Closed Bug 1903187 (CVE-2024-7529) Opened 1 year ago Closed 1 year ago

Security bug Clickjacking to allow permission using datepicker

Categories

(Toolkit :: PopupNotifications and Notification Bars, defect)

Product:
Toolkit
Component:
PopupNotifications and Notification Bars
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
130 Branch
Tracking Flags:
Tracking Status
firefox-esr115 129+ verified
firefox-esr128 129+ verified
firefox128 --- wontfix
firefox129 + verified
firefox130 + verified

People

(Reporter: sas.kunz, Assigned: emz)

Details

(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main129+][adv-ESR115.14+][adv-ESR128.1+])

Attachments

(12 files, 1 obsolete file)

bandicam 2024-06-18 11-05-54-099.mp4
2.21 MB, video/mp4
Details
dtclickjacking.html
1.03 KB, text/html
Details
spec1.jpg
254.27 KB, image/jpeg
Details
spec12.jpg
260.52 KB, image/jpeg
Details
bandicam 2024-07-02 21-19-08-395.mp4
2.74 MB, video/mp4
Details
Bug 1903187, r=Gijs!
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
dmeehan
: approval-mozilla-esr115+
dmeehan
: approval-mozilla-esr128+
Details | Review
Bug 1903187 - ESR 115, r=Gijs!
48 bytes, text/x-phabricator-request
Details | Review
bandicam 2024-07-20 05-44-33-124.mp4
1.86 MB, video/mp4
Details
bandicam 2024-07-20 05-43-33-127.mp4
1.67 MB, video/mp4
Details
bandicam 2024-07-20 05-42-25-457.mp4
1.57 MB, video/mp4
Details
bandicam 2024-07-31 14-43-54-141.mp4
1.84 MB, video/mp4
Details
advisory.txt
207 bytes, text/plain
Details

when selecting a date on the datepicker and the datepicker closes because it changes focus to another input this causes clickjacking at the permission prompt

steps to reproduce:

  1. open dtclickjacking.html
    2.do many Click on "next month" button

Operating System : Windows 10
Firefox version : Firefox Developer version 128.0b4 (64-bit)

Flags: sec-bounty?
Attached file dtclickjacking.html

Talked about this with Gijs, we suspect that the timeShown property used for the clickjacking protection is set too early and not close enough to the actual panel show. If you look at https://searchfox.org/mozilla-central/rev/8011b6325f7ce05d228a3cdefd45d74fb98ee7b4/toolkit/modules/PopupNotifications.sys.mjs#1297,1369 you can see that in the first marked line we set timeShown. On the second marked line the actual panel show happens (popupshown). We should check if moving the timeShown assignment into that listener fixes the issue.

We weren't able to reproduce it ourselves, potentially because our hardware is faster and the panel opens up faster. There is also a transition / animation for the panel showing which may further slow down things.

Do we know the length of time for the animation? If so we should add that time to the default timeout. It's not fully visible during the transition so that bit shouldn't count against the delay value.

I couldn't reproduce either -- my initial clicks on the permission prompt were inactive and did nothing. Note: I had to play with the width of my window to get the click targets to line up. Obviously won't work in a real attack, but I assume you could probably calculate resolutions and screen geometries and platforms to get pretty close in the general case.

Flags: needinfo?(pbz)

Hafiish: what kind of system are you running the PoC on in the movie? Is it old/slow?

Flags: needinfo?(sas.kunz)
Keywords: csectype-clickjacking
Attached image spec1.jpg

i used HP elitebook 830 G6 with specification:
Processor: Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz 1.99 GHz
Installed RAM : 16,0 GB (15,8 GB usable)
System type: 64-bit operating system, x64-based processor

Windows specifications:
Edition: Windows 10 Pro
Version: 22H2
OS build: 19045.4529
Experience: Windows Feature Experience Pack 1000.19058.1000.0

Flags: needinfo?(sas.kunz)
Attached image spec12.jpg

I don't know how long the animation takes or where that code lives. I'm not convinced that adding the animation time to the timeout is a good fix. It's also possible this animation takes longer on slow machines.

I'll check if we can move timeshown even close to actual panel now. I recall we tried something like this in the past and ran into issues with prompts / the timeout breaking, so we need to be careful.

Assignee: nobody → pbz
Status: NEW → ASSIGNED
Flags: needinfo?(pbz)

Could you test if you can still reproduce with this Firefox build: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/LwNmAd7uRXW2N6eHSj1Feg/runs/0/artifacts/public/build/target.zip
To run it just extract the zip and execute firefox.exe.

If the issue persists with this build we most likely need a more general solution for panels overlaying permission prompts. We should hide the datepicker once the permission prompt appears. Bug 1901685 is doing some groundwork for that.

Flags: needinfo?(sas.kunz)

i cannot reproduce it

Flags: needinfo?(sas.kunz)
Attached file Bug 1903187, r=Gijs!

Thanks Dan! I'll land this after the soft code freeze.

https://hg.mozilla.org/mozilla-central/rev/ebb04323fe33

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox130: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

The patch landed in nightly and beta is affected.
:pbz, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(pbz)

Let's leave this in Nightly for a bit longer before uplifting. I want to mitigate the risk of regressions. I've set a reminder in 7 days.

Flags: needinfo?(pbz)
Component: Security → PopupNotifications and Notification Bars
Flags: sec-bounty? → sec-bounty+
Product: Firefox → Toolkit

Comment on attachment 9410842 [details]
Bug 1903187, r=Gijs!

Beta/Release Uplift Approval Request

  • User impact if declined: Clickjacking on permission prompts via datepicker
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See comment 0
    Note that engineering couldn't reproduce the original issue, but it's worth trying again. Overall we should make sure that the patch didn't break permission prompts in any way - particularly:
  1. accepting a permission prompt during the first 500ms of it showing should not be possible
  2. After 500ms permission prompts should be acceptable / rejectable via the buttons.
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): Medium risk since we're changing how the PopupNotifications security delay is calculated. The delay disables the accept / reject buttons. Introducing a bug in that logic would mean the buttons can not be used and the prompt can not be closed / accepted properly and permission requests can't be granted.
  • String changes made/needed: none
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: It's a sec-medium. No special considerations.
  • User impact if declined: Clickjacking on permission prompts via datepicker
  • Fix Landed on Version: 30
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): Medium risk since we're changing how the PopupNotifications security delay is calculated. The delay disables the accept / reject buttons. Introducing a bug in that logic would mean the buttons can not be used and the prompt can not be closed / accepted properly and permission requests can't be granted.
Attachment #9410842 - Flags: approval-mozilla-esr128?
Attachment #9410842 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Attachment #9410842 - Flags: approval-mozilla-esr115?

Comment on attachment 9410842 [details]
Bug 1903187, r=Gijs!

Approved for 129.0b6

Attachment #9410842 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]

Comment on attachment 9410842 [details]
Bug 1903187, r=Gijs!

Approved for 128.1esr.

Attachment #9410842 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

:pbz, this doesn't graft cleanly to ESR115 due to Bug 1872993. Could you attach a rebased patch?

Flags: needinfo?(pbz)

I've attached a patch for ESR 115, just waiting for review.

Flags: needinfo?(pbz)

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)

I cannot reproduce this issue on may main system, in an "affected" build either: Tested in Beta v128.0b4 and Devedition v128.0b4, Release v128.0 or ESR v115.13.0esr. This being considered, I cannot verify the fix on my main system.
System specs:
Windows 10
AMD Ryzen 7 2700X
16.0 GB
AMD RX580

I've managed to reproduce on a lower-end PC, but the reproduction was inconsistent on both affected and fixed builds. I do not know how timing could influence this behavior, but it can still be reproduced on fixed builds at quite the same rate as on the unaffected builds.
System specs:
Windows 10
AMD FX(tm)-8320 Eight-Core Processor
16.0 GB
NVIDIA GT710

Hi Hafiizh! Thank you for the testing in the try build! Could you please take a few minutes to test this fix in the following builds?

  1. Nightly130 https://archive.mozilla.org/pub/firefox/nightly/2024/07/2024-07-18-21-47-49-mozilla-central/firefox-130.0a1.en-US.win64.zip
  2. Beta129 https://archive.mozilla.org/pub/firefox/candidates/129.0b6-candidates/build1/win64/en-US/firefox-129.0b6.zip
  3. ESR128 https://archive.mozilla.org/pub/firefox/candidates/128.0esr-candidates/build2/win64/en-US/firefox-128.0esr.zip

In my testing, the issue would still inconsistently reproduce in fixed builds and unfixed builds. Thanks!

Flags: needinfo?(sas.kunz)

i cannot reproduce in Nightly130 , Beta129 , ESR128

Flags: needinfo?(sas.kunz)

Thank you very much for the confirmation testing done on your system, Hafiizh!
Based on the reporter's confirmation I will close this issue as verified.

Status: RESOLVED → VERIFIED
status-firefox129: fixedverified
status-firefox130: fixedverified
status-firefox-esr128: fixedverified
Flags: qe-verify+
Flags: needinfo?(pbz)

This is ready to be uplifted to ESR 115.

I need to investigate why QA can still reproduce, but the patch strictly makes things better so we should uplift it anyway.

Flags: needinfo?(pbz) → needinfo?(dmeehan)
Flags: needinfo?(pbz)

Comment on attachment 9410842 [details]
Bug 1903187, r=Gijs!

Approved for 115.14esr

Flags: needinfo?(dmeehan)
Attachment #9410842 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Hi again, Hafiizh! Would you be kind enough to verify the same fix in the final channel? Thank you for your contribution!

Flags: needinfo?(sas.kunz)

i cannot reproduce poc in 115.14.0esr (64-bit)

Flags: needinfo?(sas.kunz)
Flags: needinfo?(pbz)

I am setting firefox-esr115 flag to verified. Thanks!

status-firefox-esr115: fixedverified
Whiteboard: [client-bounty-form] → [client-bounty-form][adv-main129+]
Whiteboard: [client-bounty-form][adv-main129+] → [client-bounty-form][adv-main129+][adv-ESR115.14+]
Whiteboard: [client-bounty-form][adv-main129+][adv-ESR115.14+] → [client-bounty-form][adv-main129+][adv-ESR115.14+][adv-ESR128.1+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9417357 - Attachment is obsolete: true
Alias: CVE-2024-7529
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: