1868005 - (CVE-2024-26281) iOS Firefox QR Code Scanner allows to run firefox URI with javascript URI for related exploit

Status: RESOLVED FIXED

(Firefox for iOS :: General, defect)

Description

[James Lee]

Attachment: QRCode_Firefox_URI.png

We are able to run javascript URI through QR Code Scanner for iOS Firefox with Firefox URI.

Please scan following QR Code with iOS Firefox to reproduce this issue.

Comment 1

[Tyson Smith [:tsmith]]

The qr code contains firefox://open-url?url=javascript:window.close();alert(1337)

Comment 2

[Andrew McCreight [:mccr8]]

We had some similar issues reported years ago in Firefox for iOS, in bug 1567118, which was supposedly fixed by removing redirects using javascript URLs, in bug 1588928. I'm not sure if this is a regression or a slightly different attack.

Comment 3

[lmarceau]

The cause for this is the same as 1850158, although symptoms are a bit different. The deep links are using a different code path than if you write down a URL in the URL bar specifically. This code path needs to be protected as well.

Comment 4

[James Lee]

I presumed running javascript URI with firefox URI could be duplicate https://bugzilla.mozilla.org/show_bug.cgi?id=1863831#c3

this is about closing window resulting javascript dialog injection on normal mode legitimate site and read mode.

Comment 5

[James Lee]

QR Code scanning is used here to abuse that issue, where QR Code scanner should only allow http/https and deny other URIs; especially running something like javascript: URI should be prevented.

Comment 6

[Daniel Veditz [:dveditz]]

(In reply to lmarceau from comment #3)

The cause for this is the same as 1850158, although symptoms are a bit different. The deep links are using a different code path than if you write down a URL in the URL bar specifically. This code path needs to be protected as well.

Why are we supporting arbitrary QR code schemes? An allow-list of http/https is safe. Any additional scheme needs to be justified. This is basically the same as URLs coming in from the OS or other apps.

Comment 7

[Daniel Veditz [:dveditz]]

I don't have a phone to test and there's no movie (the one time in my life I wanted a movie of a bug POC). If this opens a new tab/window then it's not all that dangerous. If it opens on top of your most recent tab then it's a pretty bad XSS problem.

The cause for this is the same as bug 1850158

So that bug will fix this one (a dupe)? or they are different enough that an extra check will be needed?

Comment 8

[lmarceau]

We can keep this bug open to ensure this use case is fixed as well

Comment 9

[lmarceau]

Ok so after investigating, this isn't using the same path as the deeplink as I had thoughts, but rather through a delegate pattern to navigate. There's some scheme checks done on that path already, but I will enforce it so it's only possible to navigate directly to http/https URLs from QR Codes. All other schemes will open a search text instead.

FYI This will be tracked with JIRA ticket https://mozilla-hub.atlassian.net/browse/FXIOS-7993

Comment 10

[lmarceau]

Attachment: GitHub Pull Request

Comment 11

[lmarceau]

I am opening a bugfix for this, but javascript wasn't even running before from that QR code scan. The URL opened is http://firefox//open-url?url=javascript:window.close();alert(1337), which results in an error page being shown as this can't be navigated. The firefox://open-url?url=javascript:window.close();alert(1337) is converted to that URL on the URIFixUp.getURL function in here.

So unless I'm mistaken, I don't see any exploits (see screenshot). But this part of the code still benefit from hardening.

Comment 12

[lmarceau]

Attachment: QR code result, no javascript ran

Comment 13

[lmarceau]

To further explain why I don't see this as an exploit. The part to javascript:window.close();alert(1337) is never opened as a URL directly, and so we're not trying to open a javascript URL from QR code. Although firefox://open-url? is a deeplink scheme when opened from an external app, from our QR code scanner code, this isn't recognized as such. Hence, why when scanning the linked QR code to this Bugzilla, the URL we try to navigate to is http://firefox//open-url?url=javascript:window.close();alert(1337). Firefox QR code doesn't recognize this format and try to navigate to it as http which is not a navigable URL, resulting in an error page.

Comment 14

[Daniel Veditz [:dveditz]]

re-rating this one sec-other since the javascript doesn't seem to execute when run through the QR code path

Comment 15

[James Lee]

That's weird, scanning QR Code with firefox URI did work although it was 119 iirc, I'll get back to this and let you know.

Comment 16

[James Lee]

I forgot to encode the dot (%2e) so please try to reproduce it with below.

firefox://open-url?url=javascript:window%2eclose();alert(1337)

Comment 17

[James Lee]

Attachment: qrcode (4).png

Comment 18

[James Lee]

https://pwning.click/RPReplay_Final1703554936.mp4

Comment 19

[lmarceau]

Ok thank you! I tested with the new provided QR code and with the bugfix PR I linked this will be fixed, there was indeed a problem, I'll make sure our QA will test this flow to confirm the problem is resolved (the fix will be included in release v123, JIRA ticket to follow progress is FXIOS-7993).

Comment 21

[James Lee]

This need to be sec-moderate since the PoC was confirmed.

Comment 23

[lmarceau]

:dveditz will be able to determine the security severity rating of this issue, thank you.

Comment 24

[Daniel Veditz [:dveditz]]

restoring severity given a working testcase. This is indeed an independent problem from bug 1850158. Of course if that firefox: deep-links fix had gone in first then this specific javascript: QR code POC wouldn't have been possible. But then bug 1870308 would have pointed to the independent QR code reader bug instead of being a dupe of this one.

Comment 25

[Daniel Veditz [:dveditz]]

Although similar to bug 1850158, this was the same flaw in a different chunk of code.

Comment 26

[lmarceau]

Attachment: advisory.txt