A high-risk remote command execution vulnerability affecting the Firefox app for Android has been disclosed, and its exploitation was recently demonstrated.
The vulnerability, originally discovered by Australian security researcher Chris Moberly, resides in the browser's SSDP engine. An attacker can exploit it to target Android smartphones that have the Firefox app installed and are connected to the same Wi-Fi network as the attacker.
ESET security researcher Lukas Stefanko demonstrated the exploitation of the bug.
Simple Service Discovery Protocol (SSDP) is a UDP-based protocol, part of UPnP, used for finding other devices on a network. On Android, Firefox periodically sends out SSDP discovery messages to other devices connected to the same network, looking for second-screen devices to cast to.
Any device on the local network can respond to these broadcasts and provide a location from which to obtain detailed information about a UPnP device. Firefox then tries to access that location, expecting to find an XML file conforming to the UPnP specifications.
Due to the vulnerability, the SSDP engine of a victim's Firefox browser can be tricked into triggering an Android intent: the location of the XML file in the response packets is replaced with a specially crafted message pointing to an Android intent URI.
To do this, an attacker connected to the targeted Wi-Fi network can run a malicious SSDP server on their device and trigger intent-based commands on nearby Android devices through Firefox, without any interaction from the victims.
The activities allowed by the intent include automatically launching the browser and opening any defined URL, which is enough to trick victims into providing their credentials, installing malicious apps, etc.
Moberly stated that the victim only needs to have the Firefox application running on their phone; they do not need to access any malicious websites or click on any malicious links.
He reported the vulnerability to Firefox, and it was patched in Firefox for Android versions 80 and later.
A proof-of-concept was also released to the public, and Stefanko used it to demonstrate the issue against three devices connected to the same network.
All Android users who use the Firefox web browser must ensure that it has been updated to version 80 or the latest available version on the Google Play Store.
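A defensive check for the location handling described above, as an added example that is not from the original article, Mozilla or the researchers: it parses SSDP responses and flags any whose LOCATION header is not an HTTP(S) URL. The sample packets, addresses, function names and the two extra heuristics are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample SSDP responses (not captured traffic).
BENIGN = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
          b"LOCATION: http://192.168.1.20:8008/desc.xml\r\n\r\n")
SUSPICIOUS = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
              b"LOCATION: intent://placeholder#Intent;end\r\n\r\n")

def parse_ssdp_headers(payload: bytes) -> dict:
    """Parse an SSDP response (HTTP-style text over UDP) into lower-cased headers."""
    lines = payload.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_location(payload: bytes, sender_ip: str) -> list:
    """Return findings for one SSDP response; an empty list means nothing flagged."""
    location = parse_ssdp_headers(payload).get("location")
    if not location:
        return ["missing LOCATION header"]
    parts = urlsplit(location)
    # Core check: a device description is fetched over HTTP, so any other
    # scheme (such as intent:) in LOCATION is not a description URL.
    if parts.scheme.lower() not in ("http", "https"):
        return [f"non-HTTP LOCATION scheme: {parts.scheme or '(none)'}"]
    findings = []
    # Heuristics (assumptions of this example): descriptions are normally
    # served by the responder itself, from an address on the local network.
    try:
        addr = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return ["LOCATION host is not an IP literal"]
    if not addr.is_private:
        findings.append("LOCATION points outside the local network")
    if str(addr) != sender_ip:
        findings.append("LOCATION host differs from responder address")
    return findings

if __name__ == "__main__":
    for name, pkt, src in [("benign", BENIGN, "192.168.1.20"),
                           ("suspicious", SUSPICIOUS, "192.168.1.66")]:
        print(name, check_location(pkt, src) or "ok")
```

The same scheme check can be applied to SSDP responses seen in a packet capture of UDP port 1900 traffic, passing each datagram's payload and source address to `check_location`.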