Closed Bug 1790542 (CVE-2023-29540) Opened 1 year ago Closed 9 months ago

allow-top-navigation-to-custom-protocols iframe sandbox bypass using sourceMappingUrls

Categories

(DevTools :: Console, defect, P3)

Desktop
Windows 10
defect

Tracking

(firefox-esr102 wontfix, firefox110 wontfix, firefox111 wontfix, firefox112 verified, firefox113 verified)

VERIFIED FIXED
112 Branch

People

(Reporter: haxatron1, Assigned: bomsy)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Keywords: sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+])

Attachments

(5 files, 4 obsolete files)

Attached file source-map.html (obsolete) —

Using a redirect embedded into sourceMappingUrls it is possible to navigate to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols, (without a user gesture even!).

  1. Host source-map.html and redirect.php on site 1 (attacker site), iframe.html on site 2 (victim site), as always change the URL present in the source-map.html and iframe.html files.
  2. Open iframe.html in victim site, external protocol dialog will launch even with allow-top-navigation-to-custom-protocols absent.

Very useful for malvertisers as it also bypasses the user gesture requirement for external protocols.

Flags: sec-bounty?
Attached file redirect.php (obsolete) —
Attached file iframe.html (obsolete) —

Like the previous report, I realised that for Step 2, you must open devtools console, to load the sourcemap and trigger the external protocol prompt.

Group: firefox-core-security → dom-core-security
Component: Security → DOM: Security
Product: Firefox → Core
Blocks: source-maps
Group: dom-core-security → firefox-core-security
Component: DOM: Security → Console
Product: Core → DevTools

Our sourcemap implementation only checks the protocol of the sourcemap url before attempting to fetch it. So when the php redirects to another protocol, we have no way to check this new URL. We could completely forbid redirects when using fetch. Moving the sourcemap handling to the devtools server would also help.
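The comment above is the whole bug in two sentences: the scheme of the URL written in the `//# sourceMappingURL` comment is checked, the fetch follows the server's 302 to a different scheme, and nothing re-checks. The following is an added JavaScript example, not Firefox's DevTools code, that shows the vulnerable pattern beside the "forbid redirects" fix the comment proposes. The `attacker.example` host, the `fetchSourceMap*` function names and the fake fetch that models a redirecting `redirect.php` are all constructed for the example; the only real fetch semantics relied on are that `redirect: "error"` makes `fetch()` reject on any 3xx response.

```javascript
// Added example (not Firefox's sourcemap code): checking only the scheme of
// the sourceMappingURL is insufficient once the fetch follows redirects, and
// redirect: "error" closes the gap. fetchImpl is injectable so the example
// runs offline against a constructed fake server.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "data:", "blob:"]);

// Pre-fetch check: only the URL from the //# sourceMappingURL comment is
// inspected. This is all the vulnerable version does.
function schemeAllowed(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Vulnerable: a 302 from an https URL to "ms-calculator:" (or any external
// protocol) is followed, and nothing re-validates the redirect target.
async function fetchSourceMapFollowingRedirects(url, fetchImpl) {
  if (!schemeAllowed(url)) throw new Error(`blocked scheme: ${url}`);
  const res = await fetchImpl(url, { redirect: "follow" });
  return res.text();
}

// Fixed: redirect: "error" makes fetch reject as soon as the server answers
// with a 3xx, so the scheme checked above is the scheme actually loaded.
async function fetchSourceMapNoRedirects(url, fetchImpl) {
  if (!schemeAllowed(url)) throw new Error(`blocked scheme: ${url}`);
  const res = await fetchImpl(url, { redirect: "error" });
  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
  return res.text();
}

// Constructed stand-in for the attacker's redirect.php plus a benign map.
const fakeServer = new Map([
  ["https://attacker.example/redirect.php", { status: 302, location: "ms-calculator:" }],
  ["https://attacker.example/good.map", { status: 200, body: '{"version":3,"sources":[]}' }],
]);

// Models the part of fetch() that matters here: with redirect: "follow" the
// Location target is loaded (a non-http(s) target would reach the external
// protocol handler); with redirect: "error" the call rejects. `launched`
// records which protocols a real browser would have handed to the OS.
function makeFakeFetch(launched) {
  return async function fakeFetch(url, opts = {}) {
    const entry = fakeServer.get(url);
    if (!entry) return { ok: false, status: 404, text: async () => "" };
    if (entry.status >= 300 && entry.status < 400) {
      if (opts.redirect === "error") {
        throw new TypeError("fetch rejected: redirect not allowed");
      }
      launched.push(new URL(entry.location).protocol);
      return { ok: true, status: 200, text: async () => "" };
    }
    return { ok: true, status: entry.status, text: async () => entry.body };
  };
}

// Runs both variants against the fake redirect.php and returns what happened.
async function demo() {
  const results = {};

  const launchedVulnerable = [];
  await fetchSourceMapFollowingRedirects(
    "https://attacker.example/redirect.php", makeFakeFetch(launchedVulnerable));
  results.vulnerableLaunched = launchedVulnerable; // ["ms-calculator:"]

  const launchedFixed = [];
  try {
    await fetchSourceMapNoRedirects(
      "https://attacker.example/redirect.php", makeFakeFetch(launchedFixed));
    results.fixedRejected = false;
  } catch {
    results.fixedRejected = true;
  }
  results.fixedLaunched = launchedFixed; // []

  // The fix still loads an ordinary, non-redirecting source map.
  results.goodMap = await fetchSourceMapNoRedirects(
    "https://attacker.example/good.map", makeFakeFetch([]));
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The point the fake server makes explicit is that the scheme allowlist is evaluated on one URL and the protocol handler is invoked for another; denying redirects outright is the smallest change that makes those two URLs the same. Re-checking `response.url` after a followed redirect would also work, but it relies on every caller remembering to do so, whereas `redirect: "error"` fails closed. The comment's other suggestion, moving the fetch into the devtools server, is about process placement and is not shown here.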

Severity: -- → S3
Priority: -- → P3

Hi Daniel,

Could you help assess the priority and severity of this bug?

Flags: needinfo?(dveditz)

Hi Haxatron1,

Thanks for the files and the STR.
I tried following the steps but was not able to reproduce. It does not trigger the external protocol prompt.

Can you clarify whether the victim's platform should be Windows?

The suggestion from Julian makes sense, we could block redirects as a quick, easy fix for this.

Flags: needinfo?(haxatron1)
Attached file source.html
Attachment #9294375 - Attachment is obsolete: true
Attachment #9294376 - Attachment is obsolete: true
Attached file iframe.html (obsolete) —
Attached file iframe.html
Attachment #9294377 - Attachment is obsolete: true
Attachment #9313759 - Attachment is obsolete: true
Flags: needinfo?(haxatron1)

Hi, I've just uploaded a new set of PoCs that can be reproduced on bmoattachments. STR:

  1. Open the iframe.html
  2. Then press F12 to open DevTools; the external protocol prompt should pop up asking to open ms-calculator:

And yes, this reproduces on Windows (for the ms-calculator: prompt). Haven't tried other platforms yet.

Thanks for updating files. I can easily reproduce the issue.

Status: UNCONFIRMED → NEW
Ever confirmed: true
  • Block redirects on sourceMappingUrl
  • Add debugger test
Assignee: nobody → hmanilla
Status: NEW → ASSIGNED

.sjs files depend on redirects to load static files.
In D168648 we block redirects on sourceMappingUrl, so this browser_source_map-reload.js
fails because we use .sjs to serve the content.

This patch refactors to no longer use .sjs files

Depends on D168648

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Flags: needinfo?(dveditz) → in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]

Using the steps in comment 10, I have reproduced this issue in Release v109.0.1 and v111.0.1 and verified the fix in Beta v112.0 (RC) and Nightly v113.0a1.
This issue could only be reproduced in Windows 10. It wouldn't reproduce in Win 7 or any others.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
OS: Unspecified → Windows 10
Hardware: Unspecified → Desktop
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+]
Alias: CVE-2023-29540
Regressions: 1828376
Group: core-security-release