
Through the Competitive World of Bug Bounty
(document title on this site: System Security Vulnerability Analysis)

Found 30 bugs in Firefox and received rewards of $70,000+ from Mozilla:
Bug 1065909, Bug 1109276, Bug 1162018, Bug 1196740, Bug 1223743, Bug 1069762, Bug 1148328, Bug 1162411, Bug 1198078, Bug 1224529, Bug 1080987, Bug 1149094, Bug 1164397, Bug 1207556, Bug 1224906, Bug 1101158, Bug 1157216, Bug 1190038, Bug 1208520, Bug 1224910, Bug 1102204, Bug 1158715, Bug 1190139, Bug 1208525, Bug 1227462, Bug 1106713, Bug 1160069, Bug 1192595, Bug 1208956, Bug 1258188

Bug Bounty Programs are Competitive
- Avoiding duplicates required a lot of time and technique (screenshot shown: Bug 1084981 - Poodlebleed, show_bug.cgi?id=1084981).
- Hunting schedule: weekdays, hunt 4:00-7:00; weekend, hunt 4:00-7:00. Hunting time is limited (4:00-7:00 AM).
- This talk gives some tips from my experience with the Firefox bug bounty program: find and create uncontested bounty targets.
(Fox-keh (C) 2006 Mozilla Japan)

Tip #1: Find Bugs in Web Platforms
- Browsers and the networking features of an OS are less competitive targets.
- There are common pitfalls that are not widely known. Developers make similar mistakes whenever they introduce new features, so try the same attack scenario on similar features.
- Learn known bugs from security advisories: Mozilla Foundation Security Advisories, https:/en-US/security/advisories/

Example: Improper Handling of HTTP Redirect

    browser        -> victim.server : request to victim
    victim.server  -> browser       : Location: evil (redirect to evil)
    evil.server    -> browser       : final response from evil

Developers expect the following code to get a response only from victim:

    if( request.url.indexOf("http://victim.server/") == 0 ) {
      resource = http.get(request.url);
      parse(resource);
    }

But it is still possible to load a resource from evil: http.get() follows the HTTP redirect, so the resource from evil might be parsed and used.

Similar bugs were found in browsers other than Firefox:
- Firefox: Bug 1111834 - Cross-origin restriction bypass in navigator.sendBeacon; Bug 1164397 - Origin confusion in cache data of Service Workers; Bug 1196740 - Cross-origin restriction bypass in Subresource Integrity (SRI)
- Chrome: CVE-2015-6762 - Cross-origin restriction bypass in CSS Font Loading API
- Safari: CVE-2016-1782 - Non-http port banning bypass in WebKit

Tip #2: Find Bugs in Unstable Features
- e.g. Firefox Nightly builds, Chrome Beta and Dev.
- Unstable features in development builds are eligible for a bounty.

Example: Subresource Integrity (SRI)
- 2015.08.13: SRI was enabled in Nightly.
- 2015.08.20: Reported the first security bug in SRI, 7 days later.

More examples:
- 2016.01 - Service Workers implemented in Firefox 44: reported an origin confusion (Bug 1162018) on Nightly 41 in 2015.05.
- 2016.08 - Web Extensions planned for Firefox 48: reported a privilege escalation (Bug 1227462) on Nightly 45 in 2015.11.
- 2015.12 - Decided not to support HTML Imports in Firefox: reported a sandbox bypass (Bug 1106713) on Nightly 37 in 2014.12.

Tip #3: Find Bugs in Sub Products
- Firefox OS: smartphone and smart TV OS based on the Firefox browser. All applications are made with HTML5. Its new brand name is B2G OS.
- Slide exchange: "All applications are made with HTML5" / "Type pwn" / "Yes, we know".
- Pre-installed applications run with higher privilege.
- They are protected with Content Security Policy (CSP), i.e. XSS doesn't work. But HTML tag injection still works fine.

Example: Special Iframe Tag Injection
- Firefox OS supports a special iframe that can embed another app in the frame (e.g. embed the FM Radio app).
- Inject the special iframe: FM Radio works inside the injected frame.
- Finally reported 7 similar bugs and received rewards of $20,000+ from Mozilla (see the bug list above).

Firefox for Android
- Firefox for Android is also in scope of the bounty program.
- There are many Android-specific features and pitfalls, e.g. improper intent handling.

Example: UXSS in Intent URL Scheme
- Intent scheme URL links let a web page launch another app. The link carries the application you want to launch (package=com.google.android.apps.map) and the web site URL to open if the application doesn't exist (S.browser_fallback_url).
- Firefox unintentionally allowed any kind of URL as the fallback, so a JavaScript URL (javascript%3Aalert(1)) also worked.
- Sequence: the attacker opens the victim, w = window.open("victim"); then sets w.location = "intent:..."; the specified JS runs on the other (victim) origin.

Firefox for iOS
- Firefox for iOS is eligible for a bounty, but this is not officially announced.
- Due to Apple's restrictions, Firefox for iOS uses WKWebView to load and render web content. A flaw in WKWebView is ineligible, since it is out of Mozilla's control.

Example: XSS in a Browser Internal Page
- Firefox for iOS serves its browser internal pages from a local web server:

    Firefox for Desktop    Firefox for iOS
    about:home             http://localhost:6571/about/home
    about:license          http://localhost:6571/about/license
    about:sessionrestore   http://localhost:6571/about/sessionrestore

- about:sessionrestore is the Firefox feature for restoring the previous browsing session after a crash.
- The URL to restore can be set by the query parameter "history" (mozilla/firefox-ios, SessionRestore.html on GitHub: /mozilla/firefox-ios/blob/6ab27d75e0c3365b1decffff678072a9224f149f/Client/Assets/SessionRestore.html).
- "history" is parsed as JSO
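The redirect pitfall under Tip #1 is easiest to see with a client that follows redirects and reports where the body actually came from. The following is an added example, not code from the slides or from Firefox: SERVERS, httpGet(), loadVulnerable() and loadHardened() are constructed stand-ins, and the "fix" shown (re-checking the origin of the final URL) is one of the two usual remedies, the other being to refuse redirects outright.

```javascript
// Added example, not code from the slides: a model of the "Improper Handling
// of HTTP Redirect" pitfall. SERVERS and httpGet() are constructed stand-ins
// for a redirect-following HTTP client; nothing touches the network.

// Constructed responses: one victim.server path redirects to evil.server.
const SERVERS = {
  'http://victim.server/data.json': { status: 302, location: 'http://evil.server/payload.json' },
  'http://victim.server/safe.json': { status: 200, body: '{"from":"victim"}' },
  'http://evil.server/payload.json': { status: 200, body: '{"from":"evil"}' },
};

// Stand-in for http.get(): follows redirects like a typical client, but also
// reports the URL the body was finally fetched from.
function httpGet(url, maxRedirects = 5) {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const resp = SERVERS[current];
    if (!resp) throw new Error('no constructed route for ' + current);
    if (resp.status === 302) { current = resp.location; continue; }
    return { finalUrl: current, body: resp.body };
  }
  throw new Error('too many redirects');
}

// Compare full origins (scheme + host + port) rather than a string prefix.
const TRUSTED_ORIGIN = new URL('http://victim.server/').origin;

function sameTrustedOrigin(url) {
  try { return new URL(url).origin === TRUSTED_ORIGIN; } catch (e) { return false; }
}

// The pattern on the slide: only the *requested* URL is checked, so a 302
// from victim.server silently swaps in evil.server's body.
function loadVulnerable(requestUrl) {
  if (!sameTrustedOrigin(requestUrl)) return null;
  const resource = httpGet(requestUrl);
  return JSON.parse(resource.body);
}

// Hardened: also check the origin of the URL the body actually came from.
// (The other common fix is to refuse redirects entirely, e.g. fetch() with
// redirect: 'error'.)
function loadHardened(requestUrl) {
  if (!sameTrustedOrigin(requestUrl)) return null;
  const resource = httpGet(requestUrl);
  if (!sameTrustedOrigin(resource.finalUrl)) return null; // redirected off-origin
  return JSON.parse(resource.body);
}

console.log('vulnerable:', loadVulnerable('http://victim.server/data.json')); // { from: 'evil' }
console.log('hardened:  ', loadHardened('http://victim.server/data.json'));   // null
```

The same shape (request-time check, redirect-following fetch, no post-fetch check) is what the sendBeacon, Service Worker cache and SRI bugs listed above have in common; when reviewing code that gates a fetch on its URL, look for where the response's final URL is checked, not just the request's.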
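The Firefox for Android intent bug comes down to accepting any scheme in S.browser_fallback_url. Below is an added example, not code from the slides or from Firefox, of the defender-side check a browser needs: parse the extras of an intent: link and accept the fallback only when it is an absolute http(s) URL. parseIntentExtras() and safeFallbackUrl() are names chosen here; the "#Intent;...;end" syntax and the package= and S.browser_fallback_url= fields are Android's own, and the sample links are constructed.

```javascript
// Added example, not code from the slides: a defender-side check for the
// fallback URL carried in an Android intent: link. parseIntentExtras() and
// safeFallbackUrl() are names chosen for this example.

// Extract the key=value extras between "#Intent;" and ";end".
function parseIntentExtras(intentUrl) {
  if (!intentUrl.startsWith('intent:')) throw new Error('not an intent: URL');
  const start = intentUrl.indexOf('#Intent;');
  if (start < 0) throw new Error('missing #Intent; fragment');
  const end = intentUrl.indexOf(';end', start);
  if (end < 0) throw new Error('missing ;end terminator');
  const extras = {};
  for (const field of intentUrl.slice(start + '#Intent;'.length, end).split(';')) {
    const eq = field.indexOf('=');
    if (eq > 0) extras[field.slice(0, eq)] = field.slice(eq + 1);
  }
  return extras;
}

// Return the fallback URL only if it is an absolute http(s) URL. A
// javascript:, data:, file: or scheme-less value yields null, so the browser
// has nothing to navigate to when the target app is not installed.
function safeFallbackUrl(intentUrl) {
  const raw = parseIntentExtras(intentUrl)['S.browser_fallback_url'];
  if (raw === undefined) return null;
  let parsed;
  try {
    parsed = new URL(decodeURIComponent(raw));
  } catch (e) {
    return null; // malformed percent-encoding or not an absolute URL
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Constructed sample links for a local run.
const GOOD = 'intent://maps/#Intent;package=com.google.android.apps.map;' +
             'S.browser_fallback_url=https%3A%2F%2Fexample.com%2Fmaps;end';
const BAD  = 'intent://maps/#Intent;package=com.google.android.apps.map;' +
             'S.browser_fallback_url=javascript%3Aalert(1);end';
console.log(safeFallbackUrl(GOOD)); // https://example.com/maps
console.log(safeFallbackUrl(BAD));  // null
```

The scheme allow-list is applied after percent-decoding and after parsing with the URL parser, so encoded or relative values cannot slip past a naive string comparison; in a real browser the same check belongs at the point where the fallback navigation is issued, in the context of the page that carried the link.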
