Mozilla has addressed a vulnerability that can be abused by attackers to hijack all the Firefox for Android browsers on the same WiFi network and force them to visit malicious sites, such as pages delivering malware and phishing pages.
The vulnerability resides in the implementation of the Simple Service Discovery Protocol (SSDP) in Firefox. SSDP is a protocol of the Internet protocol suite used to advertise and discover network services and presence information on a local network.
The flaw was discovered by security researcher Chris Moberly of GitLab.
Once a device is discovered, the Firefox SSDP component retrieves the location of an XML file that describes that device's configuration.
“The SSDP engine in Firefox for Android (68.11.0 and below) can be tricked into triggering Android intent URIs with zero user interaction. This attack can be leveraged by attackers on the same WiFi network and manifests as applications on the target device suddenly launching, without the users’ permission, and conducting activities allowed by the intent.” wrote Moberly.
“The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s WiFi, and their device will start launching application URIs under the attacker’s control.”
Moberly discovered that in older versions of Firefox it is possible to hide Android “intent” commands in this XML location, tricking the Firefox browser into executing the “intent.” The intent could be a regular command that instructs the browser to visit a specific link.
An attacker connecting to the WiFi network could launch a script on their laptop that sends out malformed SSDP packets.
Any Android user connected to the same WiFi who is browsing the web with Firefox would have their browser hijacked to a malicious site.
“Any device on the local network can respond to these broadcasts and provide a location to obtain detailed information on a UPnP device. Firefox will then attempt to access that location, expecting to find an XML file conforming to the UPnP specifications.” added the expert.
“This is where the vulnerability comes in. Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself.”
Below is an example of a message that would force any Android phone on the local network with Firefox running to visit the http://example.com page:

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Tue, 16 Oct 2018 20:17:12 GMT
EXT:
LOCATION: intent://example.com/#Intent;scheme=http;package=org.mozilla.firefox;end
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: uuid:7f7cc7e1-b631-86f0-ebb2-3f4504b58f5c
SERVER: UPnP/1.0
ST: roku:ecp
USN: uuid:7f7cc7e1-b631-86f0-ebb2-3f4504b58f5c::upnp:rootdevice
BOOTID.UPNP.ORG: 0
CONFIGID.UPNP.ORG: 1
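The root cause described in the quotes above is that the discovery client handed whatever it found in LOCATION to the platform's URI handler instead of insisting on an http(s) URL for the device-description XML. The following checker is an added example written for this article (it is not Moberly's proof-of-concept code, nor Mozilla's fix) showing the validation an SSDP client or a passive network monitor should apply: parse the SSDP reply, read LOCATION, and accept it only if it is an absolute http or https URL with a host. The malicious sample is the article's own message re-joined with CRLF line endings; the benign sample and its 192.168.1.20 host are constructed for contrast.

```python
"""Validate the LOCATION header of SSDP (HTTP-over-UDP) responses.

Added example for this article; not code from the article, Mozilla or GitLab.
An SSDP client should fetch device descriptions only from http(s) URLs, so
any other scheme (such as the intent:// URI quoted in the article) is rejected.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed sample: the article's malicious response with CRLF line endings.
MALICIOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "DATE: Tue, 16 Oct 2018 20:17:12 GMT\r\n"
    "EXT:\r\n"
    "LOCATION: intent://example.com/#Intent;scheme=http;package=org.mozilla.firefox;end\r\n"
    'OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01\r\n'
    "01-NLS: uuid:7f7cc7e1-b631-86f0-ebb2-3f4504b58f5c\r\n"
    "SERVER: UPnP/1.0\r\n"
    "ST: roku:ecp\r\n"
    "USN: uuid:7f7cc7e1-b631-86f0-ebb2-3f4504b58f5c::upnp:rootdevice\r\n"
    "BOOTID.UPNP.ORG: 0\r\n"
    "CONFIGID.UPNP.ORG: 1\r\n"
    "\r\n"
)

# Constructed benign sample: a normal device-description URL on the LAN.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.1.20:8060/dial/dd.xml\r\n"
    "SERVER: UPnP/1.0\r\n"
    "ST: roku:ecp\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)

# Only these schemes may carry a UPnP device-description document.
ALLOWED_SCHEMES = {"http", "https"}


def parse_ssdp(raw: str) -> Dict[str, str]:
    """Split an SSDP response into {HEADER-NAME: value}.

    Returns an empty dict when the status line is not 'HTTP/1.1 200', so a
    malformed or non-success reply is never treated as a discovered device.
    Header names are upper-cased because SSDP header names are case-insensitive.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore rather than guess
        headers[name.strip().upper()] = value.strip()
    return headers


def check_location(raw: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the LOCATION header of an SSDP response.

    ok is True only when LOCATION is an absolute http(s) URL with a host;
    any other scheme, a missing host or a missing header is rejected, and the
    reason string says why so it can be logged by a monitor.
    """
    headers = parse_ssdp(raw)
    if not headers:
        return False, "malformed or non-200 SSDP response"
    location = headers.get("LOCATION")
    if not location:
        return False, "missing LOCATION header"
    parts = urlsplit(location)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"LOCATION uses non-http scheme '{parts.scheme}'"
    if not parts.hostname:
        return False, "LOCATION has no host"
    return True, "LOCATION is an http(s) device-description URL"


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_RESPONSE), ("benign", BENIGN_RESPONSE)):
        ok, reason = check_location(sample)
        print(f"{label}: {'accept' if ok else 'REJECT'} ({reason})")
```

Run as a script it prints one line per sample; the article's message is rejected with the scheme named in the reason. The same `check_location` can be fed replies captured from UDP port 1900 on a network sensor to alert on rogue responders, since a legitimate UPnP device never advertises a non-http LOCATION.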
Moberly also published proof-of-concept code that could be used to exploit the bug, along with two proof-of-concept videos, one by Moberly himself and one by the popular ESET security researcher Lukas Stefanko.
Moberly reported the vulnerability to Mozilla earlier this summer; the company addressed the flaw with the release of Firefox 79.
The expert pointed out that desktop versions of Firefox were not affected.
(SecurityAffairs – hacking, Mozilla)