A vulnerability in Firefox for Android paves the way for an attacker to launch websites on a victim’s phone, with no user interaction. The attack manifests in the form of a Firefox browser window on the target device suddenly launching, without the user’s permission. This can be used for various malicious attacks, or, as the researcher points out, for surprising victims with an auto-playing Rick Astley video.
To exploit the bug, an attacker would need to be attached to the same Wi-Fi network as the target, according to researcher Chris Moberly, who recently published details on the bug, along with a proof-of-concept (PoC) exploit.
“The target simply has to have the Firefox application running on their phone,” he explained. “They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control.”
The flaw exists in Firefox for Android’s Simple Service Discovery Protocol (SSDP) engine (68.11.0 and below). The SSDP is a network protocol that’s used for the advertisement and discovery of network services and presence information.
In this case, the SSDP engine can be tricked into triggering what are called Android intent Uniform Resource Identifiers (URIs). An “intent” is an abstract description of an operation to be performed. An intent allows developers to specify actions that can start an activity in another app (such as “view a map” or “take a picture”).
“The vulnerable Firefox version periodically sends out SSDP discovery messages, looking for second-screen devices to cast to (such as the Roku),” Moberly explained. “These messages are sent via UDP multicast to 220.127.116.11, meaning any device on the same network can see them. Any device on the local network can respond to these broadcasts.”
A malicious attacker can respond to one of the “ready to cast” messages and provide the device running Firefox with a location to cast to, he said. Firefox will then attempt to access that location, expecting to find an XML file conforming to universal plug-and-play (UPnP) specifications.
“This is where the vulnerability comes in,” Moberly wrote. “Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself.”
Thus, a specially crafted response can force an Android phone on the local network with Firefox running to suddenly launch a specific website. It can also be used to do this on all Android phones on a network.
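The check a client or a network monitor would apply to the SSDP reply described above, written as an added example that is not from the article or from Moberly’s PoC: it parses the HTTP-style headers of an SSDP response and flags a LOCATION whose scheme is anything other than http or https, which is exactly the intent: URI trick the bug relies on. Both responses are constructed; the Roku-style ST value and the 192.0.2.10 address are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample SSDP responses (not captured from a real device).
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=3600\r\n"
    b"ST: roku:ecp\r\n"
    b"USN: uuid:constructed-example-0001::roku:ecp\r\n"
    b"LOCATION: http://192.0.2.10:8060/\r\n"
    b"\r\n"
)
SUSPICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"ST: roku:ecp\r\n"
    b"USN: uuid:constructed-example-0002::roku:ecp\r\n"
    b"LOCATION: intent://example.invalid/#Intent;scheme=http;end\r\n"
    b"\r\n"
)


def parse_ssdp_headers(raw: bytes) -> dict:
    """Parse the header block of an SSDP message into a dict.

    Header names are case-insensitive in SSDP, so keys are upper-cased.
    The first line (status or request line) is skipped."""
    text = raw.decode("utf-8", errors="replace")
    headers = {}
    for line in text.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def check_ssdp_location(raw: bytes) -> dict:
    """Classify an SSDP response by the scheme of its LOCATION header.

    A UPnP device description is fetched over HTTP, so a LOCATION with any
    other scheme (intent://, file://, or none at all) is something a client
    must refuse to dereference and a monitor should alert on."""
    headers = parse_ssdp_headers(raw)
    location = headers.get("LOCATION", "")
    scheme = urlsplit(location).scheme.lower()
    return {"location": location, "scheme": scheme,
            "safe": scheme in ("http", "https")}
```

A monitor can feed the same function every reply seen on UDP port 1900 and alert on any result where `safe` is False.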
“This most definitely could have been an epic rick-roll, where everyone in the room running Firefox tried to figure out what the heck was going on,” the researcher said.
More malicious attacks could include launching a phishing page, or launching a direct link to an .XPI file, prompting for immediate installation of a malicious extension to compromise the browser itself. The bug could also be used to prompt someone to install a malicious package.
Moberly also found that other intents beyond launching a web browser can be invoked, too.
“Another example is to call other applications,” he said: In his PoC, he was able to start a mail application with arbitrary text. “Pretty scary to have happen on your device when you’re just minding your own business…. However, that execution is not totally arbitrary in that it can only call predefined application intents,” he said.
The bug — and the exploit — was affirmed by fellow researcher Lukas Stefanko:
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq
— Lukas Stefanko (@LukasStefanko) September 18, 2020
Firefox quickly fixed the bug, so users should update their application to version 79 or above (this may have already automatically been done). People can verify that they’re up-to-date by navigating to “Settings -> About Firefox” and looking for the version number.