Closed Bug 1855030 (CVE-2024-0606) Opened 1 year ago Closed 11 months ago

iOS Firefox Focus UXSS

Categories

(Focus :: Security: iOS, defect)

Firefox 122
defect

Tracking

(firefox122+ fixed)

VERIFIED FIXED
Tracking Status
firefox122 + fixed

People

(Reporter: proof131072, Assigned: lmarceau)

References

Details

(Keywords: csectype-sop, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(6 files)

We are able to achieve UXSS on iOS Firefox Focus with window.open().

document.write shows we are escalating to legitimate top origin site.

PoC demo

Legitimate Top Origin Site: https://qrcodescanerror.000webhost.com/UXSS.php

<iframe src="https://pwning.click/uxsstester.php"/></iframe>

Cross-Origin Malicious Evil Site: https://pwning.click/uxsstester.php

<script>
function a(){
	window.open('javascript:document.write(document.domain)', 'x');
	setTimeout(function(){
		window.open('');
	}, 500000);
}
</script> 
<center><input type="button" class="button" value="Trigger UXSS!" onclick="a()"></center>
Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Security: iOS
Product: Firefox → Focus

The site https://qrcodescanerror.000webhost.com/UXSS.php appears down or unreachable from California. Thank you for including the testcase source in the bug this time.

I could not reproduce the claimed UXSS using the the PoC I attached based on comment 0. Since the main work is done by the framed pwning.click page it shouldn't have been possible for me to screw that up, but please check.

The results I see:

  • clicking on the "Trigger UXSS" button causes a new window
  • that window says "about:blank" in the address bar (expected for script-created content)
  • the content of the window says pwning.click (the output of document.domain)
  • never see a second window open after a 500 second timeout even though I kept my device from going asleep for more than the full 8+ minutes. I'm not sure what opening a blank window that late would accomplish, plus I'd expect safari to block it since the "user activation" was already consumed by the first popup.

I don't see an XSS here: the framed content was hosted at pwning.click, and the new window also appears to be the domain pwning.click.

Expected results according to comment 0

My interpretation of "document.write shows we are escalating to legitimate top origin site." (which matches my definition of XSS) means I should have seen the text bug1855030.bmoattachments.org, or if I was able to load the site mentioned in comment 0 I should have seen qrcodescanerror.000webhost.com

I'm using Firefox for iOS 117.3, on iOS 16.7

James: what version of FIrefox for iOS were you testing? Can you still reproduce this? What version of iOS do you have, and can you reproduce this on the Safari on your machine?

Flags: needinfo?(proof131072)

Latest iOS and please test on Firefox Focus not Firefox.

Flags: needinfo?(proof131072)

And no, it doesn't work on Safari but only on Focus. I also confirmed that JavaScript runs on Top Origin Site https://bug1855030.bmoattachments.org with your attached test case.

There is also a side impact of Focus showing empty address bar, which is an example of blank address bar spoof to use it together with https://bugzilla.mozilla.org/show_bug.cgi?id=1853592 so I'll add it on that report.

Please note that for both reports, there was some confusion from your side since testing should be done on "Focus" but it was done on Firefox.

I understand this can happen time to time so please check on that part and test on Focus. Thanks!

please test on Firefox Focus not Firefox.

Ugh, sorry, wasn't paying enough attention to what I was doing.

See Also: → CVE-2024-0605

If this isn't fixed by the same thing as bug 1855575 then this is sec-high.

The severity field is not set for this bug.
:jeevans, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jeevans)

I believe this is sec-critical due to identical impact to bug id 1719026 Android Firefox Focus Semi-UXSS I discovered before which was assigned as sec-critical without Full UXSS part I described on https://bugzilla.mozilla.org/show_bug.cgi?id=1719814 because of https://bugzilla.mozilla.org/show_bug.cgi?id=1719026#c8 (it's a reliable and easy attack vector that could spread quickly once known, and will be easy to deduce from most imaginable ways of patching this.)

Checking this as well, what are the steps here

visit: https://bug1855030.bmoattachments.org/ and then I land or bugzilla. While going https://pwning.click/uxsstester.php nothing happens.

Tap on Cool Genius Cat to reproduce this issue, thanks!

Attached file 1855030.html

But how would one do that on a Focus browser, this needs to be deployed to a webpage page right?

My steps are

You just need to click it which will load https://bug1855030.bmoattachments.org/attachment.cgi?id=9365073 and you can test it on there. document.domain should return the Origin we're running JavaScript which is https://pwning.click not https://bug1855030.bmoattachments.org

Try that by clicking on the attachment or on https://bug1855030.bmoattachments.org/attachment.cgi?id=9365073 not https://pwning.click/uxsstester.php

https://pwning.click/uxsstester.php is a main but frame document to test this UXSS vulnerability.

typo: *is not a main

Comment on attachment 9365077 [details]
Screenshot 2023-11-22v2.png

Tapping on the attachment shows its loading, is that what you meant James?

Yes, thanks for the confirmation!

Dan also explained this behaviour on https://bugzilla.mozilla.org/show_bug.cgi?id=1855030#c3 "Expected results according to comment 0" FYI.

Few things here
a) Focus doesn't have multi window support so I am not sure if this particular script is what I would consider UXSS
b) You are trying to run javascript and want to control that in WKWebview, that isn't something directly possible unless we disable it as whole. Firefox (Desktop) does the same by opening in a new link. You see about:blank in Firefox desktop as its a new tab. However in Focus we use the same webview and create one on top of the same webview.

I am not aware of any api that I can use that would help us intersect the request from that a() link

This is UXSS because of the reason you explained on "a)". Please check Android Firefox Focus version of this vulnerability I found before on https://bugzilla.mozilla.org/show_bug.cgi?id=1719026

Reply to "b)": I'm not trying but it's already UXSS since you can check document.domain value returned Top Origin site allowing to run any JavaScript (I know the size is small so it could be hard to see that but could be clearly checked from https://bugzilla.mozilla.org/show_bug.cgi?id=1855030#c19

Thanks! could we check we can reproduce https://bugzilla.mozilla.org/show_bug.cgi?id=1855117 and I have other bug that I'll report soon which I can prove this and https://bugzilla.mozilla.org/show_bug.cgi?id=1855117 is different root cause. Please also let me know on reproducing https://bugzilla.mozilla.org/show_bug.cgi?id=1855575 sometime later!

Thanks.

Attached file GitHub Pull Request
Assignee: nobody → lmarceau
Version: unspecified → Firefox 122

Hello, can someone help me with some steps on what needs to be verified here?
I wanna verify the fix and I wanna see how it was before and how it's now to make sure I verify it correctly.

I will ping you with steps [:andrei]

Verified as fixed on v9000 (17517) with iPhone 15 Pro (17.1.2).
Please note that there was no JS on the URL.
After tapping on the genius cat nothing happened.

Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: mobile-core-security → core-security-release
Alias: CVE-2024-0606

This patch adds a call to URIFixup(), but presumably that only helps because the fix for bug 1855575 added a check for "javascript:" in URIFixup

Depends on: CVE-2024-0605
Flags: needinfo?(jeevans)
Attached file advisory.txt

[Tracking Requested - why for this release]:

Flags: sec-bounty? → sec-bounty+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: