Android firefox users at risk
The vulnerability has been patched, so don’t worry if your Firefox mobile app version is above V79.
LAN-Based Intent Triggering
Let’s have a peek into it shall we?
Proof of Concept:-
First, just open Firefox on your Android device and let it sit there.
Next, run the exploit on a Linux laptop that is connected to the same wireless network as your Android device. The Android emulator will work, as well. Disable the firewall on your laptop while testing, or at least permit UDP broadcasts to be received.
# Replace "wlan0" with the wireless device on your attacking machine.
python3 ./ffssdp.py wlan0 -t "intent://example.com/#Intent;scheme=http;package=org.mozilla.firefox;end"
Firefox on the mobile device should go to http://example.com within a few seconds, and you’ll see some logging in the attack tool as well.
Another example is to call other applications. Running the attack tool like this will pop the mail application with arbitrary text. Pretty scary to have happen on your device when you’re just minding your own business:
# Replace "wlan0" with the wireless device on your attacking machine.
python3 ./ffssdp.py wlan0 -t "mailto:itpeeps@work.com?subject=I've%20been%20hacked&body=OH%20NOES!!!"
And one more, just for testing purposes. This will just pop the dialer:
# Replace "wlan0" with the wireless device on your attacking machine.
python3 ./ffssdp.py wlan0 -t "tel://1337h825012"
Why is this happening?
The vulnerable Firefox version periodically sends out SSDP discovery messages, looking for second-screen devices to cast to (such as the Roku). These messages are sent via UDP multicast to 239.255.255.250, meaning any device on the same network can see them. If you run Wireshark on your LAN, you will probably see something on your network doing the same. A discovery message from Firefox looks like this:
M-SEARCH * HTTP/1.1
Host: 239.255.255.250:1900
ST: roku:ecp
Man: "ssdp:discover"
MX: 3
Any device on the local network can respond to these broadcasts and provide a location to obtain detailed information on a UPnP device. Firefox will then attempt to access that location, expecting to find an XML file conforming to the UPnP specifications.
This is where the vulnerability comes in. Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself.
For example, responding with a message like the following would force any Android phone on the local network with Firefox running to suddenly launch a browser to http://example.com:
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Tue, 16 Oct 2018 20:17:12 GMT
EXT:
LOCATION: intent://example.com/#Intent;scheme=http;package=org.mozilla.firefox;end
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: uuid:7f7cc7e1-b631-86f0-ebb2-3f4504b58f5c
SERVER: UPnP/1.0
ST: roku:ecp
USN: uuid:7f7cc7e1-b631-86f0-ebb2-3f4504b58f5c::upnp:rootdevice
BOOTID.UPNP.ORG: 0
CONFIGID.UPNP.ORG: 1
What is SSDP?
SSDP stands for Simple Service Discovery Protocol.
How can we exploit it?
It’s very simple to exploit: the hacker only has to be on the same network as the victim and send spoofed, modified SSDP packets, and the hacker’s part is done. The victim just has to have Firefox running in the background or be using it as usual.
The hacker then controls where the victim gets diverted to.
Though this is patched, imagine how many IoT devices are left unprotected and vulnerable to such simple exploits.
This exploit only works over Wi-Fi.
Check out this video; it’s a sample demonstration of the exploit.
Bug Reported by:-
Exploit research and development by Chris Moberly (Twitter: @init_string)
Thanks for reading 😃.