Closed Bug 1915280 Opened 1 year ago Closed 11 months ago

UITours does permission checking in the child process

Categories

(Firefox :: Tours, defect, P3)

Product:
Firefox
Component:
Tours
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
139 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox137 --- wontfix
firefox138 --- fixed
firefox139 --- fixed

People

(Reporter: mccr8, Assigned: Gijs)

References

Details

(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: [adv-main138+])

Attachments

(3 files, 1 obsolete file)

Bug 1915280 - improve UITour origin checks, r?Mardak
48 bytes, text/x-phabricator-request
Details | Review
Bug 1915280 - improve UITour origin checks, r?Mardak
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
advisory.txt
261 bytes, text/plain
Details

Gijs mentioned UITours to me as an actor that is supposed to run in only a handful of specific Mozilla domains, with powerful capabilities. Unfortunately, it looks like the permission check is done in the child process which means that if an attacker takes over the content process it could bypass those checks.

Scanning through UITour.sys.mjs, I'm not sure how bad this would be. The setDefaultSearchEngine case looks like they could set the default search engine which honestly is probably more valuable than most things you could do with control over somebody's machine, though at least it would be relatively easy to fix. There's the resetFirefox which pops up a window to confirm that somebody wants to reset their Firefox profile. That doesn't seem too useful except to try to trick somebody into removing their addons. There's a few accounts related things like showFirefoxAccounts and showConnectAnotherDevice but those look benign.

What this really kind of wants is a way to register an actor like "matches", except it is based on permissions and not the domain name. Getting that right would be a little tricky (permissions can change over time) but maybe that's even more of an argument for doing it in one place.

The severity field is not set for this bug.
:Mardak, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(edilee)
Depends on: 1954435
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Severity: -- → S3
Flags: needinfo?(edilee)
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → Desktop
Version: unspecified → Trunk
Pushed by gijskruitbosch@gmail.com: https://hg.mozilla.org/integration/autoland/rev/dedd7e191458 improve UITour origin checks, r=Mardak,nika

https://hg.mozilla.org/mozilla-central/rev/dedd7e191458

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
status-firefox139: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch

Should we uplift to 138? backport to ESR-128?

status-firefox137: --- → wontfix
status-firefox138: --- → affected
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → affected
Flags: needinfo?(gijskruitbosch+bugs)

(In reply to Daniel Veditz [:dveditz] from comment #6)

Should we uplift to 138? backport to ESR-128?

This is defense-in-depth so tentatively I don't think so, at least for ESR? Backporting to ESR would be a bit annoying because I'm using moz-src which isn't available there. I didn't think that at this point we were aware of any active issues around UITour so I had not considered backporting this.

138 I could be convinced about, though I'd like to get confirmation from the web team that I unbroke their local dev setup with this change (by allowing on localhost iff that is set up in the testing origins pref).

Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(dveditz)

The patch landed in nightly and beta is affected.
:Gijs, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox138 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to :Gijs (he/him) from comment #7)

138 I could be convinced about, though I'd like to get confirmation from the web team that I unbroke their local dev setup with this change (by allowing on localhost iff that is set up in the testing origins pref).

Got this from Alex so going to request beta uplift.

Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9478010 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Brokenness for webdev + security defense in depth improvement
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: low-ish
  • Explanation of risk level: Relatively small change to UITour which wouldn't affect core product (so could potentially mitigate breakage on the web-side), still decent beta runway left
  • String changes made/needed: No
  • Is Android affected?: no
Attachment #9478010 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

It's fine to skip this for ESR-128.

status-firefox-esr128: affectedwontfix
Flags: needinfo?(dveditz)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main138+]
QA Whiteboard: [post-critsmash-triage][adv-main138+] → [post-critsmash-triage]
Whiteboard: [adv-main138+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9480677 - Attachment is obsolete: true
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: