Closed Bug 1790815 (CVE-2022-45404) Opened 2 years ago Closed 2 years ago

Window.print allow focus stealing can be abused to overlap fullscreen security notification

Categories

(Toolkit :: Printing, defect)

Product:
Toolkit
Component:
Printing
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
108 Branch
Tracking Flags:
Tracking Status
firefox-esr102 107+ verified
firefox106 --- wontfix
firefox107 + verified
firefox108 + verified

People

(Reporter: sourc7, Assigned: emilio)

Details

(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main107+][adv-esr102.5+])

Attachments

(6 files)

testcase.html
831 bytes, text/html
Details
Firefox - Window.print focus stealing able to overlap fullscreen notification toast.mp4
230.89 KB, video/mp4
Details
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
dmeehan
: approval-mozilla-esr102+
tjr
: sec-approval+
Details | Review
testcase.auto.html
877 bytes, text/html
Details
Firefox - Window.print focus stealing auto close.mp4
360.42 KB, video/mp4
Details
advisory.txt
272 bytes, text/plain
Details
Attached file testcase.html

After create new child window with window.open then invoke requestFullScreen repeatedly on parent window and window.print() on child window simultaneously, the parent window will turn into full screen, then interestingly child window will be focused and overlapping the fullscreen notification.

Tested on:

  • Firefox Nightly 106.0a1 (2022-09-14) (64-bit) on Windows 11
  • Firefox Nightly 106.0a1 (2022-09-14) (64-bit) on Arch Linux
  • Firefox 104.0.2 (64-bit) on Windows 11
  • Firefox ESR 91.13.0esr (64-bit) on Windows 11

Steps to reproduce:

  1. Visit attached testcase.html
  2. Click "New Window" button
  3. Click "Spoof" button on parent window
  4. Fullscreen notification will be overlapped with child window
    (There is a race possibility that caused window.print on child window to appear late, if that happens please try again)
Flags: sec-bounty?
Group: firefox-core-security → core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Group: core-security → dom-core-security
Keywords: csectype-spoof

Marking S2, since when circumstances are as in the video, this can completely defeat the fullscreen transition warning and cause UI spoofing.

I couldn't repro on Ubuntu on Wayland with 1440 px high screen, though: the print preview window opened lower on the screen relative to the fullscreen warning. One way to fix this would be ensuring that the print preview window always opens at lower coordinates than the fullscreen warning, since that wouldn't require any cross-process checks of what's actually going on. That might not be the optimal UI on less tall screens, though.

needinfoing Edgar for the fullscreen connection and Emilio for the print preview connection.

Severity: -- → S2
Flags: needinfo?(emilio)
Flags: needinfo?(echen)

I am not sure if it is expected that print() called on a inactive window would make the window focused. If so, then making the window that lose the focus exiting the fullscreen might be the thing we should do, so we behave the same as the case that a window.open which will open a new foreground window, in that case we exit the fullscreen, too.

Flags: needinfo?(echen)

There are two window.focus() calls from privileged code that are relevant here. With a patch like this the attack doesn't work:

diff --git a/toolkit/components/printing/content/print.js b/toolkit/components/printing/content/print.js
index 050fd6d37a906..5b9201ca94946 100644
--- a/toolkit/components/printing/content/print.js
+++ b/toolkit/components/printing/content/print.js
@@ -355,7 +355,7 @@ var PrintEventHandler = {
     await new Promise(resolve => window.requestAnimationFrame(resolve));
 
     // Now that we're showing the form, select the destination select.
-    window.focus();
+    // window.focus();
     let fm = Services.focus;
     fm.setFocus(document.getElementById("printer-picker"), fm.FLAG_SHOWRING);
 
diff --git a/toolkit/modules/SubDialog.jsm b/toolkit/modules/SubDialog.jsm
index 652477df40f05..11632a14f003f 100644
--- a/toolkit/modules/SubDialog.jsm
+++ b/toolkit/modules/SubDialog.jsm
@@ -879,7 +879,7 @@ SubDialog.prototype = {
     if (!focusedElement) {
       // Ensure the focus is pulled out of the content document even if there's
       // nothing focusable in the dialog.
-      this._frame.contentWindow.focus();
+      // this._frame.contentWindow.focus();
     }
   },

At a glance, both those things don't really want to raise the window, just to move focus inside a given window. Henri, do you know if there's a nice way of doing that from front-end code? Off-hand I don't see any API that could work for that (but it is probably not too terrible to add it?).

Group: dom-core-security → firefox-core-security
Component: DOM: Core & HTML → Printing
Flags: needinfo?(emilio) → needinfo?(hsivonen)
Product: Core → Toolkit

Err, nevermind, it's trivial I think.

Assignee: nobody → emilio
Assignee: nobody → emilio
Status: NEW → ASSIGNED
Attached file testcase.auto.html

Alright I found that the window.print() focused window can be closed automatically by delaying navigation to the window.close() page, which similar to bug 1735071 the focused window closed automatically.

Clearing ni? to Henri because it was trivial after all. Can I get a sec-rating (and approval if needed)?

Flags: needinfo?(tom)
Flags: needinfo?(hsivonen)
Flags: needinfo?(dveditz)

Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The fix hints at what the problem might be a little bit.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Should backport cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: unlikely, fairly simple fix.
  • Is Android affected?: No
Attachment #9295163 - Flags: sec-approval?

Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz

Approved to land and uplift after beta branches

Flags: needinfo?(tom)
Attachment #9295163 - Flags: sec-approval? → sec-approval+

Don't raise the window for tab-modal SubDialogs and in print. r=Gijs
https://hg.mozilla.org/integration/autoland/rev/d5801e96e111e27cc99a2594f6e4163cb79ad836
https://hg.mozilla.org/mozilla-central/rev/d5801e96e111

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox108: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high

Please nominate this for Beta and ESR102 approval when you get a chance.

status-firefox106: --- → wontfix
status-firefox107: --- → affected
status-firefox-esr102: --- → affected
tracking-firefox107: --- → +
tracking-firefox108: --- → +
tracking-firefox-esr102: --- → 107+
Flags: needinfo?(dveditz) → needinfo?(emilio)

Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz

Beta/Release Uplift Approval Request

  • User impact if declined: comment 0
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: comment 0
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Relatively simple fix.
  • String changes made/needed: none
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: comment 0
  • Fix Landed on Version: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Relatively simple / low-risk fix.
Flags: needinfo?(emilio)
Attachment #9295163 - Flags: approval-mozilla-esr102?
Attachment #9295163 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz

Approved for 107.0b4.

Attachment #9295163 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

I have reproduced this bug on macOS 11, using an affected Nightly build, 106.0a1 (20220914213649).

The issue is verified as fixed on Beta 107.0b4 and latest Nightly 108.0a1, across platforms: Win 10 x64, macOS 11 and Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
status-firefox107: fixedverified
status-firefox108: fixedverified
Flags: qe-verify+

Comment on attachment 9295163 [details]
Bug 1790815 - Don't raise the window for tab-modal SubDialogs and in print. r=mstriemer,Gijs,pbz

Approved for 102.5esr.

Attachment #9295163 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

This is also verified as fixed on 102.5.0esr (20221024131106), using Win 10 x64, macOS 11 and Ubuntu 18.04 x64.

status-firefox-esr102: fixedverified
QA Whiteboard: [qa-triaged]
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main107+]
Attached file advisory.txt
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main107+] → [reporter-external] [client-bounty-form] [verif?][adv-main107+][adv-esr102.5+]
Alias: CVE-2022-45404
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: