Closed Bug 1888695 (CVE-2024-5691) Opened 1 year ago Closed 1 year ago

Iframe sandbox bypass via clickjacking on the native XFO error page.

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
127 Branch
Tracking Flags:
Tracking Status
firefox-esr115 127+ verified
firefox124 --- wontfix
firefox125 --- wontfix
firefox126 --- wontfix
firefox127 + verified

People

(Reporter: luan.herrera, Assigned: tschuster)

References

(Regression,
URL
)

Details

(4 keywords, Whiteboard: [domsecurity-active][reporter-external] [client-bounty-form] [verif?][adv-main127+][adv-esr115.12+])

Attachments

(5 files, 3 obsolete files)

repro-video.mov
7.90 MB, video/quicktime
Details
sandboxed frames testcase
945 bytes, text/html
Details
Bug 1888695 - Add a pref for the iframe XFO/CSP Open In New Window button. r?dveditz
48 bytes, text/x-phabricator-request
Details | Review
Bug 1888695 - Add a pref for the iframe XFO/CSP Open In New Window button. r?dveditz
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
advisory.txt
288 bytes, text/plain
Details
Attached video repro-video.mov

A sandboxed iframe is not supposed to be able to initiate downloads or open popups unless the "allow-downloads" or "allow-popups" flags are respectively set. However, it is possible to trick users into clicking on the "Open Site in New Window" button that is displayed in error pages that opt-out from being embedded through the usage of the X-Frame-Options header. This functionality currently does not check whether the page is sandboxed before opening the new window, effectively allowing a clickjacking attack to occur on it and thus bypass the iframe sandbox protections.

A simple fix for this issue would be to disable the "Open Site in New Window" button if the iframe is sandboxed without the proper flags being set (allow-popups and allow-downloads).

For the attack to work, it requires the victim to click once inside a malicious iframe. The PoC provided just places opacity over the iframe to demonstrate that it would be possible to completely overlay the native Firefox error page and display whatever the attacker wanted instead.

I have attached a video (repro-video) reproducing the attack.

VERSION
Version: 124.0.1 (64-bit).
Operating System: MacOS 14.1.1 (23B81).

REPRODUCTION CASE

  1. Access https://lbherrera.github.io/lab/firefox/iframe-sandbox/victim-0019884.html
  2. Click on the first "Open Site in New Window" button and a new window will open.
  3. Click on the second "Open Site in New Window" button and a download will start.

CREDIT INFORMATION
Reporter credit: Luan Herrera (@lbherrera_)

Flags: sec-bounty?

If anybody else is confused like me about what is going on here, bug 1461195 is what added the "Open Site in New Window" button when CSP or whatever blocks the loading of the iframe. There are some screen shots of what it looks like when it isn't so small.

Group: firefox-core-security → dom-core-security
Component: Security → DOM: Security
Product: Firefox → Core
See Also: → 1461195

What the button does is automate what people could do before, which was right-click on the blocked frame and choose "Open Frame in New Tab", which in turn was a shortcut for viewing the frame info, manually copying the url, and then pasting it into a new tab. You can do "Open Frame in New Tab" on the middle "attacker-0019884.html" frame and that's not considered a sandbox violation. But of course you can't trick a user into doing that with single a click like you can here; that's unexpected, and violates the sandbox.

I don't see any tests for my warning from bug 1461195 comment 5, but SameSite=Strict cookies are correctly suppressed. I think that's just a natural consequence of the fact that about:netError is not https://www.google.com and not because the error page is consciously aware of any security policies. Without using the correct triggering origin we can't propagate the correct sandbox or CSP policies. Unfortunately, about:netError is not a system-privileged context so it can't use the correct triggeringPrincipal if it wanted to.

Mccr8 suggested one quick fix would be to hide the button if the context is in a sandbox or should inherit a CSP. The error page itself can't even find out that it's in a sandboxed or CSP state unless those are passed in as parameters, but that could be done.

Another thing we could do is use an intersection observer to disable or hide the button if too little of the context is shown. That would not fix the problem of not using the right security policy, but at least the user would be opening the content on purpose.

Violating these two sandbox rules isn't very severe—these are more "anti-annoyance" features and so people don't blame the wrong site (the top-level) for what a 3rd party did. The download could be worse than the popup. But worse than the annoyance of a popup, the new tab launched from this button is no longer bound by the sandbox, as a popup would be in the "allow-popups" case. I suspect this could be a CSP escape, too, although CSP is propagated only in narrow circumstances (only srcdoc/about:blank and data: documents).

In contrast, Safari just shows a blank frame and Chrome shows a grey "sad-page" icon (if you hover over the frame they will add text saying "www.example.com refused to connect"). We should think of getting rid of the button entirely: why does it need to be easy to get to content that didn't want to be shown in that context? Why does the parent page frame this site that results in a broken experience on their page? Maybe it's an old unmaintained page, but more likely they're up to no good, like Luan's example here. Firefox is already more helpful than other browsers by supporting the "Open Frame in New Tab" context-menu item, and if you can't find that you might also not be aware of the risks of blindly clicking the button. The site could have just had a link to the content instead of trying to frame it.

Keywords: regression
Regressed by: 1461195

Note that in the proper sandbox=allow-popups cases the sandbox propagates to the new tab. Windy.com is non-functional without JavaScript, and Twitter has a cross-origin-opener-policy violation.

Set release status flags based on info from the regressing bug 1461195

status-firefox124: --- → affected
status-firefox125: --- → affected
status-firefox126: --- → affected
status-firefox-esr115: --- → affected
Flags: needinfo?(dveditz)
Assignee: nobody → tschuster
Severity: -- → S3
Flags: needinfo?(dveditz)
Priority: -- → P2
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [domsecurity-activity][reporter-external] [client-bounty-form] [verif?]
Attachment #9395552 - Attachment description: WIP: Bug 1888695 - Add a pref for the iframe XFO/CSP Open In New Window button → Bug 1888695 - Add a pref for the iframe XFO/CSP Open In New Window button. r?dveditz
Whiteboard: [domsecurity-activity][reporter-external] [client-bounty-form] [verif?] → [domsecurity-active][reporter-external] [client-bounty-form] [verif?]

Set release status flags based on info from the regressing bug 1461195

status-firefox127: --- → affected

I am currently having issues with the new test that I added. On the try test verification run, but not locally with ./mach test --verify, I get the following error:

[task 2024-04-24T10:32:41.050Z] 10:32:41     INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/about/browser_aboutNetError_csp_iframe_no_openinwindow.js | Uncaught exception in test bound test_csp - undefined - threw exception: AbortError: Actor 'SpecialPowers' destroyed before query 'Spawn' was resolved

https://treeherder.mozilla.org/logviewer?job_id=455654905&repo=try&lineNumber=17388

It sounds like awaiting SpecialPowers.spawn is somehow not working, but I can't see the issue and this is similar to the existing test.

Attached file WIP: Bug 1888695 - Add test (obsolete) —
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3567557cdeb1 Add a pref for the iframe XFO/CSP Open In New Window button. r=dveditz

https://hg.mozilla.org/mozilla-central/rev/3567557cdeb1

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox127: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Group: dom-core-security → core-security-release
status-firefox125: fix-optionalwontfix

I've landed this without the test for now, but I will try to figure out how to get the test past treeherder.

The patch landed in nightly and beta is affected.
:tschuster, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox126 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(tschuster)

Dan, do you think we should uplift this to beta? It does seem to apply cleanly, but I also don't think this a really critical issue.

Flags: needinfo?(tschuster) → needinfo?(dveditz)

Fx126 beta cycle has finished.
126.0 RC1 is being prepared.
Could this ride the train with Fx127 and get an uplift for the corresponding 115esr? (115.12esr)

Confirmed over slack that this can ride the train for Fx127.
Please add an ESR115 uplift request

status-firefox126: affectedwontfix
tracking-firefox127: --- → +
tracking-firefox-esr115: --- → 127+

I agree with Donal and Tom's slack decision.

Flags: needinfo?(dveditz)
Attachment #9400662 - Flags: approval-mozilla-esr115?
Attachment #9400663 - Flags: approval-mozilla-esr115?
Attachment #9400664 - Flags: approval-mozilla-esr115?
Attachment #9400663 - Attachment is obsolete: true
Attachment #9400663 - Flags: approval-mozilla-esr115?
Attachment #9400664 - Attachment is obsolete: true
Attachment #9400664 - Flags: approval-mozilla-esr115?

esr115 Uplift Approval Request

  • User impact if declined: Click jacking in a sandbox iframe allows opening a window
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: Open https://lbherrera.github.io/lab/firefox/iframe-sandbox/victim-0019884.html. Make sure there is no "Open Site in New Window" button.
  • Risk associated with taking this patch: low
  • Explanation of risk level: Disables an optional button that no other browser has.
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

I've reproduced this issue using an affected Nightly build (2024-03-29) on macOS 13.

The issue is verified as fixed on latest Nightly 127.0a1 under macOS 13, Ubuntu 20.04 and Win 11.

status-firefox127: fixedverified
Flags: qe-verify+
Flags: sec-bounty? → sec-bounty+
Attachment #9400662 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

The patch failed to land on the esr115 branch, could you rebase your patch? Thanks
https://lando.services.mozilla.com/D209784/

Flags: needinfo?(tschuster)

I think this should work now. (Locally this rebase just worked)

Flags: needinfo?(tschuster)
Attachment #9399755 - Attachment is obsolete: true
Whiteboard: [domsecurity-active][reporter-external] [client-bounty-form] [verif?] → [domsecurity-active][reporter-external] [client-bounty-form] [verif?][adv-main127+]
Attached file advisory.txt
Whiteboard: [domsecurity-active][reporter-external] [client-bounty-form] [verif?][adv-main127+] → [domsecurity-active][reporter-external] [client-bounty-form] [verif?][adv-main127+][adv-esr115.12+]

This is also verified as fixed on 115.12.0 ESR with Win 11, macOS 14 and Ubuntu 22.04.

Status: RESOLVED → VERIFIED
status-firefox-esr115: fixedverified
Alias: CVE-2024-5691
See Also: → 1909396
Blocks: 1927109
See Also: → 1930102
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: