Closed Bug 1877879 (CVE-2024-1547) Opened 8 months ago Closed 8 months ago

Show alert/confirm/prompt dialog on another website with secure padlock displayed with iframe

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
124 Branch
Tracking Flags:
Tracking Status
firefox-esr115 123+ verified
firefox122 --- wontfix
firefox123 + verified
firefox124 + verified

People

(Reporter: mccr8, Assigned: mccr8)

References

(Regressed 1 open bug)

Details

(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [adv-main123+][adv-esr115.8+])

Attachments

(7 files)

Bug 1877879 - Implement isActiveInTab and use it for PromptParent.
48 bytes, text/x-phabricator-request
tjr
: sec-approval+
Details | Review
Bug 1877879 - Add tests for for isActiveInTab.
48 bytes, text/x-phabricator-request
Details | Review
testcase.simplified.html
13.33 KB, text/html
Details
testcase2.bundle.html
18.35 KB, text/html
Details
Bug 1877879 - Implement isActiveInTab and use it for PromptParent.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1877879 - Implement isActiveInTab and use it for PromptParent.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
advisory.txt
230 bytes, text/plain
Details

This is my second attempt at a spot fix for bug 1791283. My previous one, bug 1863852, dealt with the second test case but not the first one. In the second test case, the page with the stale alert is in the BFCache. In the first test case, I think the issue is that the window actually trying to create the alert is itself a current window global, it has a parent window that is not, so it is still not being displayed. My fix is to add a new function WindowGlobalParent::IsActiveInTab() that is like WindowGlobalParent::IsCurrentGlobal(), but it also checks AncestorsAreCurrent to avoid this situation. It also checks the BFCache status on the top BC instead of the current BC, because Nika thought there might be issues with races (it is possible this is why my previous fix didn't work for the test case but I didn't investigate it). Hopefully this new function will do a better job at checking if a window is actually visible currently.

I wrote this based on talking with DOM: Navigation people. They said the name would more correctly be something like "isActiveInRootNavigable", but that's probably not a useful name to people writing Firefox JS code would might need this function. I did add a comment about that.

Before landing, I need to copy over the first (and maybe second?) test case along with some instructions so that it can be verified.

There are two things to verify for this patch.

The first is that the patch did not regress bug 1863852, by checking the behavior with testcase.simplified.html.

Steps to reproduce for testcase.simplified.html:

  1. Visit https://www.example.com to add site to the cache.
  2. In a new tab, open the attached testcase.simplified.html
  3. Click the "Spoof" button.

Expected results: The browser has navigated to https://www.example.com (as seen in the address bar), and there is no alert message dialog (the text of the alert dialog starts with "We've migrated our login page to a new URL address"). It is okay if the alert appears while the address bar has testcase.simplified.html. This was already fixed by bug 1863852, so this is expected to pass before and after my patch here.

Attached file testcase2.bundle.html

The second thing to verify is that this patch fixes the behavior for testcase2.bundle.html. (This is the same as testcase.bundle.html from bug 1791283, except that I removed the part where it redirects to Google at the end because I think that will make it more annoying to verify. It doesn't affect the spoof we're fixing here.)

Steps to reproduce for testcase2.bundle.html:

  1. Visit https://www.example.com to add site to the cache.
  2. In a new tab, open the attached testcase2.bundle.html.
  3. Click the "Launch" button. This will open a new tab and switch to it.
  4. In the new tab, click on "Spoof".

Expected results: The browser has navigated to https://www.example.com (as seen in the address bar), and there is no alert message dialog (the text of the alert dialog starts with "We've migrated our login page to a new URL address"). It is okay if the alert appears while the address bar has testcase2.bundle.html.

Unpatched, the browser will have https://www.example.com in the address bar and there will be an alert (as described under expected results).

Comment on attachment 9377548 [details]
Bug 1877879 - Implement isActiveInTab and use it for PromptParent.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably not super hard. It is making a check stronger and you could compare the old and new behavior. I have a second patch in this bug with tests, but I won't land that until later.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It shouldn't be a problem. This adds a new function that strengthens a check.
  • How likely is this patch to cause regressions; how much testing does it need?: I don't think it is too worrying, but we're dealing with a lot of edge cases here, and Android works differently, so there could be some issues.
  • Is Android affected?: Yes
Attachment #9377548 - Flags: sec-approval?

sec-bounty: this was originally submitted by sourc7 in bug 1791283. Hopefully this attempt will actually fix everything reported there (thanks Dan for catching that in the other spot fix...) and then we could move the bounty to this bug or something.

Flags: sec-bounty?

Comment on attachment 9377548 [details]
Bug 1877879 - Implement isActiveInTab and use it for PromptParent.

approved to land and request uplift

Attachment #9377548 - Flags: sec-approval? → sec-approval+
Whiteboard: [reminder-test 2024-04-02]
Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9f853c322b4b Implement isActiveInTab and use it for PromptParent. r=smaug,Gijs

https://hg.mozilla.org/mozilla-central/rev/9f853c322b4b

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 8 months ago
status-firefox124: affectedfixed
tracking-firefox123: --- → +
tracking-firefox124: --- → +
tracking-firefox-esr115: --- → 123+
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

The patch landed in nightly and beta is affected.
:mccr8, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(continuation)
Attachment #9378537 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Needs manual QE test: yes
  • Explanation of risk level: the patch might make us not open window dialogs when we should if I did something wrong
  • String changes made/needed: none
  • Is Android affected?: no
  • Steps to reproduce for manual QE testing: see comment 4 and 5
  • Fix verified in Nightly: no
  • Risk associated with taking this patch: low
  • Code covered by automated testing: yes
  • User impact if declined: sec-high
Flags: qe-verify+
Attachment #9378538 - Flags: approval-mozilla-esr115?

Uplift Approval Request

  • User impact if declined: sec-high
  • Code covered by automated testing: yes
  • Risk associated with taking this patch: low
  • Fix verified in Nightly: no
  • Is Android affected?: no
  • Steps to reproduce for manual QE testing: see comment 4 and comment 5
  • String changes made/needed: none
  • Explanation of risk level: the patch might make us not open window dialogs when we should if I did something wrong
  • Needs manual QE test: yes
Flags: needinfo?(continuation)
Attachment #9378537 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9378538 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

As with bug 1863852 comment 17 we are not paying the bounty here in this fix because we already are tracking and awarded a bounty to the reporter's original issue in bug 1791283

Flags: sec-bounty? → sec-bounty-

Ah, sorry, I didn't notice that the bounty had actually been paid in that bug.

QA Whiteboard: [post-critsmash-triage]
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][qa-triaged]

I have reproduced this issue with Firefox 119.0.1, under macOS 13, using STR from comment 4 and comment 5.

The both scenarios are verified as fixed on the latest builds, Esr 115.8.0, Beta 123.0b8 and Nightly 124.0a1. Tested with Win 11, Ubuntu 20.04 x64 and macOS 13.

Status: RESOLVED → VERIFIED
status-firefox123: fixedverified
status-firefox124: fixedverified
status-firefox-esr115: fixedverified
Flags: qe-verify+
Whiteboard: [reminder-test 2024-04-02] → [reminder-test 2024-04-02][adv-main123+]
Whiteboard: [reminder-test 2024-04-02][adv-main123+] → [reminder-test 2024-04-02][adv-main123+][adv-esr115.8+]
Attached file advisory.txt
Alias: CVE-2024-1547
See Also: → 1883557

a month ago, tjr placed a reminder on the bug using the whiteboard tag [reminder-test 2024-04-02] .

mccr8, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(continuation)
Whiteboard: [reminder-test 2024-04-02][adv-main123+][adv-esr115.8+] → [adv-main123+][adv-esr115.8+]
Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/795c576c93f8 Add tests for for isActiveInTab. r=smaug
Flags: needinfo?(continuation)
Flags: sec-bounty-hof+
Regressions: 1890386
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: