Closed Bug 1832627 (CVE-2024-1548) Opened 2 years ago Closed 1 year ago

select option with hides fullscreen notification, leads to spoof

Categories

(Core :: DOM: Core & HTML, defect)

Tracking


VERIFIED FIXED
123 Branch
Tracking Status
firefox-esr115 123+ verified
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 + verified

People

(Reporter: sas.kunz, Assigned: m_kato)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main123+][adv-esr115.8+])

Attachments

(6 files)

I found a vulnerability where a select option can cover fullscreen notifications which can lead to spoofs.

Steps to reproduce

  1. Open http://103.186.0.20/selectoption2.html or selectoption2.html
  2. Double click, or click 3 times (not fast clicks), on the select option (when the select option is clicked, it covers the fullscreen notification)
Flags: sec-bounty?
Attached file selectoption2.html
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core

I was able to reproduce this on macOS, although the bar covered the notification even less than in the video. It felt like the first click triggered the full screen and the second triggered the select, so maybe it is a bit sensitive to timing.

m_kato, is this the same basic issue as bug 1832195, or do you think it might be different? Thanks.

Flags: needinfo?(m_kato)

(In reply to Andrew McCreight [:mccr8] from comment #3)

m_kato, is this the same basic issue as bug 1832195, or do you think it might be different? Thanks.

As far as I can tell from the sample HTML, this is the same issue.

Flags: needinfo?(m_kato)
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-37204
Resolution: --- → DUPLICATE

This was filed within the collision window of its dupe and is therefore eligible for a split bounty.

Flags: sec-bounty? → sec-bounty+

Hmm, bug 1832195 is a similar bug, but it isn't the same, since this isn't a regression. Reopening this.

Assignee: nobody → m_kato
Status: RESOLVED → REOPENED
No longer duplicate of bug: CVE-2023-37204
Resolution: DUPLICATE → ---
Severity: -- → S2

Hi Makoto! Any updates on this issue? Thanks!

Flags: needinfo?(m_kato)

I asked emilio (https://bugzilla.mozilla.org/show_bug.cgi?id=1832195#c22) whether the notification box (HTML element) can override the select box (XUL element). But there is no way. So I am finding a way to get the notification box's rectangle when showing the select box. I seem to be able to get its rectangle, so I am working on it.

Flags: needinfo?(m_kato)

Hello, any updates?

(In reply to Hafiizh from comment #10)

Hello, any updates?

I am still working on it. We need more work, since I need to fix a timing issue too. I hope that it is ready for review next week.

Severity: S2 → S3

(In reply to Makoto Kato [:m_kato] from comment #11)

(In reply to Hafiizh from comment #10)

Hello, any updates?

I am still working on it. We need more work, since I need to fix a timing issue too. I hope that it is ready for review next week.

Hello, any updates?

See Also: → 1869607
Duplicate of this bug: 1869607

Comment on attachment 9369850 [details]
Bug 1832627 - Popup should be closed. r=edgar!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: When entering full screen by user interaction, if a user script can show the popup of a <select> by the same interaction and can move its element to the same area as the full screen notification box, the notification box stays invisible.

But this depends on a timing issue, so this exploit isn't always successful. An attacker has to find a way to delay opening the select's popup, because opening the popup requires user interaction. It isn't easy.

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 115
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Low. I add a new custom event to close the popup.
  • Is Android affected?: No
Attachment #9369850 - Flags: sec-approval?

Comment on attachment 9369850 [details]
Bug 1832627 - Popup should be closed. r=edgar!

Approved to request uplift and land

Attachment #9369850 - Flags: sec-approval? → sec-approval+

Comment on attachment 9369850 [details]
Bug 1832627 - Popup should be closed. r=edgar!

Beta/Release Uplift Approval Request

  • User impact if declined: When entering full screen by user interaction, if a user script can show the popup of a <select> by the same interaction and can move its element to the same area as the full screen notification box, the notification box stays invisible.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: see comment #0
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low. When showing the full screen notification box, all popups opened by <select> elements are closed.
  • String changes made/needed:
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec bug
  • User impact if declined: When entering full screen by user interaction, if a user script can show the popup of a <select> by the same interaction and can move its element to the same area as the full screen notification box, the notification box stays invisible.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low. When showing the full screen notification box, all popups opened by <select> elements are closed.
Attachment #9369850 - Flags: approval-mozilla-esr115?
Attachment #9369850 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Group: dom-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 2 years ago → 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
QA Whiteboard: [qa-triaged]

Comment on attachment 9369850 [details]
Bug 1832627 - Popup should be closed. r=edgar!

Rejecting beta uplift request.
This landed in central for Fx123 and will ride the train to beta next week.

Attachment #9369850 - Flags: approval-mozilla-beta? → approval-mozilla-beta-

Reproduced the initial issue using an old Nightly build from 2023-04-30 on Windows 11, and using the latest Nightly with the fix I can still kind of reproduce it, but using a kind of pause between clicks (see gif attached), which probably can't be counted as a double click, but I thought it was worth mentioning. It could take a few tries, but you can definitely still make the full screen notification be covered.

Any thoughts?

Flags: needinfo?(m_kato)

(In reply to Bogdan Maris, Desktop QA from comment #22)

Created attachment 9373497 [details]
Gif showing the issue on fixed Nightly

Reproduced the initial issue using an old Nightly build from 2023-04-30 on Windows 11, and using the latest Nightly with the fix I can still kind of reproduce it, but using a kind of pause between clicks (see gif attached), which probably can't be counted as a double click, but I thought it was worth mentioning. It could take a few tries, but you can definitely still make the full screen notification be covered.

Any thoughts?

Before landing this, the notification box was never shown. So this fix shows this box and cancels the popup when this box is animated. So this is expected.

Flags: needinfo?(m_kato)

(In reply to Makoto Kato [:m_kato] from comment #23)

(In reply to Bogdan Maris, Desktop QA from comment #22)

Created attachment 9373497 [details]
Gif showing the issue on fixed Nightly

Reproduced the initial issue using an old Nightly build from 2023-04-30 on Windows 11, and using the latest Nightly with the fix I can still kind of reproduce it, but using a kind of pause between clicks (see gif attached), which probably can't be counted as a double click, but I thought it was worth mentioning. It could take a few tries, but you can definitely still make the full screen notification be covered.

Any thoughts?

Before landing this, the notification box was never shown. So this fix shows this box and cancels the popup when this box is animated. So this is expected.

Thanks. In this case I'll go ahead and mark this as verified fixed on Firefox 123 after I checked on Windows 11, macOS 13 and Ubuntu 22.04, but not closing the bug since esr115 is affected and tracked.

Comment on attachment 9369850 [details]
Bug 1832627 - Popup should be closed. r=edgar!

Approved for 115.8esr.

Attachment #9369850 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Also verified using Firefox 115.8.0esr build across platforms (Windows 11, macOS 13.6 and Ubuntu 22.04).

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main123+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main123+] → [reporter-external] [client-bounty-form] [verif?][adv-main123+][adv-esr115.8+]
Attached file advisory.txt
Alias: CVE-2024-1548
Group: core-security-release