Closed Bug 1876675 (CVE-2024-2611) Opened 1 year ago Closed 1 year ago

Clickjacking to allow permission (bypass of 1863083)

Categories

(Toolkit :: PopupNotifications and Notification Bars, defect)

Product:
Toolkit
Component:
PopupNotifications and Notification Bars
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
125 Branch
Tracking Flags:
Tracking Status
firefox-esr115 124+ verified
firefox123 --- wontfix
firefox124 + verified
firefox125 + verified

People

(Reporter: sas.kunz, Assigned: emz)

References

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main124+][adv-esr115.9+])

Attachments

(12 files, 2 obsolete files)

bypassclickjacking.html
2.51 KB, text/html
Details
bandicam 2024-01-26 13-17-56-562.mp4
4.34 MB, video/mp4
Details
bandicam 2024-01-26 21-46-22-519.mp4
7.26 MB, video/mp4
Details
bandicam 2024-02-01 06-34-56-644.mp4
3.10 MB, video/mp4
Details
1876675-no-repro.m4v
298.05 KB, video/x-m4v
Details
bandicam 2024-02-24 02-58-25-028.mp4
6.93 MB, video/mp4
Details
bandicam 2024-02-24 02-54-46-902.mp4
6.48 MB, video/mp4
Details
Bug 1876675, r=Gijs!
48 bytes, text/x-phabricator-request
Details | Review
bandicam 2024-02-28 20-50-09-969.mp4
2.26 MB, video/mp4
Details
Bug 1876675, r=Gijs!
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1876675, r=Gijs!
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
advisory.txt
206 bytes, text/plain
Details

I found a clickjacking vulnerability , bypass on https://bugzilla.mozilla.org/show_bug.cgi?id=1863083. in 1863083 it has been fixed, namely that when the cursor and permissions are in the same coordinates, the cursor cannot be clicked until the cursor is moved. I bypassed it by using pointerlock before the permission prompt appeared for a moment then did pointerlock (cursor disappeared) then it appeared again then clickjacking occurred.

I tested on Firefox version 120.0b4 (64-bit)

steps to reproduce:

  1. open bypassclickjacking.html
  2. do many clicks on "click here" button with more 200ms delay

Operating System : Windows 10
Firefox version : Firefox developer version 123.0b2 (64-bit)

Flags: sec-bounty?
Attached video bandicam 2024-01-26 13-03-36-944.mp4 (obsolete) —
Attachment #9376575 - Attachment is obsolete: true

i also succesfully tested with delay <200ms

Component: Security → PopupNotifications and Notification Bars
Flags: needinfo?(pbz)
Product: Firefox → Toolkit

(In reply to Hafiizh from comment #0)

I found a clickjacking vulnerability , bypass on https://bugzilla.mozilla.org/show_bug.cgi?id=1863083. in 1863083 it has been fixed, [...]

I tested on Firefox version 120.0b4 (64-bit)

Your older bug was fixed in Firefox 122; a Beta version of 120.0 won't have the fix. Can you confirm that you can still reproduce when you run a Release version of Firefox 122?

Flags: needinfo?(pbz) → needinfo?(sas.kunz)

sorry, I typed the wrong version, the version I tried was 123.0b5 (64-bit) firefox developer

Flags: needinfo?(sas.kunz)
See Also: → CVE-2024-0750
Flags: needinfo?(pbz)
Flags: needinfo?(pbz)

I didn't mean to drop the NI here, sorry. I'll take a look.

Flags: needinfo?(pbz)
Attached video 1876675-no-repro.m4v

I can't reproduce this so far. Tested with Nightly 125.0a1 (2024-02-23) (64-bit) on Windows 11. Curious if that's related to reduced motion, which is automatically enabled when using RDP.

Hmm.. I can't reproduce with reduced motion disabled either. I've also tested it on ESR 115.8.0.
Gijs if you can spare some time, could you please also try to repro?

Flags: needinfo?(pbz) → needinfo?(gijskruitbosch+bugs)

i tested on 125.0a1 (2024-02-23) (64-bit) nightly version

also testd on 124.0b3 (64-bit) firefox developer edition

I haven't tried to repro, but it somewhat makes sense that if the delay on the popup is 500ms and the repeated clicks happen during the pointer lock time, they don't end up extending the click delay on the button, so after 500ms the popup is accepted. Maybe the timings need changing on a machine performance basis.

Assuming I'm right, this means that changing security.notification_enable_delay would require changes in the testcase in order to keep the pointer locked for a bit longer. Honestly, I'm... not convinced this is a particularly convincing clickjack given all the screen movement and the 500ms delay which isn't being bypassed as such (AFAICT), we're just causing clicks to go elsewhere while the popup is visible the whole time. So sec-moderate seems generous to me.

If we wanted to do something we would probably extend the delay for pointer lock in the same way we did for fullscreen, or close the permission prompt when pointer lock is entered? Paul, is there any reason that wouldn't work?

Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(pbz)
See Also: → 1881846
Attached file Bug 1876675, r=Gijs!
Assignee: nobody → pbz
Status: NEW → ASSIGNED

Thanks for taking a look Gijs!

(In reply to :Gijs (he/him) from comment #12)

I'm... not convinced this is a particularly convincing clickjack given all the screen movement and the 500ms delay which isn't being bypassed as such (AFAICT), we're just causing clicks to go elsewhere while the popup is visible the whole time. So sec-moderate seems generous to me.

Agreed. We did introduce the extension of the delay for clicks made during the delay. So that part is being bypassed. But that's a fairly recent addition.

If we wanted to do something we would probably extend the delay for pointer lock in the same way we did for fullscreen, or close the permission prompt when pointer lock is entered? Paul, is there any reason that wouldn't work?

I've attached a patch that does this. Just like for the full screen transition, it needs to account for both pointer lock entered while the panel is open and the panel opening during pointer lock. Still need to work on a test. Probably won't be able to replicate the PoC in CI, given that I can't even reproduce the issue locally.

Edit: we could consider duping Bug 1881846 since it uses the same mechanism.

Flags: needinfo?(pbz)

Reporter, could you see if you can still reproduce the issue with this test build:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/E-zReDmmRXmgniXPspQDRA/runs/0/artifacts/public/build/install/sea/target.installer.exe
Note that this behaves like a Nightly installer and will by default overwrite your Nightly installation (if you have one).

If you don't want to use an installer you can also download the archive here: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/E-zReDmmRXmgniXPspQDRA/runs/0/artifacts/public/build/target.zip

Flags: needinfo?(sas.kunz)

i confirmed i cannot reproduced the poc using new installer

Flags: needinfo?(sas.kunz)
Attached file Bug 1876675 - Test, r=Gijs! (obsolete) —

https://hg.mozilla.org/mozilla-central/rev/3c9e4f296086

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox123: --- → wontfix
status-firefox124: --- → affected
status-firefox125: --- → fixed
status-firefox-esr115: --- → affected
tracking-firefox124: --- → +
tracking-firefox125: --- → +
tracking-firefox-esr115: --- → 124+
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch
Duplicate of this bug: 1881846

The patch landed in nightly and beta is affected.
:pbz, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox124 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(pbz)
Attachment #9388673 - Flags: approval-mozilla-beta?
Flags: needinfo?(pbz)

Uplift Approval Request

  • Code covered by automated testing: yes
  • Steps to reproduce for manual QE testing: Please see if you can reproduce the issue using the reporters test page. It may be necessary to change the button coordinates so that it lines up with the mouse position.
  • Is Android affected?: no
  • User impact if declined: clickjacking issue with permission prompts (see bug POC / video)
  • Risk associated with taking this patch: low
  • Needs manual QE test: yes
  • Fix verified in Nightly: no
  • Explanation of risk level: The code change is rather simple, but we risk making permission prompt buttons inoperable for a while when a sites pointer lock requests overlaps with a permission prompt.
  • String changes made/needed: none
Flags: qe-verify+
Attachment #9388673 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Please nominate this for ESR115 uplift also when you get a chance.

Flags: needinfo?(pbz)
Attachment #9389425 - Flags: approval-mozilla-esr115?
Flags: needinfo?(pbz)

Uplift Approval Request

  • String changes made/needed: none
  • Explanation of risk level: The code change is rather simple, but we risk making permission prompt buttons inoperable for a while when a sites pointer lock requests overlaps with a permission prompt.
  • Steps to reproduce for manual QE testing: Please see if you can reproduce the issue using the reporters test page. It may be necessary to change the button coordinates so that it lines up with the mouse position.
  • Needs manual QE test: yes
  • Code covered by automated testing: yes
  • User impact if declined: clickjacking issue with permission prompts (see bug POC / video)
  • Fix verified in Nightly: no
  • Risk associated with taking this patch: low
  • Is Android affected?: no
Flags: sec-bounty? → sec-bounty+
Attachment #9389425 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Hello! I managed to reproduce this with Firefox 123.0.1 and Firefox 124.0a1 (2024-01-25) on Windows 10x64 using steps from comment 0, but the reproducing rate is not consistent. I could not reproduce the issue in Ubuntu 23.10 but I could reproduce it on macOS 14 arm with 124.0b6.
I no longer managed to reproduce the issue not even once with different time clicks (above and below 200ms) after trying at least 30 times on each build with Firefox 125.0a1 (2024-03-05), 124.0b7, 115.9.0esr from comment 28 on Windows 10x64. I have also tried some times to reproduce it on macOS 14 arm and Ubuntu 23.10 but without any luck.

However, I have a question: is it expected that the buttons to not be clickable for some time after the Click Here button has been clicked once? Thank you!

Flags: needinfo?(pbz)

Thanks! Yes, that's expected. We block the buttons for a few seconds to prevent clickjacking. They should work after waiting (and not clicking) for a few seconds.

Flags: needinfo?(pbz)

(In reply to Paul Zühlcke [:pbz] from comment #30)

Thanks! Yes, that's expected. We block the buttons for a few seconds to prevent clickjacking. They should work after waiting (and not clicking) for a few seconds.

That is correct, they work after some time. Thank you! I think it's safe to close this as verified, as I couldn't reproduce the issue even once while following the steps mentioned in comment 0, despite numerous attempts.

Status: RESOLVED → VERIFIED
Has STR: --- → yes
status-firefox124: fixedverified
status-firefox125: fixedverified
status-firefox-esr115: fixedverified
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main124+][adv-esr124+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main124+][adv-esr124+] → [reporter-external] [client-bounty-form] [verif?][adv-main124+][adv-esr115.9+]
Attached file advisory.txt
Alias: CVE-2024-2611

Comment on attachment 9388071 [details]
Bug 1876675 - Test, r=Gijs!

Revision D202941 was moved to bug 1894203. Setting attachment 9388071 [details] to obsolete.

Attachment #9388071 - Attachment is obsolete: true
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: