Closed Bug 1860065 (CVE-2024-1550) Opened 1 year ago Closed 1 year ago

Cursor mouse move automatically after fullscreen mode (using requestPointerLock()) lead to clickjacking

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
124 Branch
Tracking Flags:
Tracking Status
firefox-esr115 123+ verified
firefox122 --- wontfix
firefox123 + verified
firefox124 + verified

People

(Reporter: sas.kunz, Assigned: edgar)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [overlap with 1857430--eval bounties at the same time][reporter-external] [client-bounty-form] [verif?][adv-main123+][adv-esr115.8+])

Attachments

(11 files, 2 obsolete files)

bandicam 2023-10-19 20-55-22-457.mp4
3.07 MB, video/mp4
Details
new.html
243 bytes, text/html
Details
lock2-5.html
1.89 KB, text/html
Details
permissionshow.html
800 bytes, text/html
Details
mos.jpg
4.02 KB, image/jpeg
Details
lock2-5_new.html
1.34 KB, text/html
Details
bandicam 2023-11-03 20-40-41-123_muted.mp4
642.25 KB, video/mp4
Details
Bug 1860065 - Use sLastScreenPoint to restore mouse position after releasing pointer lock; r?smaug
48 bytes, text/x-phabricator-request
tjr
: sec-approval+
Details | Review
Bug 1860065 - Use sLastScreenPoint to restore mouse position after releasing pointer lock; r?smaug
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1860065 - Use sLastScreenPoint to restore mouse position after releasing pointer lock;
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
advisory.txt
362 bytes, text/plain
Details

i found vulnerability where Cursor mouse move automatically after fullscreen mode lead to spoof (it allow permission)

  1. open new.html
    2.,click open button
  2. after popup shown click once on 3-5 click button until popup window shown , then click 3-5 times

OS: Windows 10
119.0b9 (64-bit)

Flags: sec-bounty?
Attached file new.html
Attached file lock2-5.html
Attached file permissionshow.html
Attached image mos.jpg

Hello any updates?

I don't understand the "spoof" in the summary. The URL bar is visible and shows the right things, as far as I can tell?

ISTM the think this is about is clickjacking because requestPointerLock moves the mouse. Is that right?

Group: firefox-core-security → dom-core-security
Component: Security → DOM: CSS Object Model
Flags: needinfo?(sas.kunz)
Product: Firefox → Core
Summary: Cursor mouse move automatically after fullscreen mode lead to spoof → Cursor mouse move automatically after fullscreen mode (using requestPointerLock()) lead to clickjacking

Yes, it's true that this is clickjacking because the mouse cursor moves automatically after fullscreen mode

Flags: needinfo?(sas.kunz)
Component: DOM: CSS Object Model → DOM: Core & HTML
Keywords: csectype-priv-escalation, sec-moderate
Severity: -- → S3

I think this should be an S2. It does require some specific user interaction, but the results are rather bad. We should at least figure out how hard it is to fix.

Severity: S3 → S2
Attached file lock2-5_new.html

i created simple poc

Attached video bandicam 2023-11-03 20-40-41-123.mp4 (obsolete) —
Attachment #9361827 - Attachment is obsolete: true

POC:

  1. open lock2-5_new.html
  2. click fastly on the button 3-6 times

I don't understand why this bug is given sec-moderate while my other report with something similar like this is given sec-high (https://bugzilla.mozilla.org/show_bug.cgi?id=1857430)

They are both in the mushy borderline of potentially high impact vs requiring too much victim participation. "click here to win a prize" exploits are a true sec-high. "play my game" exploits will have high impact, but only on a limited number of victims because no one's got time for games like that. If you've got the skills to make a compelling enough game you would make more legit money on games than scamming people for camera permission.

As a result the ratings in this zone depend a lot on the people in the room when we triage and probably our mood. Today when I look at these two bugs again I might call this one sec-high as more convincing, and the other bug sec-moderate. But they're obviously related. Depending on how bug 1857430 is fixed that might make this bug even less convincing, because in part you're taking advantage of the same "button-enable timer is already running during the transition" effect.

Bug bounties for highest-moderate and lowest-high are in the same range, if that's your concern. I'll raise this one for now, but we need to reevaluate when we know how much the fix for one affects the other.

Keywords: sec-moderatesec-high
See Also: → CVE-2023-6206
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [overlap with 1857430--eval bounties at the same time][reporter-external] [client-bounty-form] [verif?]
See Also: → CVE-2024-0750

Bug 1863083 is about using moveTo to trick the user into clicking on a permission dialogue which is kind of in the same general ballpark.

Paul, is this something that should be dealt with in the permissions code like bug 1857430? If so, we can move it over there. Thanks.

Flags: needinfo?(pbz)

Isn't the bug here rather that pointerlock changes the mouse position? Bug 1857430 doesn't address the mouse move issue. It does however make the issue less severe by making sure the button isn't clickable for longer.

Flags: needinfo?(pbz) → needinfo?(continuation)

I don't know what the bug is, that's why I was asking. Thanks, I'll leave it here then.

Flags: needinfo?(continuation)

When pointer lock is requested, we store the mouse position and attempt to reset the mouse to the same position after pointer lock is released. These actions are all handled in content process, but content process might not always know the precise position of the mouse, e.g. mouse is not on the web content, but somewhere else. In such case, mouse is reset to top-left of content after pointer lock. We probably should handle that in parent process, rather than content process.

