Closed Bug 1921818 Opened 10 months ago Closed 9 months ago

Camera, Microphone, Geolocation etc permission takeover of trusted Top Origin Site through embedded ad banner with XSLT transform content, with no user interaction on Windows Firefox Nightly

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1921733

People

(Reporter: proof131072, Assigned: peterv)

References

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-high, Whiteboard: [fixed by 1921733][client-bounty-form][domsecurity-active])

Attachments

(3 files, 1 obsolete file)

HTML_Mic_Unknown_origin.png
60.30 KB, image/png
Details
HTML_Mic_Unknown_origin.mp4
397.01 KB, video/mp4
Details
XSLT_Mic_Takeover.mp4
426.04 KB, video/mp4
Details

We're able to takeover permissions of trusted Top Origin Sites like legitimate webcam site with XSLT transform attack page embedded ad banner content.

We could check the difference by testing on https://codepen.io assuming https://codepen.io as a legitimate webcam site, where when we test with normal site with just an HTML document, Firefox will actually recognise its origin difference, that the embedded content is from "Unknown origin" resulting to not allowing permissions.

This can be tested with either clicking on Microphone permission on embedded https://permission.site or https://pwning.geniuscoolcat.com/Normal_HTML_Mic.html

(Check the attached HTML_Mic_Unknown_origin.png below)

However, when we use XSLT Transform content, Firefox does not recognise its origin difference and end up allowing permissions, with no user interaction.

Step to reproduce:

  1. Go to https://codepen.io and paste following code on JS coding on the right to allow Microphone access from https://codepen.io which we're assumming it as a legitimate voicechat site in this example.
navigator.mediaDevices ?
        navigator.mediaDevices.getUserMedia(
          {audio: true}).then(
            
        ) :
        navigator.getUserMedia(
          {audio: true},
        
        );
  1. Check Firefox recognises embedded https://pwning.geniuscoolcat.com/Normal_HTML_Mic.html as a different origin "Unknown origin" and not allowing the Microphone permission.

(Demo video has been attached below.)

  1. Confirm that embedded XSLT transform https://pwning.geniuscoolcat.com/XSLT_Mic.xml allows to takeover Microphone permission with no user interaction.

(Demo video has been attached below.)

Flags: sec-bounty?
Attached video XSLT_Mic_Takeover.mp4

Thanks for the report! Possibly a duplicate of Bug 1921733.
That we're showing "unknown origin" seems like a separate bug though.

See Also: → CVE-2024-10458

Thanks for your reply, this does not seem to be duplicate of that issue due to the difference in the behaviour for .xml XSLT vs HTML.

Assignee: nobody → continuation
Status: NEW → ASSIGNED
Assignee: continuation → nobody
Status: ASSIGNED → NEW
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Security
Product: Firefox → Core

Peter, do you know what's going on with the XSLT side of this?

Flags: needinfo?(peterv)

(In reply to James Lee from comment #4)

Thanks for your reply, this does not seem to be duplicate of that issue due to the difference in the behaviour for .xml XSLT vs HTML.

Could you please elaborate a bit on the difference of behavior? I wasn't able to reproduce the "unknown origin" issue myself. For me it shows the requesting site and the top site in the permission prompt.

It's in the description 2 vs 3 as you know, but you need to test with either Microphone or Camera permission due to the difference I explained on https://bugzilla.mozilla.org/show_bug.cgi?id=1921847#c7 for that "Unknown origin" issue.

It sounds like you tested with Geolocation permission which is why you're seeing the permission prompt showing the requesting site and the top site.

Please let me know if that's not the case and the video of reproducing it would be helpful to understand if you followed steps on https://codepen.io in the description.

(In reply to :Gijs (he/him) from comment #7)

Peter, do you know what's going on with the XSLT side of this?

The difference seems to be that because the XSLT creates an XML document (no output mode set and no HTML root element), this check in FeaturePolicyUtils::IsFeatureUnsafeAllowedAll causes an early return: https://searchfox.org/mozilla-central/rev/1b90936792b2c71ef931cb1b8d6baff9d825592e/dom/security/featurepolicy/FeaturePolicyUtils.cpp#166-168. That then causes us to have a secondOrigin with value undefined in the prompt function here: https://searchfox.org/mozilla-central/rev/1b90936792b2c71ef931cb1b8d6baff9d825592e/browser/actors/WebRTCChild.sys.mjs#395-400. Removing the early return in FeaturePolicyUtils::IsFeatureUnsafeAllowedAll fixes things, but not sure that that would be the right fix yet.

Assignee: nobody → peterv
Status: NEW → ASSIGNED
Flags: needinfo?(peterv)
Whiteboard: [client-bounty-form] → [client-bounty-form][domsecurity-active]
Severity: -- → S2
Priority: -- → P2
Blocks: 1921847

I confirmed the fix for bug 1921733 fixed this XSLT issue and spoofing bug 1921847 too for both <embed> and <object>, where bug 1921847 could be used for spoofing the request "Unknown origin" as a Top Origin site while it's not really from the Top Origin site, resulting to asking for "Unknown origin" permission for trusted Top Origin site.

This issue with XSLT allowed this to work from not just <embed> and <object> but from <iframe> border for cdpn.io contained in https://codepen.io which means <iframe> ad banner in any legitimate webcam site containing malicious camera takeover page with <embed> or <object> which is prepared from attacker's side could've taken over camera to live record and screenshot. Of course, Microphone record on legitimate voicechat site was possible too.

(In reply to James Lee from comment #11)

I confirmed the fix for bug 1921733 fixed this XSLT issue and spoofing bug 1921847 too for both <embed> and <object>, where bug 1921847 could be used for spoofing the request "Unknown origin" as a Top Origin site while it's not really from the Top Origin site, resulting to asking for "Unknown origin" permission for trusted Top Origin site.

Looks like this can be closed as fixed then as long as we keep bug 1921847 open?

Has STR: --- → yes
Depends on: CVE-2024-10458
Flags: needinfo?(proof131072)
Keywords: keep-hidden
Whiteboard: [client-bounty-form][domsecurity-active] → [fixed by 1921733][keep hidden while 1921847 is][client-bounty-form][domsecurity-active]

There is a difference in impact since when we run with XSLT .xml file like in this report, we could've take over Camera, Microphone of Top Origin legitimate webcam site from <iframe> border too (PoC demo video: https://bugzilla.mozilla.org/attachment.cgi?id=9428129) unlike bug 1921733 where if we try same thing with html we ended up asking permission for Unknown origin instead which is shown in https://bugzilla.mozilla.org/attachment.cgi?id=9428127 and has been explained in bug 1921847 .

But in the end, the fix for bug 1921733 resolved both this and bug 1921847 .

Flags: needinfo?(proof131072)

Thank you, James. Marking as a duplicate (because of a shard root cause, not because of a shared exploit).

Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Duplicate of bug: CVE-2024-10458
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
No longer blocks: 1921847
Keywords: keep-hidden
Whiteboard: [fixed by 1921733][keep hidden while 1921847 is][client-bounty-form][domsecurity-active] → [fixed by 1921733][client-bounty-form][domsecurity-active]
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: