Closed Bug 1874964 (CVE-2024-43113) Opened 2 years ago Closed 1 year ago

The Context Menu for iOS Firefox can override on any origin, allowing UXSS everywhere with bug id 1874910

Categories

(Firefox for iOS :: General, defect)

defect

Tracking


RESOLVED FIXED
Tracking Status
fxios 129 ---

People

(Reporter: proof131072, Unassigned)

References

Details

(Keywords: csectype-sop, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(5 files)

We are able to override the context menu on a target site, resulting in UXSS with bug id 1874910.

I believe that, due to the override on other origins, the fix needs to be separated, and there are several scenarios without this UXSS that we could abuse, so I opened this new report.

Flags: sec-bounty?
Attached file 1874964.html
Group: firefox-core-security → mobile-core-security
Component: Security → General
Product: Firefox → Firefox for iOS

This doesn't work as a Bugzilla attachment since it opens the Facebook app instead of navigating to https://facebook.com for some reason.

Please test on https://pwning.click/ffdownuxss.php

See bug 1874910 comment 5 for the testcase description, except that in this bug there is a navigation to a target site. The timing is tricky, but the idea is that it has to be long enough for the user to long-press on the link, but fast enough that it navigates to the target site before the user chooses to download (and somehow not notice that the site changed underneath them). This is an attempt to work around one of the two mitigations I mentioned in bug 1874910.

Although the results are "worse" given the targeting, I don't think this is actually a separate bug. The bug is 1874907 ("downloading" a non-"web" URL) plus bug 1874910 (injecting javascript into an origin different from where it came from).

Yeah, please download the link as soon as opening the PoC demo site.

On the UXSS part I agree this can be merged into bug 1874910, but overriding the context menu on any legitimate site allows other malicious things, like opening a new tab with already existing other issues such as bug 1874573, and opening dangerous URIs like file:/ and about:// (AFAIR, I didn't report the Firefox version of this yet).

And separately from that, when the next navigation occurs, iOS Firefox will download the HTML of that site, and the problem is that we are able to manipulate the navigation, allowing us to make users download our desired attack HTML page, which allows bad things like pwning the camera via a legitimate permission request, etc. This works without the javascript: URI as well, so I'll report it soon.

Btw, I'm pretty sure bug 1874910 and this should be sec-high like bug 1653827 CVE-2020-15662.

I just tested this on latest 123 too.

This has been fixed together with the fix for bug 1874907.

From the point of view of impact, this report is nearly identical to the sec-high UXSS https://bugzilla.mozilla.org/show_bug.cgi?id=1465160, almost as if it is the iOS version of that exact impact, where the context menu will remain on any site we redirect to where we'd like to UXSS, and selecting it will successfully reproduce it.

Thus, we could grant a low-end sec-high severity rating for this report.

Flags: needinfo?(dveditz)

Please check the demo video for https://bugzilla.mozilla.org/show_bug.cgi?id=1465160 on https://leucosite.com/Firefox-uXSS-and-CSS-XSS/ to see that the impact is very similar, where the only difference is what we select from the context menu: View Background Image vs Download Link.

Could we close this report since the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1874907 also resolved this?

Flags: needinfo?(dveditz)

Closing as fixed per the above comments; however, if anyone has further concerns please let me know. Thank you.

Thanks!

Flags: needinfo?(dveditz)
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Attached file advisory.txt

Use CVE-2024-43113 for this issue.

Thus, we could grant a low-end sec-high severity rating for this report.

We'll consider that when we next look at bounty awards. We've got a lot of people out on vacation or sick right now so it's unclear if we'll have a quorum tomorrow.

Alias: CVE-2024-43113
See Also: → 1465160

Sure :) this could be checked later since it's not really important, thanks for letting me know!

We're sticking with "moderate" as a rating. The impact of a UXSS is serious, but this is a weird thing to ask someone to do.

On the UXSS part I agree this can be merged into bug 1874910, but overriding the context menu on any legitimate site allows other malicious things, like opening a new tab with already existing other issues such as bug 1874573

We fixed bug 1874910 and paid a bounty for that. As far as I can tell we did not fix the context menu floating to a new site. Not sure what the rating for that should be. This bug probably shouldn't have gotten a CVE since there wasn't a separate fix for it, but that's done and published now so there's no sense reopening this bug. You should open a new bug on the context menu and we can consider a bounty there.

Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(dveditz)
Group: mobile-core-security → core-security-release
Flags: sec-bounty-hof+
Group: core-security-release