New Vulnerability in SSDP engine of firefox for android discovered, can be exploited without any malicious links or website click and launch as applications without user permission, says Australian based exploit researcher Chris Moberly.
Recently, firefox application(v 68.11.0 and below) for android devices was found to be vulnerable because of a faulty code that could be exploited to trigger android intent URIs with zero interaction.
The target needs to have a firefox application running on their phone(works even in the background)and be on the same network as the attacker. There is no need to click any link or URL or visiting any malicious website. Neither is there a need to install any malicious or man-in-the-middle-attack app on the android device.
This is not some fancy data-corruption bug, but a simple logic bug, says the discoverer, Chris Moberly, who goes by the name of @init_string on twitter. The researcher also provides proof of concept(POC).
The vulnerable firefox was found to send out SSDP discovery messages periodically.
Via UDP multicast meaning anyone on the same network can access the message. Moving forward, any device on the same network can even respond to it.
This part is when the vulnerability comes to exploitation by running a malicious SSDP server with a specially crafted message pointing to an “android intent URI” as an example.
The SSDP is a network protocol used for the advertisement and discovery of network services and presence information. An android intent URI is the feature that allows the user to navigate to another app while accessing some other app.
This means that firefox can be triggered to open other apps on the compromised device without the owner’s knowledge.
The discoverer has also provided a repository from which any interested individual can check the bug themselves. The exploit presented by the engineer was used to send malicious code via Linux device connected to the same network as the android device. Video for the process is also present in the repository itself.
Microsoft, with the help of Moberly, has now patched the issue. However, it is advised to update the browser application to the latest version, which is already free of the vulnerability. Moreover, Microsoft has announced that the previous version i.e., v 68.11.0, will not be getting any security updates or bug fixes from now on.
Firefox for desktop was however unaffected by this vulnerability.
To keep yourself safe, it is always advised to always update all your software to the latest and give minimum access to the lesser-used software and apps.