Closed Bug 1864476 Opened 1 year ago Closed 1 year ago

Custom Cursor 32x32 hijacking on padlock, hamburger menu, extension icon etc

Categories

(Core :: Layout, defect)

defect

Tracking

RESOLVED DUPLICATE of bug 1804816

People

(Reporter: sas.kunz, Unassigned)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(5 files)

This vulnerability is like https://bugs.chromium.org/p/chromium/issues/detail?id=1454515, but this case is not using an iframe, only a custom 32x32 cursor. It is possible to bypass the 32x32 custom cursor hijacking mitigation and render a 32x32 cursor over the URL bar, hamburger menu, extension icon, etc.

Operating System: Windows 10

REPRODUCTION CASE

  1. Go to http://pwed.my.id/cursorhack32.html
  2. Hover over anywhere on the page to gain the fake cursor
  3. Using the fake cursor, click on the padlock icon and see fake status or click on hamburger menu
Flags: sec-bounty?
Attached file cursorhack32.html
Attached image cursor1.png
Attached image popout.png

Emilio: is this the right component for cursor overbleed issues?

iirc we had explicitly allowed 32x32 as the maximum size that wouldn't cause problems, but it seems like it needs to be smaller?

Group: firefox-core-security → core-security
Component: Security → CSS Parsing and Computation
Flags: needinfo?(emilio)
Product: Firefox → Core

Hafiizh: what is the value of this spoof? You can't change the lock state. If the domain name is typo-spoofy enough and you have a valid cert for it then you don't really need to spoof the site identity drop-down. I guess you could spoof "EV" information that would normally not show in a DV cert.

Not sure what you can do fooling people about the protection or permission information.

Group: core-security → layout-core-security
Flags: needinfo?(sas.kunz)
Keywords: csectype-spoof

Let's move to layout, which is the original component of bug 1445844. This seems to be working as intended. This is all prefable, the max size is controlled by layout.cursor.block.max-size, which is indeed a default of 32. Chrome also has that default.

Going lower than that risks potentially harming some legit use cases (i.e., games), but we could if needed.

Component: CSS Parsing and Computation → Layout
Flags: needinfo?(emilio)
See Also: → CVE-2019-11695

One hypothetical improvement here would be to prevent the cursor from overdrawing above the UI, I guess, e.g. by clipping the custom-cursor drawable area to prevent it from overdrawing browser UI components.

(I'm not sure how straightforward that would be to implement, or to what extent that would break real-world use cases. Obviously a "crosshair"-type cursor (or anything else with some drawing on all sides of the click target) would then get clipped at the top of the viewport which would probably be undesirable.)

(In reply to Daniel Holbert [:dholbert] from comment #7)

> One hypothetical improvement here would be to prevent the cursor from overdrawing above the UI, I guess, e.g. by clipping the custom-cursor drawable area to prevent it from overdrawing browser UI components.

That's the behavior of "blocked" cursors. Setting layout.cursor.block.max-size=1 would give you that.

Hi David, this is not only a spoof on domains that are in the padlock but also a spoof on the menu bar. In the PoC video I didn't add a fake image for a fake menu bar; when clicking on the three dots it will show a fake menu bar (using an image or something to spoof).

Flags: needinfo?(sas.kunz)

I attached a PoC, but this happens in the DuckDuckGo browser. This PoC is the same as in Firefox; it creates a fake menu with images.

(In reply to Daniel Holbert [:dholbert] from comment #7)

> One hypothetical improvement here would be to prevent the cursor from overdrawing above the UI, I guess, e.g. by clipping the custom-cursor drawable area to prevent it from overdrawing browser UI components.
>
> (I'm not sure how straightforward that would be to implement, or to what extent that would break real-world use cases. Obviously a "crosshair"-type cursor (or anything else with some drawing on all sides of the click target) would then get clipped at the top of the viewport which would probably be undesirable.)

Ah, I misread this. We stop showing a custom cursor when it'd overdraw, but we don't clip it. Clipping it seems pretty hard since the cursor is the native OS cursor.

Keywords: sec-low
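The policy discussed in this thread (a custom cursor no larger than layout.cursor.block.max-size is always honoured; a larger one is suppressed, not clipped, whenever it would overdraw outside the content area) can be written down as a small model. The following is an added example, not Firefox's own code, and the geometry conventions (hotspot relative to the image's top-left corner, a viewport whose top edge borders the browser chrome) are assumptions; it shows why a 32x32 cursor with its hotspot on the bottom row can still extend up to 31 pixels into the chrome under the default, and why max-size=1 removes that overdraw entirely.

```python
from dataclasses import dataclass

# Default of the layout.cursor.block.max-size pref as stated in the thread.
DEFAULT_MAX_SIZE = 32


@dataclass(frozen=True)
class CursorImage:
    """A CSS custom cursor: image dimensions plus the hotspot (the pixel that
    sits under the real pointer position), measured from the top-left corner."""
    width: int
    height: int
    hotspot_x: int
    hotspot_y: int


@dataclass(frozen=True)
class Viewport:
    """The web content area in window coordinates. Everything above `top`
    (and outside the rectangle generally) is browser chrome: URL bar, padlock,
    menu button, extension icons. These coordinates are constructed for the example."""
    left: int
    top: int
    width: int
    height: int


def cursor_rect(cursor: CursorImage, px: int, py: int):
    """Rectangle (x0, y0, x1, y1) the cursor image occupies when its hotspot
    is placed at pointer position (px, py)."""
    x0 = px - cursor.hotspot_x
    y0 = py - cursor.hotspot_y
    return (x0, y0, x0 + cursor.width, y0 + cursor.height)


def overdraw(cursor: CursorImage, vp: Viewport, px: int, py: int):
    """Pixels by which the cursor image would spill outside the viewport on each side.
    A non-zero 'top' means the image is drawn over the browser chrome above the page."""
    x0, y0, x1, y1 = cursor_rect(cursor, px, py)
    return {
        "top": max(0, vp.top - y0),
        "left": max(0, vp.left - x0),
        "right": max(0, x1 - (vp.left + vp.width)),
        "bottom": max(0, y1 - (vp.top + vp.height)),
    }


def custom_cursor_allowed(cursor: CursorImage, vp: Viewport, px: int, py: int,
                          max_size: int = DEFAULT_MAX_SIZE) -> bool:
    """Model of the blocking policy described in the thread (an assumption about the
    real implementation): a cursor no larger than max_size in both dimensions is
    always shown; a larger one is replaced by the default pointer when it would
    overdraw outside the content viewport. Nothing is ever clipped."""
    if cursor.width <= max_size and cursor.height <= max_size:
        return True
    return not any(overdraw(cursor, vp, px, py).values())


def worst_case_chrome_overlap(max_size: int) -> int:
    """Largest number of pixel rows an always-allowed cursor can draw above the
    viewport: a max_size-high image with its hotspot on the bottom row, hovered on
    the first content row. The spill is exactly max_size - 1, so only max_size=1
    (or 0) leaves no room to draw over the chrome at all."""
    return max(0, max_size - 1)


def demo():
    """Walk through the scenario reported in the bug with constructed coordinates."""
    # Constructed window: 100 px of browser chrome above a 1280x700 content area.
    vp = Viewport(left=0, top=100, width=1280, height=700)
    # 32x32 cursor whose hotspot is on the bottom row (the shape of the report).
    spoof = CursorImage(32, 32, hotspot_x=16, hotspot_y=31)
    # Pointer resting on the very first row of page content.
    top_overdraw = overdraw(spoof, vp, 640, vp.top)["top"]
    default_ok = custom_cursor_allowed(spoof, vp, 640, vp.top)
    hardened_ok = custom_cursor_allowed(spoof, vp, 640, vp.top, max_size=1)
    return {
        "pixels_over_chrome": top_overdraw,      # 31
        "shown_with_default_pref": default_ok,   # True: within 32x32, never blocked
        "shown_with_max_size_1": hardened_ok,    # False: would overdraw, so suppressed
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the trade-off in the thread concrete: lowering the pref does not shrink or clip anything, it only widens the set of cursors that fall back to the default pointer near the viewport edges, which is exactly what breaks crosshair-style game cursors hovered near the top of the page.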

The severity field is not set for this bug.
:emilio, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1866300
Flags: needinfo?(emilio)
Resolution: --- → DUPLICATE

I reported this before on https://bugzilla.mozilla.org/show_bug.cgi?id=1804816 but you set it to WONTFIX; can you check it again?

Flags: needinfo?(emilio)

I still think the same. If we want to shrink the custom cursor size we can, though that's not my decision.

Flags: needinfo?(emilio) → needinfo?(dveditz)

(In reply to Hafiizh from comment #14)

> I reported this before on https://bugzilla.mozilla.org/show_bug.cgi?id=1804816 but you set it to WONTFIX; can you check it again?

What do you want us to do with it? That's a dupe of this; we don't need two different bugs open and I don't think it makes any sense to reopen that one and duplicate this one to that one.

Group: layout-core-security
Duplicate of bug: 1804816
No longer duplicate of bug: 1866300
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dveditz)