Without the user having to click a link, install malicious software, or be subjected to a man-in-the-middle (MitM) attack, a vulnerability found in Firefox for Android could have been abused to remotely open arbitrary websites on a target user's device.
The bug was found in version 68 of Firefox for Android by researcher Chris Moberly. Mozilla confirmed that the latest Firefox Fenix (starting with version 79) is not affected; the Android version of Firefox jumped from 68 to 79 when Fenix replaced the older Fennec codebase.
According to Moberly, the flaw stems from Firefox periodically broadcasting SSDP discovery messages in search of second-screen devices it can cast to. Any device connected to the same local area network (LAN) can see these messages.
An attacker connected to the same Wi-Fi network as the targeted user can run a malicious SSDP server configured to respond with specially crafted messages that cause Firefox to open an arbitrary website.
This is possible because the messages Firefox broadcasts are looking for an XML file describing a Universal Plug and Play (UPnP) device it can cast to, but the attacker's server instead responds with a message pointing to an Android intent URI, which Firefox then invokes.
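The defensive check implied by this mechanism, as an added example that is not Moberly's PoC or Mozilla's code: an SSDP client should only accept a LOCATION header that is a plain http(s) URL to a device-description XML, and reject anything else, such as an intent URI. The SSDP messages below are constructed samples.

```python
"""Parse SSDP responses and flag LOCATION values that are not plain http(s) URLs."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_ssdp(raw: bytes) -> dict:
    """Parse one SSDP message (an HTTP-style header block) into a dict.
    Header names are lower-cased; the start line is kept under 'start_line'."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers = {"start_line": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_location(headers: dict) -> tuple:
    """Return (ok, reason). Only http/https URLs with a host are accepted,
    which is exactly the restriction the vulnerable client lacked."""
    loc = headers.get("location")
    if loc is None:
        return False, "missing LOCATION header"
    parts = urlsplit(loc)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"disallowed scheme {parts.scheme!r}"
    if not parts.hostname:
        return False, "no host in LOCATION"
    return True, "ok"


# Constructed samples: a benign UPnP reply and one carrying an Android intent URI.
BENIGN = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
          b"LOCATION: http://192.0.2.10:8080/device.xml\r\nUSN: uuid:example\r\n\r\n")
HOSTILE = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
           b"LOCATION: intent://example.invalid/#Intent;end\r\n\r\n")


def scan(messages):
    """Return (start_line, ok, reason) for each SSDP message in the list."""
    return [(h["start_line"],) + check_location(h) for h in map(parse_ssdp, messages)]


if __name__ == "__main__":
    for row in scan([BENIGN, HOSTILE]):
        print(row)
```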
The weakness is analogous to RCE (remote command execution) in that a remote attacker (on the same Wi-Fi network) can cause the device to execute unauthorised functionality with zero interaction from the end user. This execution, however, is not completely arbitrary, in that only predefined intents can be invoked, Moberly explained.
He said, “Had it been used in the wild, other applications might have exploited known-vulnerable intents.” Alternatively, it could have been used in a fashion similar to phishing attacks, where a malicious website is pushed to the victim without their knowledge in the hope that they enter personal data or decide to install a malicious programme. The PoC exploit links directly to an .xpi file, causing a malicious extension to be enabled immediately and compromising the browser itself.
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on the same wifi, it worked pretty well.
I was able to open a custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq
— Lukas Stefanko (@LukasStefanko) September 18, 2020
Technical details and a proof-of-concept (PoC) exploit were published by Moberly. ESET researcher Lukas Stefanko confirmed that the exploit works and posted a video demonstrating how an attacker can simultaneously open arbitrary websites on three phones.