Closed Bug 1929156 (CVE-2025-0239) Opened 11 months ago Closed 10 months ago

Only the first Alt-Svc ALPN negotiation is verified

Tracking

()

Status:

VERIFIED FIXED

Milestone:

135 Branch

Tracking Flags:

Tracking

Status

firefox-esr115

wontfix

firefox-esr128

134+

verified

firefox133

---

wontfix

firefox134

verified

firefox135

verified

People

(Reporter: pspaul95+bugzilla, Assigned: valentin)

References

Details

(Keywords: csectype-sop, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][necko-triaged][necko-priority-queue][adv-main134+][adv-ESR128.6+])

Attachments

(7 files)

alt-svc-reproducer.zip 11 months ago Frederik Braun [:freddy] 7.78 KB, application/zip		Details
Bug 1929156 - Check negotiated ALPN matches altSvc protocol r=#necko 11 months ago Valentin Gosu [:valentin] (he/him) 48 bytes, text/x-phabricator-request	tjr : sec-approval+	Details \| Review
Bug 1929156 - Test that ALPN token is checked r=#necko 11 months ago Valentin Gosu [:valentin] (he/him) 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1929156 - Check negotiated ALPN matches altSvc protocol r=#necko 10 months ago Valentin Gosu [:valentin] (he/him) 48 bytes, text/x-phabricator-request	phab-bot : approval-mozilla-beta+	Details \| Review
Terminal output Win11, macOS13, Ubuntu22.04.txt 10 months ago Bianca Hidecuti, Desktop Test Engineering [:bhidecuti] 1.86 KB, text/plain		Details
Bug 1929156 - Check negotiated ALPN matches altSvc protocol r=#necko 10 months ago Valentin Gosu [:valentin] (he/him) 48 bytes, text/x-phabricator-request	phab-bot : approval-mozilla-esr128+	Details \| Review
advisory.txt 9 months ago Frederik Braun [:freddy] 187 bytes, text/plain		Details

pspaul

Reporter

Description

•

11 months ago

Version: Firefox 131.0.3 (64-bit)
OS: Manjaro Linux 24.1.1

How was this issue discovered?
Manual testing. I was researching cross-protocol attacks using the Alt-Svc header when I found this bypass.

General Description:

The Alt-Svc spec's section 2.4 (https://httpwg.org/specs/rfc7838.html#switching) mandates that the browser verifies that the alternative service negotiates the correct protocol, for example via ALPN:

If the connection to the alternative service does not negotiate the expected protocol (for example, ALPN fails to negotiate h2, or an Upgrade request to h2c is not accepted), the connection to the alternative service MUST be considered to have failed.

Firefox only verifies this for the first connection but not for subsequent ones. Therefore, a Man-in-the-Middle attacker can bypass the ALPN check by forwarding the first connection to a valid server, closing the connection after some time, and forwarding all subsequent requests to a different server.

The PoC demonstrates this by running three TLS servers, all using the same certificate:

HTTP/1.1 on port :8443 (ALPN offers http1.1)
HTTP/2 on port :8444 (ALPN offers h2)
Plain TLS on port :8445 (ALPN list is empty)

Firefox should never use the alternative service h2=":8445" because ALPN will not negotiate h2. However, by forwarding the first request to :8444, which correctly negotiates h2, Firefox can be tricked into trusting all later connections.

Steps to reproduce:

Start the PoC: node server.js
Add 127.0.0.1 foo.example.com to your /etc/hosts file
Visit https://foo.example.com:8443/?alt-svc=:1337 in Firefox
Accept the self-signed certificate warning (or replace privkey.pem and fullchain.pem with valid certificates before step 1)
Now the following should happen:
1. The page will first be served via HTTP/1.1 over TLS from :8443, delivering the Alt-Svc: h2=":1337" header
2. After 1 second, the page refreshes, causing the browser to make the first connection to the attacker's alternative service on :1337
3. The attacker forwards this first request to the legitimate HTTP/2 server on :8444
4. The new page loads, showing that it was loaded via HTTP/2
5. The attacker now closes the forwarded connection between the browser and the HTTP/2 server
6. The page then refreshes again, causing the browser to open a new connection to the attacker on :1337
7. The attacker now forwards the request to the invalid TLS server at :8445
8. The page loads, showing that it was loaded from :8445, which shouldn't happen

The PoC script's output should demonstrate the same:

[h1] GET /?alt-svc=:1337
[attacker] Forwarding to h2 (:8444)
[h1] GET /favicon.ico
[h2] GET /?refresh
[attacker] Terminating first connection
[attacker] Forwarding to plain (:8445)
[plain] Got connection
[plain] Got data: GET / HTTP/1.1
[plain] Got data: Host: foo.example.com:8443
[plain] Got data: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
...

I also recorded a demo of the PoC, I hope you enjoy it ;)

Root cause analysis:

I'm not very familiar with the Firefox code base, but it looks like TRRServiceChannel::BeginConnect() is consulting the Alt-Svc cache here: https://searchfox.org/mozilla-central/rev/387f3edbef37d31b2e91fb0812c74b54729e86ff/netwerk/protocol/http/TRRServiceChannel.cpp#405-407

If there's a matching entry, it means that the alternative service was previously validated, and Firefox connects to the mConnectionInfo from the cache entry instead of the original one.

I think the problem here is that the Alt-Svc cache holds the validation state. To me, the spec sounds like each new TLS connection needs to do the validation individually to prevent a Man-in-the-Middle attacker from switching the destination server at some point.

Flags: sec-bounty?

Frederik Braun [:freddy]

Comment 1

•

11 months ago

Attached file alt-svc-reproducer.zip — Details

Looks like the attachment did not make it through yet. Submitting for pspaul.

Frederik Braun [:freddy]

Comment 2

•

11 months ago

Only the first Alt-Svc ALPN negotiation is verified

Security Approval Request

beta Uplift Approval Request

esr128 Uplift Approval Request