is already open. r=jwatt,mstriemer

Approved for ESR 102.4.0, thanks.

Attachment #9293485 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Attachment #9293484 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main106+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main106+] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main106+][adv-esr102.4+]
Attached file advisory.txt
Alias: CVE-2022-42929
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: