Closed Bug 1929478 Opened 11 months ago Closed 7 months ago

File name encryption leak via logcat in gecko-dev

Categories

(Firefox for Android :: Privacy, defect, P2)

All
Android
defect

Tracking

RESOLVED FIXED
138 Branch
Tracking Status
firefox137 --- wontfix
firefox138 --- fixed

People

(Reporter: jsy01311, Assigned: Gela)

Details

(Keywords: csectype-disclosure, reporter-external, sec-low, Whiteboard: [fxdroid][adv-main138+])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36

Steps to reproduce:

In the gecko-dev repo, mobile/android/geckoview/src/main/java/org/mozilla/gecko/mozglue/GeckoLoader.java contains the getLibraryBase() function.
Below is the current getLibraryBase() implementation.

private static String getLibraryBase() {
  final String mozglue = getLibraryPath("mozglue");
  final int lastSlash = mozglue.lastIndexOf('/');
  if (lastSlash < 0) {
    throw new IllegalStateException("Invalid library path for libmozglue.so: " + mozglue);
  }
  final String base = mozglue.substring(0, lastSlash);
  Log.i(LOGTAG, "Library base=" + base);
  return base;
}

The getLibraryBase() function is invoked when loading "libmozglue.so", and if the program finds the proper "libmozglue.so" path, it logs the library base path via logcat.

The actual leaked library path is as follows:
[GeckoLoader] : Library base=/data/app/~~qkAeVJGOlZ0Apq_PpQdTIg==/org.mozilla.firefox-8PIGPChA_OTpafn560fZwQ==/lib/arm64

Actual results:

An attacker can read the encrypted library path and access the application installation path.

  1. Log Info Disclosure

Log Info Disclosure is a type of vulnerability where apps print sensitive data into the device log.
As mentioned in the official privacy-and-security document, logging sensitive information to logcat is dangerous. Although reading another application's logcat information needs the READ_LOGS permission, which can be granted to privileged system apps, Android supports an incredibly diverse set of devices whose pre-loaded applications sometimes declare the READ_LOGS privilege, which lets them read other applications' logcat information. So, logcat should contain general information that other apps can access without any additional permission.

  2. File name encryption leak

Android 7.0 and higher supports file-based encryption (FBE) (https://source.android.com/docs/security/features/encryption/file-based). FBE contains not only file content encryption, but also file name encryption. For example in AOSP, they encrypt file names with AES-256 in CBC-CTS mode.

By using file name encryption, Android can prevent an application from accessing another application's data. More precisely, even if malware knows the current device has the Firefox application, the malware cannot access the Firefox installation path because of file name encryption. Without file name encryption, because all applications except system applications are stored under the /data/app path, and the Firefox package name is org.mozilla.firefox, malware can guess the app installation path and access it. But with file name encryption like "/data/app/~~qkAeVJGOlZ0Apq_PpQdTIg==/org.mozilla.firefox-8PIGPChA_OTpafn560fZwQ==/", an attacker cannot guess the app installation path and cannot access it.

Expected results:

  1. Set logging level to "DEBUG" mode
    The library base path leaked by the above function is information that is needed in debugging steps.
    But the getLibraryBase() function uses the Log.i logging function, which logs even in release mode.
    The best option is to create a wrapper logging function to control the logging level.
    For example, androidx implements a wrapper logging function and sets the logging level according to the current application status.
    The second option is to use the Log.d function instead of the Log.i function.
    The Log.d function is optimized out when ProGuard or R8 is used, so Log.d information doesn't leak in release mode.
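
Added example, not part of the original report or of Firefox's code: a small audit script that scans captured logcat output for install paths of the shape shown above and reports which tag and priority emitted them, plus a redaction helper for log messages. It assumes the `adb logcat -v threadtime` line layout; the function names and sample lines are constructed for illustration, and the default INFO threshold follows the report's concern about Log.i output in release builds.

```python
import re

# Constructed sample in `adb logcat -v threadtime` layout. The first line reuses
# the path quoted in the report; timestamps, PIDs and the other lines are made up.
SAMPLE_LOGCAT = """\
11-05 10:15:01.120  4321  4321 I GeckoLoader: Library base=/data/app/~~qkAeVJGOlZ0Apq_PpQdTIg==/org.mozilla.firefox-8PIGPChA_OTpafn560fZwQ==/lib/arm64
11-05 10:15:01.130  4321  4350 D ExampleTag: cache dir=/data/app/~~AAAAAAAAAAAAAAAAAAAAAA==/com.example.app-BBBBBBBBBBBBBBBBBBBBBB==/base.apk
11-05 10:15:01.140  4321  4350 I ExampleTag: startup finished in 412 ms
11-05 10:15:01.150  4321  4350 W ExampleTag: fallback path /data/app/com.example.app-1/lib
"""

# threadtime layout: date time PID TID priority tag: message
LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+"
    r"(?P<prio>[VDIWEF])\s+(?P<tag>.*?)\s*: (?P<msg>.*)$"
)
# Install directory of the shape shown in the report:
# /data/app/~~<token>==/<package>-<token>==
PATH_RE = re.compile(
    r"/data/app/~~[A-Za-z0-9_-]+={0,2}/"
    r"(?P<pkg>[A-Za-z0-9_.]+)-[A-Za-z0-9_-]+={0,2}"
)
PRIORITY_ORDER = "VDIWEF"  # verbose < debug < info < warn < error < fatal


def find_install_path_leaks(log_text, min_priority="I"):
    """Return (line_no, priority, tag, package) for each leaking line."""
    floor = PRIORITY_ORDER.index(min_priority)
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parsed = LINE_RE.match(line)
        if parsed is None:
            continue  # not a threadtime record (banner, continuation, ...)
        if PRIORITY_ORDER.index(parsed["prio"]) < floor:
            continue  # below the priority the audit cares about
        for hit in PATH_RE.finditer(parsed["msg"]):
            findings.append((line_no, parsed["prio"], parsed["tag"], hit["pkg"]))
    return findings


def redact_install_paths(text):
    """Replace the two random path components, keeping the package name."""
    return PATH_RE.sub(lambda m: "/data/app/<redacted>/" + m["pkg"] + "-<redacted>", text)


if __name__ == "__main__":
    for finding in find_install_path_leaks(SAMPLE_LOGCAT):
        print(finding)
```

Passing `min_priority="D"` widens the audit to debug-level lines, which is useful when checking a debug build before deciding what may stay in the log.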

The severity field is not set for this bug.
:Gela, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(gmalekpour)
Group: mobile-core-security
Assignee: nobody → gmalekpour
Flags: needinfo?(gmalekpour)
Whiteboard: [fxdroid]

The risk to the average user of setting the log level to DEBUG is pretty small

Severity: -- → S3
Priority: -- → P2
Attachment #9472882 - Attachment description: WIP: Bug 1929478 - Update log statement → Bug 1929478 - Update log statement
Group: mobile-core-security → core-security-release
Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
Whiteboard: [fxdroid] → [fxdroid][adv-main138+]
Attached file advisory.txt
Group: core-security-release