Firefox Android Browser can be hijacked on WiFi network
If you have the Firefox browser installed on your Android phone, make sure it is upgraded to the latest version: security researcher Lukas Stefanko has tweeted about a new bug that lets an attacker hijack the Mozilla Firefox browser remotely over a Wi-Fi network connection.
Lukas Stefanko, who works for ESET, posted the alert on his Twitter account along with a video demonstrating exploitation of the recently disclosed "high-risk" remote code execution vulnerability affecting the Firefox browser app for the Android platform.
The vulnerability was originally discovered by Australian security researcher Chris Moberly. It resides in the browser's SSDP Engine and can be exploited to attack a Firefox browser installed on a victim's Android phone when that phone is connected to the same Wi-Fi network as the attacker.
What is SSDP Engine in Firefox Android Browser?
Before we explain how the exploit works, here is what SSDP stands for. SSDP is the Simple Service Discovery Protocol, a UDP-based protocol that is part of the Universal Plug and Play (UPnP) protocols and is used for discovering other devices on the network.
So how does this SSDP Engine work on Android phones?
On an Android phone, Mozilla Firefox constantly sends out SSDP discovery messages to other devices on the same Wi-Fi network, because it is looking for a second-screen device to cast to. Any device on the same network can respond to the discovery messages that the SSDP Engine constantly sends.
The SSDP Engine also provides the location from which detailed information on the Universal Plug and Play (UPnP) device can be obtained. Firefox then attempts to access that location, and the connection is accepted once the browser finds the XML file containing all the information about the specification and confirms that it conforms to the UPnP specifications.
What does Chris Moberly's report say about the Firefox Android browser?
According to Chris Moberly's report, "Firefox for Android LAN based intent triggering":
The SSDP Engine in Firefox android browser 68.11.0 and below can be tricked into triggering Android’s intent URL with “Zero user interaction”. This attack can be leveraged by the attackers on the same WiFi network connection and manifests as an application on the victim’s device suddenly launching without the requirement of user’s permission and conducting activities allowed by the intent.
In other words, when the attacker tricks the SSDP Engine of the victim's Firefox browser, the location of the XML file is replaced, which results in the intent being triggered on the victim's phone and allows the attacker to conduct malicious activities remotely. Once the location of the XML file is replaced, triggering the intent does not require the user's permission, giving the attacker complete control over the situation.
The location of the XML file in the response packet is replaced with a specially crafted message that points to an Android intent URI controlled by the attacker.
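A defensive check for the substitution described above, as an added example that is not taken from Chris Moberly's report or from Mozilla's code: it parses SSDP responses and flags any whose LOCATION header (the SSDP response header that carries the device-description URL) does not use http or https. The function names, sample responses and addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # a UPnP device description is fetched over HTTP(S)

def parse_ssdp_headers(payload: bytes) -> dict:
    """Parse an SSDP response (HTTP-style text over UDP) into lower-cased headers."""
    head = payload.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def location_finding(payload: bytes):
    """Return a reason string if LOCATION should not be followed, else None."""
    location = parse_ssdp_headers(payload).get("location")
    if not location:
        return "missing LOCATION header"
    try:
        scheme = urlsplit(location).scheme       # urlsplit lower-cases the scheme
    except ValueError:
        return "malformed LOCATION value"
    if scheme not in ALLOWED_SCHEMES:
        return f"LOCATION scheme {scheme or '(none)'!r} is not http/https"
    return None

def scan(responses):
    """Map each responder address to its finding, keeping only flagged responders."""
    flagged = {}
    for sender, payload in responses:
        reason = location_finding(payload)
        if reason:
            flagged[sender] = reason
    return flagged

# Constructed sample responses using documentation addresses (not captured traffic).
SAMPLES = [
    ("192.0.2.10", b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                   b"ST: upnp:rootdevice\r\nLOCATION: http://192.0.2.10:8008/dd.xml\r\n\r\n"),
    ("192.0.2.66", b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                   b"location: intent://example.invalid/\r\n\r\n"),
    ("192.0.2.77", b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n"),
]

if __name__ == "__main__":
    for sender, reason in scan(SAMPLES).items():
        print(sender, "->", reason)
```

The same scheme check applies on the client side: a discovery client that only ever fetches http or https LOCATION values never hands an intent URI to the operating system.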
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq
— Lukas Stefanko (@LukasStefanko) September 18, 2020
In other words, an attacker connected to the same Wi-Fi network as the victim can run a malicious SSDP server on a device they own and trigger intent-based commands on the victim's device through the Firefox browser. They can target a single device or several at once. None of this requires any interaction from the victim, and it can be done remotely, as shown in the video demonstration.
What other activities can be done using the intent?
The activities allowed by the intent include the following:
- Automatically launching the browser
- Automatically opening the defined URL through Firefox android browser
According to Chris Moberly, this is sufficient to trick users into downloading malicious apps onto their phones. Alternatively, the defined URL can pose as a phishing page that tricks victims into providing the credentials for their email or social media accounts.
What makes this attack a dangerous one?
An attacker who has carefully researched the target can strike at the most vulnerable moment, when the target is not paying attention to the phone. That alone, however, is not what makes this attack dangerous. As Chris Moberly says:
The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No man-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control.
Precautions that need to be taken
The Mozilla Firefox team has now officially patched this vulnerability, so Android users who have the Mozilla Firefox browser installed should make sure it is upgraded to the latest version.
You can also go to your phone settings and disable the option called "Allow installation of the apps from sources other than play store". As long as this setting is disabled, a malicious app will not be automatically downloaded and installed.
Finally, to identify a phishing URL, look at the browser's address bar and check whether the URL matches the original website. Also, don't connect your phone to public Wi-Fi networks when you are out; use the data connection from your SIM service provider instead.