Edgar, assigning this to you since you've been investigating this and exploring the best solution.

Assignee: nobody → echen
Blocks: pointer-lock

The fix might require two things,

  • Lock pointer to <xul browser> also in parent process when content requests pointer lock.
  • Handle reset-pointer-to-central in parent process (now it is handled in content process).

Bug 1255338 is a more generic change which should also fix this.

Depends on: 1255338

When I am working on bug 1255338, I found there is a simpler patch that can improve this bug, though it doesn't fully fix the underlying issue, but the patch is simpler and can be uplifted safely. The full fix will still be handled in bug 1255338.

Can security bugs depend on non-security bugs?

Flags: needinfo?(dveditz)

(In reply to Hafiizh from comment #25)

Can security bugs depend on non-security bugs?

Yes, that's fine. The dependence is hidden from people who don't have security access. The main issue is ensuring that the patch gets uplifted everywhere that is appropriate, but that can usually be tracked in the security bug.

Flags: needinfo?(dveditz)
Attachment #9368856 - Attachment description: Bug 1860065 - Use sLastScreenPoint to restore mouse position after releasing pointer lock; → Bug 1860065 - Use sLastScreenPoint to restore mouse position after releasing pointer lock; r?smaug

Comment on attachment 9368856 [details]
Bug 1860065 - Use sLastScreenPoint to restore mouse position after releasing pointer lock; r?smaug

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It may not be difficult; the patch indicates that the problem is related to the mouse position resetting after exiting pointer lock.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: The patch should be applied without too much conflicts.
  • How likely is this patch to cause regressions; how much testing does it need?: It should be safe; the change is not complicated.
  • Is Android affected?: Yes
Attachment #9368856 - Flags: sec-approval?

Comment on attachment 9368856 [details]
Bug 1860065 - Use sLastScreenPoint to restore mouse position after releasing pointer lock; r?smaug

Approved to land and uplift if desired

Attachment #9368856 - Flags: sec-approval? → sec-approval+
Pushed by echen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4a6dd45b089b Use sLastScreenPoint to restore mouse position after releasing pointer lock; r=smaug

https://hg.mozilla.org/mozilla-central/rev/4a6dd45b089b

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox124: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
Attachment #9376990 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • String changes made/needed: None
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Using last screen pointer to restore the mouse position is pretty straightforward
  • User impact if declined: Cursor mouse might move automatically after releasing pointer lock and lead to clickjacking
  • Steps to reproduce for manual QE testing: Use the test script in https://bugzilla.mozilla.org/show_bug.cgi?id=1860065#c13
  • Code covered by automated testing: no
  • Is Android affected?: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

We also need a patch and uplift request for the ESR115 branch if all branches are affected, thanks.

Flags: needinfo?(echen)

(In reply to Pascal Chevrel:pascalc from comment #34)

We also need a patch and uplift request for the ESR115 branch if all branches are affected, thanks.

I will prepare a patch for ESR115. Thanks!

Attachment #9377148 - Flags: approval-mozilla-esr115?
Attachment #9377148 - Flags: approval-mozilla-esr115?

I have reproduced this issue on Win 11 x64 using STR from comment 0 and comment 13, on an affected Nightly build (2023-10-18).

Confirming this issue as verified fixed on 124.0a1(20240130045011) using Windows 11, Ubuntu 22 and macOS 14.

status-firefox124: fixedverified
Attachment #9376990 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9377209 - Flags: approval-mozilla-esr115?

Uplift Approval Request

  • User impact if declined: Cursor mouse might move automatically after releasing pointer lock and lead to clickjacking
  • Fix verified in Nightly: yes
  • Steps to reproduce for manual QE testing: Use the test script in https://bugzilla.mozilla.org/show_bug.cgi?id=1860065#c13
  • Risk associated with taking this patch: Low
  • Needs manual QE test: yes
  • Explanation of risk level: Using last screen pointer to restore the mouse position is pretty straightforward
  • String changes made/needed: None
  • Is Android affected?: yes
  • Code covered by automated testing: no
Attachment #9377148 - Attachment is obsolete: true
Flags: needinfo?(echen)
Flags: sec-bounty? → sec-bounty+

Confirming this issue as verified fixed on 123.0b4(20240129091730) using Windows 11, Ubuntu 22 and macOS 14.

Status: RESOLVED → VERIFIED
status-firefox123: fixedverified
Flags: qe-verify+
Attachment #9377209 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Confirming this issue as verified fixed on 115.8.0esr(20240212204114) using Windows 11, Ubuntu 22 and macOS 14.

status-firefox-esr115: fixedverified
Whiteboard: [overlap with 1857430--eval bounties at the same time][reporter-external] [client-bounty-form] [verif?] → [overlap with 1857430--eval bounties at the same time][reporter-external] [client-bounty-form] [verif?][adv-main123+]
Whiteboard: [overlap with 1857430--eval bounties at the same time][reporter-external] [client-bounty-form] [verif?][adv-main123+] → [overlap with 1857430--eval bounties at the same time][reporter-external] [client-bounty-form] [verif?][adv-main123+][adv-esr115.8+]
Attached file advisory.txt
Alias: CVE-2024-1550
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: