Closed Bug 1839079 (CVE-2023-4053) Opened 2 years ago Closed 2 years ago

New Update Hide Full Screen Popup Ui Windows with mailto: link

Categories

(Core :: DOM: Core & HTML, defect)

Firefox 115
defect

Tracking

VERIFIED FIXED
117 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 117+ verified
firefox115 --- wontfix
firefox116 + verified
firefox117 + verified

People

(Reporter: Puf, Assigned: edgar)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [adv-main116+] [adv-esr115.2+])

Attachments

(7 files)

Attached video Puf POC Firefox.mp4

Steps to reproduce:

OS: Windows 10

Last time I reported the same type of bug, using mailto: to hide the fullscreen popup UI, but it was closed as a duplicate.

But this time I came with a new vulnerability: now we can hide the fullscreen popup UI
using mailto: + the setTimeout function in JS in the Firefox browser on Windows.

  1. I have created an HTML page.

  2. And I have added a button with two functions bound to the one button.

One function opens the mailto: link.

The second function is:

function PufWin() {
  // Delay the fullscreen request so it runs after the mailto: handler has opened the mail client.
  setTimeout(function () {
    document.documentElement.requestFullscreen();
  }, 100);
}

Now let's click on the [Button].

Actual results:

First it will open the mailto: link in the Outlook application, and then it will go into fullscreen mode in the background without the user/victim knowing.

Expected results:

It should prevent/stop the mailto: link at the time of entering fullscreen mode.

Attached file POC Code.html

More Reference : https://bugzilla.mozilla.org/show_bug.cgi?id=1837600 = Duplicate of bug: 1816287

Other people also reported the same thing, unfortunately. This was fixed by bug 1821884, the fix for which is not present in Firefox 115, the version you tested with. You should be able to verify the issue is fixed in Firefox 116 (https://nightly.mozilla.org/)

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-4051
Resolution: --- → DUPLICATE
See Also: → 1837600

Hello

I have tested in Nightly and I think my vulnerability is different.
My bug is working fine in Nightly too.

Please verify once.
Thank You

Attached video Update POC Video.mp4

Tested in version 116.0a1.

My bug is completely different because this vulnerability uses the Outlook application to hide the fullscreen UI popup.

I'll reopen per your comment, but I can't reproduce the video. When I close the mail window, which restores focus to Firefox, the fullscreen warning shows a second time, which is what is expected here after the fix from bug 1821884. Is it possible the screen recorder or some other application is stealing focus here once the mail window closes, or something? What happens if instead of clicking the [x], you just click in the blank space in the document instead?

Edgar, can you check what's happening here, in case I'm missing something?

Group: firefox-core-security → dom-core-security
Status: RESOLVED → REOPENED
Component: Untriaged → DOM: Core & HTML
No longer duplicate of bug: CVE-2023-4051
Ever confirmed: true
Flags: needinfo?(pufind1an)
Flags: needinfo?(echen)
Product: Firefox → Core
Resolution: DUPLICATE → ---
See Also: → CVE-2023-4051

(In reply to Puf from comment #6)

My Bug is Completely Different Because This Vulnerability Uses Outlook Application to Hide Full Screen Ui Popup

I duped because one of the other dupes of that bug is:

Fix 1816287 can be Bypassed using setInterval/setTimout Functions

which is exactly what you're doing here.

The point is that we decided to fix by re-showing the warning once the window regains focus. This should also fix the case where the initial warning is hidden by an external application like a mail client. As I said, I cannot reproduce your video so it's not clear to me why the fix isn't working on your machine.

Let me explain.

I have tested with a Microsoft Edge link, but this bug is not working in Edge in the latest 116.0a1.
The window regains focus when we try to open it in the Edge browser, and it shows the fullscreen popup again.

But the bug is working fine with the Outlook application; I have tested it multiple times on my system. With Outlook the focus handling is not working:
in the background the popup comes and goes back.

I hope you understand, sir.

Flags: needinfo?(pufind1an)

I got the point here: when I click inside the Outlook application, the popup goes back.

Attached video NewPOC Video.mp4

The issue is that when a user/victim clicks inside the application, the popup goes back.

I have attached the video.

When I click on Discard/Send or any other option, anywhere in the Outlook application, the fullscreen popup goes back.

(In reply to Puf from comment #13)

I Click on Discard/Send or any Other Options, Anywhere in Outlook Application the Full Screen Popup Go back.

I'm not sure what this is trying to say. Are you saying you see different results depending on whether you interact / don't interact with outlook?

What does "go back" mean here - you mean it hides, or it reshows, or it doesn't reshow, or...?

Flags: needinfo?(pufind1an)

"go back" = I mean it hides

Flags: needinfo?(pufind1an)

When we click on Outlook the fullscreen popup hides. I have recorded a complete new POC video.

  1. The victim clicks on the button on the page.

  2. The Outlook application immediately opens.

  3. Example: now the user/victim tries to click on Discard, or clicks on any option in the Outlook application.

When the user/victim tries to interact with Outlook, the fullscreen UI popup hides in the background without the user/victim knowing.

I hope you understand.

I have recorded a new updated POC video, please check it out.

So from the video in comment 11, Outlook is opened first and then the browser window goes into fullscreen, but Outlook is still the top-most window. In theory, the fullscreen notification should be hidden immediately and re-shown again when the browser gets focus back. But it seems somehow focus isn't updated properly and the browser thinks it still has the focus, so the fix from bug 1821884 doesn't work. I could also reproduce the same behavior on my Windows machine.

I think this is basically the same as bug 1834949 with a different timer value setup.

(In reply to Edgar Chen [:edgar] from comment #17)

So from the video in comment 11, Outlook is opened first and then browser window goes into fullscreen, but the Outlook is still the top-most window.

In such a case, we receive the following messages from Windows:

  • WM_ACTIVATE with WA_ACTIVE
  • WM_SETFOCUS
  • WM_WINDOWPOSCHANGED with the SWP_NOACTIVATE flag set

There is no WM_ACTIVATE with WA_INACTIVE and no WM_KILLFOCUS, so the widget didn't notify WindowDeactivated. It seems we should handle activation changes when receiving the WM_WINDOWPOSCHANGED message as well.

Flags: sec-bounty?

(In reply to Edgar Chen [:edgar] from comment #19)

There is no WM_ACTIVATE with WA_INACTIVE and no WM_KILLFOCUS, so the widget didn't notify WindowDeactivated. It seems we should handle activation changes when receiving the WM_WINDOWPOSCHANGED message as well.

We do receive a WM_KILLFOCUS message when we are no longer the foreground application; then we switch to fullscreen and receive WM_WINDOWPOSCHANGED, and we notify that we are activated in https://searchfox.org/mozilla-central/rev/9a4666e63199bd1bcfc9095f6efec3488c358458/widget/windows/nsWindow.cpp#9511-9513, but we are not actually the foreground application.

Flags: needinfo?(echen)
Assignee: nobody → echen
Severity: -- → S3
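The message sequence in comments 19 and 20, and the fix "activate the window only when it is the foreground window", are easiest to follow as a small state machine. The model below is an added example written for this page; it is not Firefox's nsWindow code. The WM_*/WA_*/SWP_* names are locally defined stand-ins so it compiles without windows.h, the `foreground` field stands in for what GetForegroundWindow() would report, and the replayed message sequence is constructed from the thread's description. The fullscreen-warning policy it encodes (hide on deactivation, re-show on the next activation) is the bug 1821884 behaviour as described in the comments above.

```c
/* Added example, not Firefox code: models the activation-tracking defect from
 * comments 19 and 20 and the corrected WM_WINDOWPOSCHANGED condition. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the Win32 identifiers named in the thread. */
enum msg { MSG_ACTIVATE, MSG_SETFOCUS, MSG_KILLFOCUS, MSG_WINDOWPOSCHANGED };
enum { WA_INACTIVE_ = 0, WA_ACTIVE_ = 1, SWP_NOACTIVATE_ = 0x0010 };
enum { HWND_BROWSER = 1, HWND_MAILCLIENT = 2 };

struct event {
    enum msg m;
    int wparam;      /* WA_* for MSG_ACTIVATE, SWP_* flags for MSG_WINDOWPOSCHANGED */
    int foreground;  /* what GetForegroundWindow() would return at that moment (assumed) */
};

struct window {
    int hwnd;
    bool fullscreen;
    bool believes_active;   /* widget-layer state behind WindowActivated/WindowDeactivated */
    int warnings_seen;      /* fullscreen warnings shown while the browser was foreground */
    int warnings_hidden;    /* warnings shown while another application was on top */
};

struct outcome { int seen; int hidden; };

/* Warning policy as described for bug 1821884: shown on an activation
 * transition, hidden on deactivation, re-shown on the next activation. */
static void window_activated(struct window *w, int foreground) {
    if (w->believes_active) return;      /* no transition, so nothing is re-shown */
    w->believes_active = true;
    if (w->fullscreen) {
        if (foreground == w->hwnd) w->warnings_seen++;
        else w->warnings_hidden++;
    }
}

static void window_deactivated(struct window *w) {
    w->believes_active = false;          /* the warning is hidden at this point */
}

/* `fixed` selects the corrected condition for MSG_WINDOWPOSCHANGED. */
static void handle(struct window *w, const struct event *e, bool fixed) {
    switch (e->m) {
    case MSG_ACTIVATE:
        if (e->wparam == WA_INACTIVE_) window_deactivated(w);
        else window_activated(w, e->foreground);
        break;
    case MSG_SETFOCUS:
        window_activated(w, e->foreground);
        break;
    case MSG_KILLFOCUS:
        window_deactivated(w);
        break;
    case MSG_WINDOWPOSCHANGED:
        /* Old behaviour (comment 20): report activation on the position change that
         * accompanies entering fullscreen even though another application is in the
         * foreground. Fixed: only when we really are the foreground window. */
        if (!fixed || e->foreground == w->hwnd) window_activated(w, e->foreground);
        break;
    }
}

/* Replays the constructed sequence: the mail client takes the foreground, the
 * page's timer enters fullscreen, and the user later clicks back into the browser. */
struct outcome replay(bool fixed) {
    struct window w = { HWND_BROWSER, false, true, 0, 0 };
    const struct event seq[] = {
        { MSG_KILLFOCUS, 0, HWND_MAILCLIENT },                      /* mailto: opens the mail client */
        { MSG_WINDOWPOSCHANGED, SWP_NOACTIVATE_, HWND_MAILCLIENT }, /* delayed requestFullscreen() */
        { MSG_ACTIVATE, WA_ACTIVE_, HWND_BROWSER },                 /* user clicks back into the browser */
        { MSG_SETFOCUS, 0, HWND_BROWSER },
    };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        if (seq[i].m == MSG_WINDOWPOSCHANGED) w.fullscreen = true;
        handle(&w, &seq[i], fixed);
    }
    struct outcome o = { w.warnings_seen, w.warnings_hidden };
    return o;
}

int main(void) {
    struct outcome old = replay(false), fix = replay(true);
    printf("old:   seen=%d hidden=%d\n", old.seen, old.hidden);
    printf("fixed: seen=%d hidden=%d\n", fix.seen, fix.hidden);
    return 0;
}
```

With the old condition the only warning is shown while the mail client covers the browser, and the later real activation is not a transition, so nothing is re-shown; with the foreground check the browser stays "deactivated" until it genuinely becomes the foreground window, and the warning appears where the user can see it. The model does not cover the other outcome QA observed after the fix (Firefox briefly entering and then leaving fullscreen), which depends on timing the model does not represent.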

Comment on attachment 9342444 [details]
Bug 1839079 - Activate the window only when it is the foreground window; r?cmartin,rkraesig

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I don't think it is trivial to construct an exploit.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Patch should be applied cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: This gives a correct condition and also prevents a hypothetical bug; it should be safe.
  • Is Android affected?: No
Attachment #9342444 - Flags: sec-approval?

The bug is marked as tracked for firefox116 (beta) and tracked for firefox117 (nightly). However, the bug still has low severity.

:hsinyi, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(htsai)

Comment on attachment 9342444 [details]
Bug 1839079 - Activate the window only when it is the foreground window; r?cmartin,rkraesig

Approved to land and request uplift

Attachment #9342444 - Flags: sec-approval? → sec-approval+
Pushed by echen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0243833959b9 Activate the window only when it is the foreground window; r=rkraesig
Flags: sec-bounty? → sec-bounty+
See Also: → 1834949, CVE-2023-37207
Flags: needinfo?(htsai)

The patch landed in nightly and beta is affected.
:edgar, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox116 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(echen)

Comment on attachment 9342444 [details]
Bug 1839079 - Activate the window only when it is the foreground window; r?cmartin,rkraesig

Beta/Release Uplift Approval Request

  • User impact if declined: Fullscreen notification might be hidden by other application and the user might be confused.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Steps:

Expected result:

  • Browser doesn't get into fullscreen mode, or
  • Fullscreen notification is shown after browser becomes foreground application.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This gives a correct condition and also prevents a hypothetical bug; it should be safe.
  • String changes made/needed: None
  • Is Android affected?: No
Flags: needinfo?(echen)
Attachment #9342444 - Flags: approval-mozilla-beta?
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Comment on attachment 9342444 [details]
Bug 1839079 - Activate the window only when it is the foreground window; r?cmartin,rkraesig

Approved for 116.0b7

Attachment #9342444 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attached image 1839079.gif

Reproduced the issue on Windows 11x64 with Firefox 116.0a1 (2023-06-20). I reproduced it on Windows 10x64 with an affected build as well, but the reproducing rate is more intermittent on Windows 10 for some reason. After clicking the Click Me! button the Mail application is opened, Firefox is changed to Fullscreen in the background and the fullscreen notification is not visible if the Mail app is over the notification.

I can no longer reproduce the issue with Firefox 117.0a1 (2023-07-18) and Firefox 116.0b7 on Windows 10x64 and Windows 11x64 (tried multiple times). The fullscreen notification is no longer displayed because after clicking the Click Me! button Firefox enters fullscreen for a brief time and then exits again. Also, clicking the Click Me! button and then rapidly clicking the page to focus Firefox will change Firefox to fullscreen, and the fullscreen notification will be displayed while the Mail app is in the background.

I have also made a screen recording of both behaviors. Is it ok that after clicking the Click Me! button Firefox enters and exits fullscreen while opening the Mail app, or am I doing something wrong? Thank you in advance!

Flags: needinfo?(echen)

(In reply to Alexandru Trif, Desktop QA [:atrif] from comment #32)

I can no longer reproduce the issue with Firefox 117.0a1 (2023-07-18) and Firefox 116.0b7 on Windows 10x64 and Windows 11x64 (tried multiple times). The fullscreen notification is no longer displayed because after clicking the Click Me! button Firefox enters fullscreen for a brief time and then exits again. Also, clicking the Click Me! button and then rapidly clicking the page to focus Firefox will change Firefox to fullscreen, and the fullscreen notification will be displayed while the Mail app is in the background.

This is the expected behavior, what you should observe is either:

  • Firefox entering fullscreen mode and then exiting it
  • Or Firefox still proceeding to fullscreen mode and showing a notification when it becomes the foreground application.

The exact outcome depends on timing, so the results could vary based on your environment/machine. Thanks!

Flags: needinfo?(echen)

(In reply to Edgar Chen [:edgar] from comment #33)

This is the expected behavior, what you should observe is either:

  • Firefox entering fullscreen mode and then exiting it
  • Or Firefox still proceeding to fullscreen mode and showing a notification when it becomes the foreground application.

The exact outcome depends on timing, so the results could vary based on your environment/machine. Thanks!

Thank you for the detailed response. I'm going to change the flags based on comment 32 and comment 33, because the browser enters and exits fullscreen as expected after clicking the Click Me! button, and if focus is moved rapidly to the browser after clicking the button the browser enters fullscreen and the notification is displayed.

Whiteboard: [adv-main116+]

Comment on attachment 9342444 [details]
Bug 1839079 - Activate the window only when it is the foreground window; r?cmartin,rkraesig

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This can make the solution for bug 1821884 work more properly on Windows.
  • User impact if declined: Fullscreen notification might be hidden by other application and the user might be confused.
  • Fix Landed on Version: 117
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This gives a correct condition and also prevents a hypothetical bug; it should be safe.
Attachment #9342444 - Flags: approval-mozilla-esr115?

Comment on attachment 9342444 [details]
Bug 1839079 - Activate the window only when it is the foreground window; r?cmartin,rkraesig

Approved for 115.2esr.

Attachment #9342444 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Whiteboard: [adv-main116+] → [adv-main116+] [adv-esr115.2+]

Verified fixed with Firefox 115.2.0esr on Windows 11x64. After clicking the Click me button from the attached test case, Firefox enters and exits fullscreen and the mail application is opened as expected per comment 33. Thank you!

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Group: core-security-release
Alias: CVE-2023-4053