Thursday, May 24, 2018

CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox

In this blog post, I'd like to write about a CSP strict-dynamic bypass vulnerability that was fixed in Firefox 60.

https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5175
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a script-src policy of 'strict-dynamic'. If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the require.js library that is part of Firefox’s Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts.

What is 'strict-dynamic'?

Maybe you should just read the CSP spec :) https://www.w3.org/TR/CSP3/#strict-dynamic-usage
But for the sake of practicing writing in English, I'll explain strict-dynamic here. If you already know strict-dynamic, you don't have to read this section.

The well-known form of CSP restricts the loading of resources by whitelisting domains.
For example, the following CSP allows JavaScript to be loaded only from the page's own origin and trusted.example.com:
Content-Security-Policy: script-src 'self' trusted.example.com
Thanks to this CSP, even if the page has an XSS vulnerability, the page cannot execute inline scripts or JavaScript files from evil.example.org. That looks safe enough; however, if trusted.example.com hosts any script that can be used to bypass CSP, JavaScript execution is still possible. More specifically, if trusted.example.com has a JSONP endpoint, the policy might be bypassed like this:
<script src="//trusted.example.com/jsonp?callback=alert(1)//"></script>
If this endpoint reflects the user input passed in the callback parameter directly as the callback function name, the response becomes an arbitrary script:
alert(1)//({});
In addition, it is known that AngularJS can also be used to bypass CSP. This bypass possibility becomes more realistic when domains hosting many JavaScript files, such as CDNs, are whitelisted.

So it is sometimes difficult to operate a whitelist-based CSP safely. To resolve this problem, strict-dynamic was designed. Here is an example of its usage:
Content-Security-Policy: script-src 'nonce-secret' 'strict-dynamic'
This CSP means that the whitelist is disabled and only scripts carrying the "secret" string in their nonce attribute will load.
<!-- This will load -->
<script src="//example.com/assets/A.js" nonce="secret"></script>

<!-- This will not load -->
<script src="//example.com/assets/B.js"></script>
A.js might want to load and use another JavaScript file. To allow this, the CSP spec permits a script that has the proper nonce to load another script without a nonce, under specific conditions. In the words of the spec, a script element that is not "parser-inserted" is allowed to execute.

Below are concrete examples of which kinds of loading are permitted:
/* A.js */

//This will load
var script=document.createElement('script');
script.src='//example.org/dependency.js';
document.body.appendChild(script);

//This will not load
document.write("<scr"+"ipt src='//example.org/dependency.js'></scr"+"ipt>");
When the script is loaded using createElement(), the script element is non-"parser-inserted" and loading is allowed. On the other hand, when it is loaded using document.write(), the script element is "parser-inserted" and it is not loaded.

Up to this point, I've explained strict-dynamic roughly.

By the way, strict-dynamic is bypassable in some cases. Next, I'll introduce a known strict-dynamic bypass.

Known strict-dynamic bypass

It is known that strict-dynamic can also be bypassed if a specific library is used in the target page.

Google's Sebastian Lekies, Eduardo Vela Nava, and Krzysztof Kotowicz have listed the affected libraries here:

Let's look at the strict-dynamic bypass using require.js from this list.
Let's say the target page uses CSP with strict-dynamic, loads require.js and has a simple XSS. In this situation, if the following script element is injected, an attacker can execute arbitrary JavaScript without the proper nonce.
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-secret' 'strict-dynamic'">
<!-- XSS START -->
<script data-main="data:,alert(1)"></script>
<!-- XSS END -->
<script nonce="secret" src="require.js"></script>
When require.js finds a script element with a data-main attribute, it loads the script specified by that attribute using code equivalent to the following:
var node = document.createElement('script');
node.src = 'data:,alert(1)';
document.head.appendChild(node);
As described before, under strict-dynamic a script element created with createElement() is allowed to load without the proper nonce.

In this way, CSP strict-dynamic can be bypassed in some cases by using the behavior of JavaScript code that is already loaded in the page.
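To make the rules from the two sections above concrete, here is an added example (not code from the original post) that models how a browser decides whether a script element may run under a script-src policy: the host whitelist that lets the JSONP endpoint through, nonce matching, and 'strict-dynamic', under which a non-parser-inserted element such as the one require.js creates for data-main is allowed. The page URL target.example.net is a constructed value; hashes, 'unsafe-inline', default-src fallback and scheme or wildcard host matching are deliberately left out.

```javascript
// Added teaching model of CSP script-src evaluation (not the original post's
// code and not the full CSP3 algorithm). script = { src, nonce, parserInserted }.
// parserInserted is true for markup, injected HTML and document.write() output,
// and false for elements made with createElement() by already-running code.

function parseScriptSrc(policy) {
  // Return the source expressions of the script-src directive, or null if absent.
  const directive = policy.split(';')
    .map(d => d.trim())
    .find(d => d === 'script-src' || d.startsWith('script-src '));
  if (!directive) return null;
  return directive.slice('script-src'.length).trim().split(/\s+/).filter(Boolean);
}

function isScriptAllowed(policy, script, pageUrl) {
  const sources = parseScriptSrc(policy);
  if (!sources) return true;   // no script-src: nothing restricts scripts in this model

  // A matching nonce always wins, however the element got into the document.
  const nonces = sources
    .filter(s => /^'nonce-.+'$/.test(s))
    .map(s => s.slice("'nonce-".length, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;

  if (sources.includes("'strict-dynamic'")) {
    // Host whitelist and 'self' are ignored. Only scripts that trusted (nonced)
    // code created via createElement() are allowed; parser-inserted ones are not.
    return script.parserInserted === false;
  }

  // Classic whitelist: inline scripts are blocked, external ones must match a listed host.
  if (!script.src) return false;
  const host = new URL(script.src, pageUrl).host;
  return sources.some(s => s === "'self'" ? host === new URL(pageUrl).host
                                           : !s.startsWith("'") && s === host);
}

// Constructed demo: the require.js data-main case from the post.
const STRICT_POLICY = "default-src 'none';script-src 'nonce-secret' 'strict-dynamic'";
console.log(isScriptAllowed(STRICT_POLICY,
  { src: 'data:,alert(1)', parserInserted: false }, 'https://target.example.net/'));
```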

Firefox's vulnerability was caused by this behavior of require.js.
In the next section, I'll explain the vulnerability.

Universal strict-dynamic bypass (CVE-2018-5175)

Firefox implements some browser features using legacy extensions. "Legacy extensions" here means XUL/XPCOM-based extensions, the kind that was removed in Firefox 57, not WebExtensions. Even in the latest Firefox 60, the browser internals still use this mechanism.

In this bypass, we use a resource of a legacy extension that is used in the browser internals. In WebExtensions, setting the web_accessible_resources key in the manifest makes the listed resources accessible from any web page. Legacy extensions have a similar option, the contentaccessible flag. It could be used for bypassing CSP here because a require.js among the browser's internal resources was accessible from any web page due to the contentaccessible=yes flag.

Let's look at the manifest. If you are using 64-bit Firefox on Windows, you can view the manifest at the following URL:

jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/chrome/chrome.manifest
content branding browser/content/branding/ contentaccessible=yes
content browser browser/content/browser/ contentaccessible=yes
skin browser classic/1.0 browser/skin/classic/browser/
skin communicator classic/1.0 browser/skin/classic/communicator/
content webide webide/content/
skin webide classic/1.0 webide/skin/
content devtools-shim devtools-shim/content/
content devtools devtools/content/
skin devtools classic/1.0 devtools/skin/
locale branding ja ja/locale/branding/
locale browser ja ja/locale/browser/
locale browser-region ja ja/locale/browser-region/
locale devtools ja ja/locale/ja/devtools/client/
locale devtools-shared ja ja/locale/ja/devtools/shared/
locale devtools-shim ja ja/locale/ja/devtools/shim/
locale pdf.js ja ja/locale/pdfviewer/
overlay chrome://browser/content/browser.xul chrome://browser/content/report-phishing-overlay.xul
overlay chrome://browser/content/places/places.xul chrome://browser/content/places/downloadsViewOverlay.xul
overlay chrome://global/content/viewPartialSource.xul chrome://browser/content/viewSourceOverlay.xul
overlay chrome://global/content/viewSource.xul chrome://browser/content/viewSourceOverlay.xul
override chrome://global/content/license.html chrome://browser/content/license.html
override chrome://global/content/netError.xhtml chrome://browser/content/aboutNetError.xhtml
override chrome://global/locale/appstrings.properties chrome://browser/locale/appstrings.properties
override chrome://global/locale/netError.dtd chrome://browser/locale/netError.dtd
override chrome://mozapps/locale/downloads/settingsChange.dtd chrome://browser/locale/downloads/settingsChange.dtd
resource search-plugins chrome://browser/locale/searchplugins/
resource usercontext-content browser/content/ contentaccessible=yes
resource pdf.js pdfjs/content/
resource devtools devtools/modules/devtools/
resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes
resource devtools-client-shared resource://devtools/client/shared/ contentaccessible=yes
The part highlighted in the original post, the two resource lines for devtools and devtools-client-jsonview, is what makes the files accessible from any web site. These two lines create resource: URIs. The first, resource devtools devtools/modules/devtools/, maps the devtools/modules/devtools/ directory (it exists at jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/chrome/devtools/modules/devtools/) to resource://devtools/.
We can now access files under that directory by opening resource://devtools/ in Firefox. Likewise, the next line maps to resource://devtools-client-jsonview/. This URL is made web-accessible by the contentaccessible=yes flag, so the files placed under this directory can be loaded from any web page.
This directory contains a require.js that can be used for bypassing CSP. Just by loading this require.js into a page where CSP strict-dynamic is used, you can bypass strict-dynamic.
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-secret' 'strict-dynamic'">
<!-- XSS START -->
<script data-main="data:,alert(1)"></script>
<script src="resource://devtools-client-jsonview/lib/require.js"></script>
<!-- XSS END -->
With this code, the data: URL is loaded as a JavaScript resource and an alert dialog pops up.
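The manifest above is what an extension author or auditor would want to check for the flag that caused this bug. As an added example (not code from the original post or from Firefox), the following script audits chrome.manifest lines for registrations carrying contentaccessible=yes, reports the URL each one exposes, and resolves resource:// aliases through earlier resource lines so that the devtools-client-jsonview entry is traced back into the devtools tree it really exposes. The sample manifest is constructed from a subset of the lines quoted above.

```javascript
// Added auditing helper (not Firefox's code). URL forms follow the
// chrome.manifest conventions shown above:
//   content  <pkg>  <path> [flags]  -> chrome://<pkg>/content/
//   resource <name> <path> [flags]  -> resource://<name>/
// skin, locale, overlay and override lines do not expose files to web pages
// and are skipped.

function exposedResources(manifestText) {
  const resourceMap = new Map();   // resource name -> resolved directory
  const exposed = [];
  for (const rawLine of manifestText.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;           // blank lines and comments
    const [directive, name, target, ...flags] = line.split(/\s+/);
    if (directive !== 'content' && directive !== 'resource') continue;

    // If the target is itself a resource:// URL, resolve it via an earlier mapping,
    // so an exposed alias of a non-exposed tree is reported with its real directory.
    let path = target;
    const alias = /^resource:\/\/([^/]+)\/(.*)$/.exec(target);
    if (alias && resourceMap.has(alias[1])) path = resourceMap.get(alias[1]) + alias[2];
    if (directive === 'resource') resourceMap.set(name, path);

    if (!flags.some(f => f.toLowerCase() === 'contentaccessible=yes')) continue;
    exposed.push({
      url: directive === 'content' ? `chrome://${name}/content/` : `resource://${name}/`,
      path,
    });
  }
  return exposed;
}

// Constructed sample: a subset of the manifest lines quoted above.
const SAMPLE_MANIFEST = `
content branding browser/content/branding/ contentaccessible=yes
content browser browser/content/browser/ contentaccessible=yes
skin browser classic/1.0 browser/skin/classic/browser/
content devtools devtools/content/
resource devtools devtools/modules/devtools/
resource devtools-client-jsonview resource://devtools/client/jsonview/ contentaccessible=yes
resource devtools-client-shared resource://devtools/client/shared/ contentaccessible=yes
`;

for (const e of exposedResources(SAMPLE_MANIFEST)) {
  console.log(`${e.url} -> ${e.path}`);
}
```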

You might think, "Hmm, why is require.js loaded? It should be blocked by CSP because the script element does not have the proper nonce."

Actually, no matter how strictly you set CSP rules, the web-accessible resources of an extension are loaded regardless of the CSP. This behavior is mentioned in the CSP spec:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].
Firefox's resource: URIs also followed this rule. Thanks to this, users can use an extension's features as expected even on pages where CSP is set, but on the other hand, this privilege can sometimes be used for bypassing CSP, as in this bug's case.
Of course, this issue is not limited to browser-internal resources. The same thing happens with ordinary browser extensions if they have web-accessible resources that can be used to bypass CSP.

It seems that the Firefox folks fixed this bug by applying the page's CSP to resource: URIs.

In closing

I wrote about a CSP strict-dynamic bypass vulnerability in Firefox.

FYI, I found this issue when I was looking for another solution to the third level of the Cure53 CNY XSS Challenge 2018, which I made. In that challenge, I used a different trick to bypass strict-dynamic. Please check it out if you are interested.

Also, I created a different version of this XSS Challenge and I'm still waiting for your answer :)

Lastly, I'd like to thank Google's research which made me notice this bug. Thank you!
