Open Bug 1804816 Opened 2 years ago Updated 9 months ago

CSS-drawn mouse cursor 32x32 (zoom out) to hide omnibox

Categories

(Core :: DOM: CSS Object Model, defect)


REOPENED

People

(Reporter: sas.kunz, Unassigned)


Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

When the mouse cursor is drawn at 32x32 and the web page is zoomed out to less than 90%, it is able to bust out of the web content area and can hide the omnibox. Maybe it could be more useful to an attacker if the cursor image were a spoofed URL.

  1. Open https://cr.kungfoo.net/style/cursor/abusive-cursor.html
  2. Zoom out the web page to less than 90% (I used 70%)
  3. Move the cursor to hide the omnibox

I attached the POC video.

Flags: sec-bounty?

On step 3: move the cursor onto the yellow box, then move it to the omnibox.

I used Firefox 107.0.1 (64-bit) on Windows.

Group: firefox-core-security → dom-core-security
Component: Security → DOM: CSS Object Model
Product: Firefox → Core
See Also: → CVE-2022-45418

This seems intentional? We don't block 32x32 or smaller cursors at all, see the code. This is customizable by layout.cursor.block.max-size.

We've had similar problems with this testcase multiple times, and they're usually related to zoom in some way. I filed one on Mac a long while ago that ended up being because of my system scaling setting. In this case it's the Firefox page zoom. They're all really kind of the same, although maybe we'd need to look at different places of possible scaling factors.

"hiding" the awesomebar doesn't seem possible or practical. 32x32 doesn't cover much, and the user isn't going to hold still so you can put some spoof content on it.

The "offset pointer" trick might work, but you don't have a lot of room to work with since you do have to draw your fake pointer in part of that box.

Group: dom-core-security → layout-core-security

I think this is WONTFIX (as in, working as expected). If we wanted to block smaller cursors we could just flip layout.cursor.block.max-size to zero, but when developing this that was deemed not an issue.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Flags: sec-bounty? → sec-bounty-
Group: layout-core-security
Duplicate of this bug: 1864476
Duplicate of this bug: 1866300

Given that the address bar is only 40px high I wouldn't mind lowering the size limit to 16px (simple pref change), or limiting a 32x32px cursor to only bleed over half its size (the same 16px) before reverting to the real pointer (a code change). We should keep talking to Google folks to see if they've seen anything that has made them reconsider the size limit.
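The two policies discussed in this thread, the existing size limit governed by layout.cursor.block.max-size and the proposed "revert to the real pointer once more than half the cursor bleeds over the top edge" rule, modelled as an added example. This is not Firefox code and not the testcase from the report; only the pref name and its described default (32x32 and smaller cursors are never blocked) come from the comments above. The function names, the single conversion from CSS pixels to device pixels (page zoom times device scale), the hotspot/pointer geometry and every sample value are assumptions made for illustration.

```javascript
// Added example, not Firefox code: a model of the cursor policy discussed in
// this bug. Only the pref name layout.cursor.block.max-size and its default
// (32x32 cursors are never blocked) come from the comments; the function
// names, the geometry model and the sample values are assumptions.

// Default for layout.cursor.block.max-size as described in the comments.
const DEFAULT_MAX_SIZE = 32;

// Scale a CSS-pixel cursor value into device pixels, applying page zoom and
// the device scale factor in one place. Earlier reports against the same
// testcase traced back to one of these factors being applied in one code
// path but not another, so the model deliberately has a single conversion.
function toDevicePixels(cssValue, pageZoom, devicePixelRatio) {
  return Math.ceil(cssValue * pageZoom * devicePixelRatio);
}

// Existing behaviour (per the comments): block the custom cursor outright if
// either dimension is larger than the pref.
function exceedsMaxSize(widthDevPx, heightDevPx, maxSize = DEFAULT_MAX_SIZE) {
  return widthDevPx > maxSize || heightDevPx > maxSize;
}

// Proposal from the last comment, modelled: a cursor under the size limit
// still falls back to the real pointer once more than half of it would be
// drawn above the top edge of the content area (i.e. over the address bar).
//   hotspotYDevPx: hotspot row inside the image (the "x y" in `cursor: url(...) x y`),
//                  already converted to device pixels.
//   pointerYDevPx: distance from the pointer hotspot down to the content area's
//                  top edge, in device pixels; 0 means the hotspot is on the edge.
function bleedsPastHalf(heightDevPx, hotspotYDevPx, pointerYDevPx) {
  const rowsAboveEdge = Math.max(0, hotspotYDevPx - pointerYDevPx);
  return rowsAboveEdge > heightDevPx / 2;
}

// Decide what to draw: "custom" (the page's image) or "default" (the real
// pointer). `halfBleedRule` toggles the proposed second check.
function decideCursor({
  cssWidth,
  cssHeight,
  hotspotY = 0,             // CSS px, from the cursor declaration
  pageZoom = 1,             // 0.7 for the reporter's 70% page zoom
  devicePixelRatio = 1,     // OS / display scale factor
  pointerY = Infinity,      // device px; "far from the top edge" unless stated
  maxSize = DEFAULT_MAX_SIZE,
  halfBleedRule = false,
}) {
  const w = toDevicePixels(cssWidth, pageZoom, devicePixelRatio);
  const h = toDevicePixels(cssHeight, pageZoom, devicePixelRatio);
  if (exceedsMaxSize(w, h, maxSize)) return "default";
  if (halfBleedRule) {
    const hotspotDev = toDevicePixels(hotspotY, pageZoom, devicePixelRatio);
    if (bleedsPastHalf(h, hotspotDev, pointerY)) return "default";
  }
  return "custom";
}

// Constructed scenarios (assumed values, not measurements of the testcase).
const scenarios = [
  { name: "32x32, 100% zoom, default pref", input: { cssWidth: 32, cssHeight: 32 } },
  { name: "48x48, 100% zoom, default pref", input: { cssWidth: 48, cssHeight: 48 } },
  { name: "48x48, 50% page zoom", input: { cssWidth: 48, cssHeight: 48, pageZoom: 0.5 } },
  { name: "32x32, pref lowered to 16", input: { cssWidth: 32, cssHeight: 32, maxSize: 16 } },
  { name: "32x32, hotspot at row 31, pointer on the edge, half-bleed rule",
    input: { cssWidth: 32, cssHeight: 32, hotspotY: 31, pointerY: 0, halfBleedRule: true } },
];

function runScenarios() {
  return scenarios.map((s) => ({ name: s.name, result: decideCursor(s.input) }));
}

for (const r of runScenarios()) console.log(`${r.name}: ${r.result}`);
```

The "48x48 at 50% zoom" scenario is the point of the model: the same image is blocked at 100% and allowed once page zoom scales it under the limit, which is why the thread keeps coming back to where each scaling factor is applied. The half-bleed rule caps how much of a 32px image can sit over a 40px address bar at 16 rows regardless of hotspot placement, matching the alternative the last comment proposes to simply lowering the pref.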
