Anyone on the same Wi-Fi network can force websites to launch, with no user interaction.
A vulnerability in Firefox for Android paves the way for an attacker to launch websites on a victim’s phone, with no user interaction. The attack manifests in the form of a Firefox browser window on the target device suddenly launching, without the user’s permission. This can be used for various malicious attacks, or as the researcher points out, surprising victims with an auto-playing Rick Astley video.
To exploit the bug, an attacker would need to be connected to the same Wi-Fi network as the target, according to researcher Chris Moberly, who recently published details on the bug, along with a proof-of-concept (PoC) exploit.
“The target simply has to have the Firefox application running on their phone,” he explained. “They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control.”
The flaw exists in Firefox for Android’s Simple Service Discovery Protocol (SSDP) engine (68.11. and below). SSDP is a network protocol that’s used for the advertisement and discovery of network services and presence information.
In this case, the SSDP engine can be tricked into triggering what are known as Android intent Uniform Resource Identifiers (URIs). An “intent” is an abstract description of an operation to be performed. An intent allows developers to specify actions that can start an activity in another app (such as “view a map” or “take a picture”).
“The vulnerable Firefox version periodically sends out SSDP discovery messages, looking for second-screen devices to cast to (such as the Roku),” Moberly explained. “These messages are sent via UDP multicast to 184.108.40.206, meaning any device on the same network can see them. Any device on the local network can respond to these broadcasts.”
An attacker can respond to one of the “ready to cast” messages and provide the device running Firefox with a location to cast to, he said. Firefox will then attempt to access that location, expecting to find an XML file conforming to Universal Plug and Play (UPnP) specifications.
“This is where the vulnerability comes in,” Moberly wrote. “Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself.”
As a result, a specially crafted response can force an Android phone on the local network with Firefox running to suddenly launch a specific website. It can also be used to do this on all Android phones on a network.
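The check a client (or a network monitor) can apply to the behaviour described above, as an added example that is not Firefox's own code or Mozilla's actual fix: parse the SSDP response and refuse any LOCATION header that is not a plain HTTP(S) URL. The function names, the host-matching heuristic and the sample datagrams are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: UPnP device descriptions are only ever fetched over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample datagrams (not captured traffic).
BENIGN = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=3600\r\n"
          b"ST: upnp:rootdevice\r\nLOCATION: http://192.168.1.50:8060/\r\n\r\n")
CRAFTED = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
           b"LOCATION: intent://placeholder.invalid/#Intent;end\r\n\r\n")


def parse_ssdp_response(datagram: bytes) -> dict:
    """Parse an SSDP search response into {UPPERCASE_HEADER: value}."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP search response")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def check_location(datagram: bytes, sender_ip: str) -> str:
    """Return 'ok', or the reason the LOCATION must not be opened."""
    try:
        location = parse_ssdp_response(datagram).get("LOCATION")
        if not location:
            return "reject: missing LOCATION"
        parts = urlsplit(location)
    except ValueError as exc:
        return f"reject: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"reject: scheme '{parts.scheme}' is not http/https"
    # Heuristic (assumption): a device describes itself from its own address.
    if parts.hostname != sender_ip:
        return "reject: LOCATION host differs from responder"
    return "ok"


if __name__ == "__main__":
    print(check_location(BENIGN, "192.168.1.50"))
    print(check_location(CRAFTED, "192.168.1.66"))
```

The scheme allow-list is the part that addresses the flaw described here; the host comparison is an extra sanity check that may need relaxing for devices that legitimately host their description elsewhere.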
“This most definitely could have been an epic rick-roll, where everyone in the room running Firefox tried to figure out what the heck was going on,” the researcher said.
More malicious attacks could include launching a phishing page, or launching a direct link to an .XPI file, prompting for immediate installation of a malicious extension to compromise the browser itself. The bug could also be used to prompt someone to install a malicious package.
Moberly also found that other intents beyond launching a web browser can be invoked, too.
“Another example is to call other applications,” he said: In his PoC, he was able to start a mail application with arbitrary text. “Pretty scary to have happen on your device when you’re just minding your own business….However, that execution is not entirely arbitrary in that it can only call predefined application intents,” he said.
The bug — and the exploit — was confirmed by fellow researcher Lukas Stefanko:
Exploitation of LAN vulnerability discovered in Firefox for Android
I tested this PoC exploit on 3 devices on same wifi, it worked pretty well. I was able to open custom URL on every smartphone using vulnerable Firefox (68.11. and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq
— Lukas Stefanko (@LukasStefanko) September 18, 2020
Firefox quickly fixed the bug, so users should update their app to version 79 or above (this may have already been done automatically). People can verify that they’re up-to-date by navigating to “Settings -> About Firefox” and looking for the version number.