Closed Bug 1834949 Opened 1 year ago Closed 1 year ago

Fix 1816287 can be Bypassed using setInterval/setTimeout Functions

Categories

(Core :: DOM: Core & HTML, defect)


Tracking


RESOLVED DUPLICATE of bug 1821884
116 Branch
Tracking Status
firefox116 --- fixed

People

(Reporter: fazim.pentester, Assigned: edgar)

References

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main116-])

Attachments

(4 files)

Attached file poc.zip

The fix applied in the report (https://bugzilla.mozilla.org/show_bug.cgi?id=1816287) to address full-screen notification obscuration in Firefox using a maximized external application can be bypassed by utilizing the "setInterval" function.

Tested on latest Firefox Nightly (115.0a1) build

Flags: sec-bounty?
Attached file poc.html
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Severity: -- → S2
Flags: needinfo?(sefeng)
Flags: needinfo?(echen)
See Also: → CVE-2023-37207

Rating the same as bug 1816287 assuming this works. It doesn't seem to on Mac: I get console errors

⚠️ Request for fullscreen was denied because requesting element is not in the currently focused tab.
❗ Uncaught (in promise) TypeError: Fullscreen request denied

which I think means the previous fix is working on Mac. Or maybe it's because I've got "ask every time" turned on?

Let's wait for bug 1821884 to be resolved first; the solution there might help this as well.

Depends on: CVE-2023-4051
Flags: needinfo?(sefeng)
Flags: needinfo?(echen)
Blocks: 1828276
No longer blocks: 1828276
Summary: Bypassing for Full-Screen Notification Obscuration in Firefox (Using maximized external application) → Bypassing for fix 1816287 (Using maximized external application)
Summary: Bypassing for fix 1816287 (Using maximized external application) → Fix 1816287 can be Bypassed using setInterval/setTimout Functions

(In reply to Edgar Chen [:edgar] from comment #3)

Let's wait for bug 1821884 to be resolved first; the solution there might help this as well.

Did this work out, i.e. has this been addressed by that fix?

Flags: needinfo?(echen)

Hmm, I could not reproduce this on Mac, Linux or Windows; I always got

Request for fullscreen was denied because requesting element is not in the currently focused tab.

So I cannot verify, but I believe it should be, as long as we update the focus properly when another application is opened.

Flags: needinfo?(echen)

Reporter, are you still seeing this on today's nightly build? (https://nightly.mozilla.org/ )

Flags: needinfo?(fazim.pentester)

(In reply to :Gijs (he/him) from comment #6)

Reporter, are you still seeing this on today's nightly build? (https://nightly.mozilla.org/ )

Yes, this PoC still works on the latest Firefox Nightly build 116.0a1 (2023-06-11) (64-bit).

Flags: needinfo?(fazim.pentester)

(In reply to Shaheen Fazim from comment #7)

(In reply to :Gijs (he/him) from comment #6)

Reporter, are you still seeing this on today's nightly build? (https://nightly.mozilla.org/ )

Yes, this PoC still works on the latest Firefox Nightly build 116.0a1 (2023-06-11) (64-bit).

Oh, I tested it again, and it's not working.

(In reply to Shaheen Fazim from comment #8)

Oh, I tested it again, and it's not working.

I assume you see the fullscreen notification after switching focus back to the browser window that is in fullscreen mode, am I correct? Thanks!

Attached image nice-fix.png

(In reply to Edgar Chen [:edgar] from comment #9)

I assume you see the fullscreen notification after switching focus back to the browser window that is in fullscreen mode, am I correct? Thanks!

Yes.

Attached video demo.mp4

Thanks for the video. This has been addressed by bug 1821884, i.e. the fullscreen notification isn't hidden by other applications, so marking as RESOLVED FIXED.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Assignee: nobody → echen
Group: dom-core-security → core-security-release
Target Milestone: --- → 116 Branch
Duplicate of bug: CVE-2023-4051
Resolution: FIXED → DUPLICATE

This turned out to be a duplicate of, despite the variation in what alternate window was used in the PoC.

Flags: sec-bounty? → sec-bounty-

(In reply to Frederik Braun [:freddy] from comment #15)

This turned out to be a duplicate of, despite the variation in what alternate window was used in the PoC.

Can you please CC me?

Thanks 😄

Oh, this is a different method I didn't think of. Nice! Even if there's a new method, I guess fixing this will prevent these issues. Thanks for the fixes, @edgar and @sefeng.

See Also: → CVE-2023-4053
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [adv-main116-]
Group: core-security-release
